
LDAP integration on the way - a NICE way / SSO

Posted: Sun Mar 04, 2007 11:31 am
by fredt
Well, it killed my Saturday weekend, but I think it was worth it.  :P

I've set up an OpenLDAP, and hacked my (UniformServer) Apache2 to use mod_auth_sspi, configured my virtual hosts,
and finally hacked CustomContent, using some tips I learned while suffering with WebSphere LDAP integration:

- so my user is now automatically authenticated using NTLM/Integrated Authentication (i.e., Windows login credentials): the user login is in $_SERVER['REMOTE_USER'];
- I can serve CustomContent according to the user or his membership in a group, through LDAP;
- and I can populate lists in my cmsms user tags, using LDAP queries to read groups.

This should work with IIS instead of Apache (this thing was invented by Microsoft...), and Active Directory instead of OpenLDAP.

The code is ugly so far, but it will go nicer...

I'm NOT publishing it right now 'cause I want to conduct some tests against an AD first.

Here are my problems:

Problem #1 right now is to find an AD I can query through LDAP... Do you know any (I googled for this, but with no success)? If you have one, can you open it for me through your firewall (I have a fixed IP)?

Problem #2 would be to find some beta-testers... so we can validate together that it works in other environments.

Problem #3 will be to put all this in a nice container. I haven't been thinking so far about using this from other modules, apart from CustomContent... I'll / we'll have to decide whether to put this in a Tag or a Module (it involves some configuration...).

Tell me what you think of this / if you can bring me an AD / are interested!!!

(Proud) Fred  ;D
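The mechanism Fred describes (Apache's mod_auth_sspi fills REMOTE_USER, the site then asks the directory which groups that account belongs to and gates content on the answer) is small enough to show end to end. The block below is an added example, not code from the post or from CMS Made Simple; it is written in Python rather than the module's PHP, and the directory contents, group DNs and the `find_user` callable are constructed stand-ins so it runs offline. In a real deployment `find_user` would wrap an LDAP search against AD or OpenLDAP (PHP: ldap_escape plus ldap_search). Two points the post does not spell out are included: the account name taken from REMOTE_USER is escaped per RFC 4515 before it is interpolated into the search filter, so a crafted login cannot widen the match, and group membership is resolved transitively because AD groups can contain other groups.

```python
"""REMOTE_USER -> LDAP group gate. Added example; assumptions are marked below."""
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# RFC 4515 escapes for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Characters Active Directory does not allow in a sAMAccountName.
_BAD_ACCOUNT_CHARS = re.compile(r'["/\\\[\]:;|=,+*?<>\x00-\x1f]')


def escape_filter_value(value: str) -> str:
    """Escape a value before interpolating it into an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_remote_user(remote_user: str) -> Tuple[str, str]:
    """Split REMOTE_USER as mod_auth_sspi sets it ('DOMAIN\\user' or 'user@REALM')
    into (domain, account); reject anything that is not a plausible account name."""
    if "\\" in remote_user:
        domain, account = remote_user.split("\\", 1)
    elif "@" in remote_user:
        account, domain = remote_user.rsplit("@", 1)
    else:
        domain, account = "", remote_user
    if not account or _BAD_ACCOUNT_CHARS.search(account):
        raise ValueError(f"implausible account name in REMOTE_USER: {remote_user!r}")
    return domain.upper(), account


def build_user_filter(account: str) -> str:
    """Filter locating the Windows account; escaping keeps a crafted value from
    becoming a wildcard or an extra filter clause."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(account)}))"


def transitive_groups(dn: str, member_of: Dict[str, List[str]]) -> Set[str]:
    """AD groups can nest, so follow memberOf until no new group DN appears.
    DNs are compared case-insensitively."""
    seen: Set[str] = set()
    stack = list(member_of.get(dn, []))
    while stack:
        group = stack.pop()
        if group.lower() in seen:
            continue
        seen.add(group.lower())
        stack.extend(member_of.get(group, []))
    return seen


def can_view(remote_user: str, required_group_dn: str,
             find_user: Callable[[str], Optional[str]],
             member_of: Dict[str, List[str]]) -> bool:
    """True when REMOTE_USER resolves to a directory entry that is (transitively)
    a member of required_group_dn. Any parse or lookup failure means no access."""
    try:
        _domain, account = parse_remote_user(remote_user)
    except ValueError:
        return False
    user_dn = find_user(build_user_filter(account))
    if user_dn is None:
        return False
    return required_group_dn.lower() in transitive_groups(user_dn, member_of)


# ---- constructed stand-in directory (assumption, not real data) -------------
USERS_BY_ACCOUNT = {
    "fred": "cn=fred,ou=users,dc=example,dc=org",
    "alice": "cn=alice,ou=users,dc=example,dc=org",
}
MEMBER_OF = {
    "cn=fred,ou=users,dc=example,dc=org": ["cn=it-staff,ou=groups,dc=example,dc=org"],
    "cn=alice,ou=users,dc=example,dc=org": ["cn=sales,ou=groups,dc=example,dc=org"],
    # nested group: every it-staff member is also an intranet editor
    "cn=it-staff,ou=groups,dc=example,dc=org": ["cn=intranet-editors,ou=groups,dc=example,dc=org"],
}
EDITORS = "cn=intranet-editors,ou=groups,dc=example,dc=org"


def fake_find_user(ldap_filter: str) -> Optional[str]:
    """Stand-in for an LDAP search (assumption): pulls the sAMAccountName out of
    the filter, undoes the RFC 4515 escaping and does an exact lookup. A real
    server treats an unescaped '*' as a wildcard; an escaped one matches literally."""
    m = re.search(r"\(sAMAccountName=([^)]*)\)", ldap_filter)
    if not m:
        return None
    raw = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return USERS_BY_ACCOUNT.get(raw)


if __name__ == "__main__":
    for who in ("EXAMPLE\\fred", "alice@EXAMPLE.ORG", "EXAMPLE\\*", "nobody"):
        print(who, "->", can_view(who, EDITORS, fake_find_user, MEMBER_OF))
```

Only fred is granted access: he reaches the editors group through it-staff, alice is in a different group, an unknown account has no entry, and a REMOTE_USER carrying filter metacharacters is rejected before it is ever sent to the directory.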

Re: LDAP integration on the way - a NICE way

Posted: Sun Mar 04, 2007 12:28 pm
by Pierre M.
Hello Fred,

Good news! Feel free to add to/update the fresh LDAP tips entry in the wiki:
http://wiki.cmsmadesimple.org/index.php ... And_Tricks

An LDAP directory could already be used to replace the built-in user management (authentication).
Now you have hints to "serve CustomContent according to the user or his belonging to a group, through LDAP". (content)

"Tell me what you think of this". OK (sorry if I'm rude) :
-I don't care Microsoft specific things. I care about RFC and Internet norms. To me, LDAP integration is very useful and AD/IIS/NTLM is useless. Of course "YMMV".
-You should populate the forum or the wiki asap ;-)
-again : your work is good news.

Pierre M.

Re: LDAP integration on the way - a NICE way / SSO

Posted: Sun Mar 04, 2007 6:54 pm
by fredt
Hmmm... I'm not sure I've been very clear, hence this update... This integration means SSO.

So users don't have to log in to CMSMS, as the server already knows them (their Windows login; can someone tell me about Linux login?), and you don't have to maintain a Users directory anymore. If you need to, you can still log in to the server using an htpasswd-like window, then authenticate against the LDAP directory.

Of course, it was created by MS, but it shouldn't mean it's bad by design. Anyway, my 500+ customers (mainly IT Managers) love this kind of all-in-one login and user management.

Does anybody have an AD server out there?

Fred

Re: LDAP integration on the way - a NICE way / SSO

Posted: Tue Mar 06, 2007 2:32 pm
by Pierre M.
Thank you Fred for the clarification. I had mistaken your point.

Hmm... I understand Microsoft customers like this feature. But they would be limited to their intranets. I think they'd buy microsoft.com/cmserver/ or SharePoint rather than CMSms to do webcasting administered from anywhere on the Internet (and its non-Windoze terminals).

Still, as I've written, your work may be good for everybody as you offer to "serve CustomContent according to the user or his belonging to a group, through LDAP". Maybe you could split SSO from private content delivery? Or is CustomContent already doing this?

Pierre M.

Re: LDAP integration on the way - a NICE way / SSO

Posted: Fri Jul 20, 2007 3:03 pm
by Dissimilis
How did you integrate all this with CustomContent? It required some hacking of original code, right? I'm saying this because CustomContent depends on FrontEnd users.

Re: LDAP integration on the way - a NICE way / SSO

Posted: Fri Jul 20, 2007 3:11 pm
by calguy1000
I suggest you create another project on the forge and rename the module to something like CustomContentLDAP or something (to avoid confusion).

Re: LDAP integration on the way - a NICE way / SSO

Posted: Fri Jul 20, 2007 8:27 pm
by fredt
Well, I've not been working on this topic these last weeks... So it seems to be turning into just a proof of concept about SSO & Apache auth_sspi. And yes, it means hacking (but not so severely) CustomContent.
But I will definitely think about creating a new module for this if ever needed... unless V2 changes all this! Btw, organizing a way to hack modules (some kind of "User Exits") would be nice...