February 12, 2008
Question

CFLDAP query - use to authenticate network user

  • February 12, 2008
  • 3 replies
  • 3525 views
Greeting

I have set up a successful cfldap query which will return all users in Active Directory.

If the user has logged into the network, I want to give them a view of certain data that someone outside the network cannot access.

I tried to send the internal user through an authentication page:

<!--- userPrincipalName is their email address --->
<cfldap action="QUERY"
name="results"
attributes="userPrincipalName"
start="dc=xxxx,dc=xxxx"
scope="SUBTREE"
filter="(&(objectCategory=user)(userPrincipalName=*))"
server="DC1.xxxx"
username="master\administrator"
password="xxxx">

This queries the AD as the admin because a second login by the user is what I am trying to avoid.

<CFIF .........?>

<cfset Session.user_id = results.userPrincipalName>

<cflocation url="switchboard.cfm" addtoken="No">

<cfelse>

<cflocation url="cannotauthenticate.cfm" addtoken="No">


</CFIF>

Is there any way to accomplish this?

Thanks

rinorman

February 25, 2008
Michael:

Thanks for your response.

My original intent was to try to avoid a second login screen for users already logged onto the network, so they would be allowed an internal view of data vs the outside view.

The LDAP query method does return all users, but there is no way I know of to compare the results of the query to anything. IOW, if the user is in AD and they are logged on, let them see the data without the need to use another Windows logon prompt, even though it's the same un/pw as their NT un/pw.

I hope I cleared up what it is I'm trying to do.

Thanks again

rinorman
Participating Frequently
February 25, 2008
You have two issues.

1. You need to use Windows Integrated Authentication to ensure that an internal person doesn't have to log in twice.

2. You need to determine what will control access to your resources. I would suggest using domain groups to control the access.

Your CFLDAP query should pass the user's username and password and filter on sAMAccountName = "CGI.auth_user". That would return only the logged-in user's information, such as "memberOf" to get the group membership.
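The approach described above (IWA for the login, then a CFLDAP lookup of only the logged-in user and a group-membership check), as an added example that is not code from this thread. It assumes IIS with Integrated Windows Authentication enabled so that CGI.AUTH_USER arrives as "DOMAIN\user"; because IWA never exposes the user's password to the page, the query runs as a read-only service account rather than the user, and the server name, base DN, service account and group DN are placeholders.

```cfml
<!--- Added example: gate the internal view on IWA identity plus AD group membership. --->
<cfset authUser = CGI.AUTH_USER>
<cfif NOT Len(Trim(authUser))>
    <!--- IWA did not run (anonymous request): never treat this as authenticated --->
    <cflocation url="cannotauthenticate.cfm" addtoken="No">
</cfif>

<!--- CGI.AUTH_USER is typically "DOMAIN\user"; keep only the account name --->
<cfset samName = ListLast(authUser, "\")>

<!--- allow only a plain account name so nothing unexpected reaches the LDAP filter --->
<cfif NOT REFind("^[A-Za-z0-9._-]+$", samName)>
    <cflocation url="cannotauthenticate.cfm" addtoken="No">
</cfif>

<cftry>
    <!--- separator="|" because DNs in memberOf contain commas (the default separator) --->
    <cfldap action="QUERY"
            name="me"
            attributes="sAMAccountName,userPrincipalName,memberOf"
            start="dc=xxxx,dc=xxxx"
            scope="SUBTREE"
            filter="(&(objectCategory=user)(sAMAccountName=#samName#))"
            separator="|"
            server="DC1.xxxx"
            username="svc_ldap_reader"
            password="xxxx">
    <cfcatch type="any">
        <!--- directory unreachable or bind failed: fail closed --->
        <cflocation url="cannotauthenticate.cfm" addtoken="No">
    </cfcatch>
</cftry>

<!--- placeholder group that controls the internal view --->
<cfset internalGroupDN = "CN=Internal Viewers,OU=Groups,DC=xxxx,DC=xxxx">

<!--- exactly one account must match, and it must be a member of the gating group --->
<cfif me.recordCount EQ 1 AND ListFindNoCase(me.memberOf, internalGroupDN, "|")>
    <cfset Session.user_id = me.userPrincipalName>
    <cflocation url="switchboard.cfm" addtoken="No">
<cfelse>
    <cflocation url="cannotauthenticate.cfm" addtoken="No">
</cfif>
```

memberOf lists only direct memberships, so a user who is in the gating group only through a nested group will be refused by this check.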
Participant
January 22, 2018

Hello Michael,

Do you have any reference Docs on how to use IWA with AEM? How does IWA communicate with AEM?

Thanks,

February 12, 2008
Thanks for your response. I do have a Windows server; however, when I tried initiating IWA, it prompts for a un and pw anyway.

This may have something to do with the network configuration?

We have a Watchguard firewall through which the webserver needs to pass to see the AD on DC1?

Thanks again...



Participating Frequently
February 24, 2008
I'm not really sure what you are trying to do. You can query AD, via CFLDAP, to retrieve information about the account.

If you are trying to authenticate the user, you only need to use Windows or browser authentication. This will bounce against AD automatically. However, if you create a custom login form, you can use LDAP to authenticate the user.

If you create your own login form, you can still attempt to run the CFLDAP tag using the user's username/password, rather than an admin's username/password. Wrap the CFLDAP tag in CFTRY/CFCATCH to handle any errors.
tclaremont
Inspiring
February 12, 2008
Are you using a Windows server? Why not just make use of Integrated Windows Authentication?
Participant
January 22, 2018

Hello tclaremont,

Do you have any reference Docs on how to use IWA with AEM?

Thanks,