July 15, 2009

LDAP (Active Directory) querying "the current user"


I've reviewed a lot of stuff on this but I'd appreciate a summary answer of this (no doubt...) FAQ:

Using CF (latest & greatest) on an (I presume) IIS server, I want to be able to auto-detect the Windows identity of "the currently logged-on Windows user" and, by means of LDAP (Active Directory) queries, determine his attributes and group-memberships for authentication purposes.  The user would not be challenged to enter any sort of user-name or password on his own.  (This is strictly an intra-net application and always will be.)

In the Apache Server environment with mod_ldap, I know that reliable information about the currently logged-on user can be obtained from environment variables with which to do subsequent LDAP queries.  But I'm a little fuzzy on what I might expect/use in this situation.

Pointers?  Hyperlinks?  Tips?

Correct answer (ilssac)

With Windows IIS on a Windows Server on a Windows domain to a Windows client using a Windows browser it can be easily done.

If the "Windows Integrated Security" option is selected in the IIS administrator and "Anonymous Logon" is NOT selected, then the cgi.auth_user variable will be populated by the web server with the domain/username of the user logged into the client machine.

It is quite simple to access this cgi.auth_user value and use it in a <CFLDAP...> tag to read the active directory record for other information about that user.

3 replies

TLC-IT (Author)
July 15, 2009

Yep, I found this juicy post from February 19th shortly after posting... http://forums.adobe.com/thread/203351

Seems to be the "cookbook" that I was looking for but did not quite take the time to find.


July 15, 2009

Look at your cgi variables.  Anything promising show up?

TLC-IT (Author)
July 15, 2009

I am of course aware of CGI.AUTH_USER, et al, which will reliably tell me who the user is.  But I'm not certain that this is sufficient information to allow me to execute an LDAP query against this information, to find group-memberships and such.

Hmmm...  maybe it is.  I'm somehow thinking that the user's password must be supplied ... or some password ... but the more that I think about it now, maybe that's not the case.

I'll have to go back into my source-code archives and remind myself of how I once did this very thing in Perl.

Yup... sure 'nuf, it's a FAQ:  http://forums.adobe.com/thread/203351 seems to sum it up rather well.

Ahh, "senior moments."  I guess I need to get used to ... to ... uhh, what was I talking about?

ilssac
July 15, 2009

No, the password will not be supplied in the CGI scope.  For our systems we do not use the user's password to access their ldap record.  We have a ColdFusion user in Active Directory that is used to access the user's record and read their group and other data from active directory.
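As an added example (not code posted in this thread), this is what the pattern ilssac describes in the accepted answer and in the last reply looks like in CFML: take the identity IIS put into CGI.AUTH_USER, bind to Active Directory with a separate service account rather than the user's password, and read the user's record and group memberships. The domain controller, base DN, service account and group DN are placeholders, and `ldapEscape` is a helper written for this example.

```cfml
<!--- Constructed example, not from the thread. Assumes IIS has Windows Integrated
      Authentication enabled and Anonymous access disabled for this application. --->
<cfset adServer   = "dc01.example.local">      <!--- placeholder domain controller --->
<cfset svcUser    = "EXAMPLE\svc_coldfusion">  <!--- placeholder AD service account --->
<cfset svcPass    = "***">                     <!--- read from a protected config in practice --->
<cfset searchBase = "DC=example,DC=local">     <!--- placeholder base DN --->

<!--- 1. If integrated auth did not happen (e.g. Anonymous is still on), AUTH_USER is empty.
        Refuse rather than fall through to an unauthenticated lookup. --->
<cfif NOT Len(Trim(CGI.AUTH_USER))>
    <cfthrow message="No Windows identity in CGI.AUTH_USER; check IIS authentication settings.">
</cfif>

<!--- 2. AUTH_USER arrives as DOMAIN\username; keep only the account name for the filter --->
<cfset accountName = ListLast(CGI.AUTH_USER, "\")>

<!--- 3. Escape RFC 4515 filter metacharacters before interpolating into the LDAP filter --->
<cffunction name="ldapEscape" returntype="string" output="false">
    <cfargument name="s" type="string" required="true">
    <cfset var out = Replace(arguments.s, "\", "\5c", "all")>
    <cfset out = Replace(out, "*", "\2a", "all")>
    <cfset out = Replace(out, "(", "\28", "all")>
    <cfset out = Replace(out, ")", "\29", "all")>
    <cfset out = Replace(out, Chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<!--- 4. Bind as the service account (never the end user) and read the user's record.
        separator="|" because the memberOf DNs themselves contain commas. --->
<cfldap action="query"
        server="#adServer#"
        username="#svcUser#"
        password="#svcPass#"
        start="#searchBase#"
        scope="subtree"
        filter="(&(objectClass=user)(sAMAccountName=#ldapEscape(accountName)#))"
        attributes="sAMAccountName,displayName,mail,memberOf"
        separator="|"
        name="userRec">

<cfif userRec.recordCount NEQ 1>
    <cfthrow message="Expected exactly one AD record for #accountName#, found #userRec.recordCount#.">
</cfif>

<!--- 5. Authorise on group DN. memberOf lists direct memberships only: nested groups
        and the primary group are not included, so resolve those separately if needed. --->
<cfset appAdminDN = "CN=AppAdmins,OU=Groups,DC=example,DC=local">  <!--- placeholder group --->
<cfset isAppAdmin = ListFindNoCase(userRec.memberOf, appAdminDN, "|") GT 0>
```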