Balance #1
Basic AD & CFLDAP question
I need to authenticate AD users in my CF app. All of the articles I've read
about this assume the username and password combo are supplied (ie:
username='#form.username#' password='#form.password#') to the CFLDAP tag in
some fashion. My question is, how can I retrieve the username and password of
an AD user? Is this a CGI variable? TIA
Balance Guest
-
ajpowellatl #2
Re: Basic AD & CFLDAP question
This is easiest on IIS. Using Windows authentication will produce two CGI
variables for you: cgi.auth_user and cgi.auth_password. Using Windows auth. on
IIS with IE will produce a seamless experience for your users. No prompts for
passwords with that solution. If you are not using Windows authentication or
not using IIS, then you will have to pass the variables through the browser in
a form. If you are not using IE, and are using IIS, you will be presented with
a popup asking for u/p.
When you are authenticating to AD via CFLDAP, the username will be in the
format username@full.domainname.whatever as you have it set in AD. See the
example below:
Our AD domain is acs01.danddaviation.com
<cfldap action="QUERY"
name="users"
attributes="givenname, sn, department, mail"
start="cn=users,dc=acs01,dc=danddaviation,dc=com"
server="192.168.0.10"
port="389"
filter="(search criteria here)"
username="user@acs01.danddaviation.com"
password="mypasswordgoeshere"
sort="sn" />
ajpowellatl Guest
-
Balance #3
Re: Basic AD & CFLDAP question
Thanks a lot for your reply.
Shouldn't the username value in your CFLDAP call look like this, though:
username='#cgi.auth_user#'
password='#cgi.auth_password#'
Thanks again
Balance Guest
-
philh #4
Re: Basic AD & CFLDAP question
Folks, if basic authentication is turned off, AUTH_PASSWORD is not populated
(with good reason). If you need to authenticate to AD, why don't you administer
security through the resource itself, i.e. restrict access with AD groups?
philh Guest
-
Balance #5
Re: Basic AD & CFLDAP question
OK. So, again, how can I check the AD username and password of a specific user
account with CF? We need to integrate our app in a 'single sign-on' environment
where authentication is handled with AD (but authorization would be handled in
our CF app).
Balance Guest
-
ajpowellatl #6
Re: Basic AD & CFLDAP question
If you want the single sign on, then you will have to turn the basic
authentication on in the IIS settings. Otherwise, there is no real way to do
it. There is a required interaction between the browser and server.
ajpowellatl Guest
-
philh #7
Re: Basic AD & CFLDAP question
OK, before my diatribe, I assume the application, the Web and data servers, and
the DC are in the same domain/forest/group of trusted domains. I fail to see
the distinction between authentication to AD and authorization to your app. An
account that successfully signs in to a domain is unique. The user can't access
the network until authenticated. Once authenticated, the account can enjoy
access to all of the resources to which they are authorized through membership
in AD groups. The only thing you need to know is who they are, not what their
password is. AUTH_USER is populated in all non-anonymous environments; you can
determine who the user is by reading that variable. If it seems I'm suggesting
you control application access through AD group membership, you're absolutely
right. That's the right thing to do in this environment. There's no need to
query AD; simply grant access to the resources (ColdFusion templates, images,
folders, whatever) to the relevant AD group(s), and forget about it. My $0.02
philh Guest
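
What philh describes in #7 (take the identity from AUTH_USER, decide access by AD group membership) can also be checked inside the application, which is where Balance wants authorization to live. The following is an added example, not code from any poster in this thread; the host name, base DN, group DN and the application.ldapBind* service-account variables are placeholders.

```cfml
<!--- Added example, not code from the thread. The host name, base DN, group DN
      and application.ldapBind* service-account settings are placeholders. --->
<cfset requiredGroup = "CN=AppUsers,OU=Groups,DC=example,DC=test">
<cfset allowed = false>

<!--- IIS sets AUTH_USER only after it has authenticated the request.
      It arrives as DOMAIN\user or user@domain; keep the account part. --->
<cfset account = listFirst(listLast(cgi.auth_user, "\"), "@")>

<!--- The value goes into an LDAP filter, so accept only a conservative
      character set (assumed naming policy). If your account names use other
      characters, escape \ * ( ) and NUL per RFC 4515 instead. --->
<cfif reFind("^[A-Za-z0-9._-]+$", account)>
    <cftry>
        <cfldap action="query"
                name="me"
                server="dc01.example.test"
                port="636"
                secure="CFSSL_BASIC"
                start="DC=example,DC=test"
                scope="subtree"
                filter="(&(objectCategory=person)(sAMAccountName=#account#))"
                attributes="memberOf"
                separator="|"
                username="#application.ldapBindUser#"
                password="#application.ldapBindPassword#">
        <!--- Exactly one match, and the group DN is among its memberOf values. --->
        <cfset allowed = me.recordCount EQ 1
                         AND listFindNoCase(me.memberOf, requiredGroup, "|") GT 0>
        <cfcatch type="any">
            <!--- Directory unreachable or bind failed: stay denied. --->
            <cflog file="authz" type="error" text="LDAP lookup failed: #cfcatch.message#">
        </cfcatch>
    </cftry>
</cfif>

<cfif NOT allowed>
    <cfheader statuscode="403">
    <cfabort>
</cfif>
```

memberOf lists only direct group memberships and omits the user's primary group, so nested groups need a separate lookup. The separator is set to "|" because group DNs themselves contain commas.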


