20. Authentication schemes

IPplan supports either its own internal authentication scheme or an external scheme based on the Apache web server's authentication modules. To use an external scheme, change the setting in the config.php file. Next, place the relevant .htaccess file in the IPplan user subdirectory (/ipplan/user). Do not place an equivalent file in the admin subdirectory, as the admin account cannot be overridden.

Note

When using the external authentication method, IPplan never prompts for a userid and password. It is the responsibility of the external module to do the prompting, if any. IPplan uses the credentials supplied and matches them to the IPplan userid records to determine if access should be granted.

Important

The relevant users requiring access to IPplan must still be created via the IPplan admin interface, but no password information is required as this is overridden by the external authenticator.

If the user is removed from the external authenticator's database (LDAP, RADIUS, etc.), the user will no longer be able to log in to IPplan even if the account still exists in IPplan. This scheme only handles single sign-on and password changes, not single point of administration.

Make sure that the external authenticator returns only the userid in the PHP REMOTE_USER variable. LDAP (or auth_ldap) by default will return the entire DN, but this can be configured to return only the userid. From the auth_ldap docs at http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html, ensure that AuthLDAPRemoteUserIsDN is set correctly. You will also need to look at the AuthLDAPGroupAttributeIsDN directive.
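As an added illustration (not taken from the IPplan distribution), an .htaccess for /ipplan/user written for the auth_ldap 1.6 module linked above. The LDAP host, base DN and group name are constructed placeholders, and SSLRequireSSL assumes mod_ssl is loaded.

```apache
# /ipplan/user/.htaccess
# Constructed example: the host name, DNs and group name are placeholders.
# Directive names follow auth_ldap 1.6; the LDAP module bundled with later
# Apache releases uses different "Require" keywords.

# Refuse plain-HTTP requests so Basic credentials are only ever sent over
# SSL. Assumes mod_ssl is loaded on this server.
SSLRequireSSL

AuthType Basic
AuthName "IPplan"

# Look the login name up in the uid attribute anywhere below ou=People.
AuthLDAPURL "ldap://ldap.example.org/ou=People,dc=example,dc=org?uid?sub"

# Set explicitly rather than relying on the module default.
#   off: REMOTE_USER = "jsmith"
#   on:  REMOTE_USER = "uid=jsmith,ou=People,dc=example,dc=org"
# IPplan matches REMOTE_USER against its own userid records, so only the
# "off" form can match a user created as "jsmith" in the admin interface.
AuthLDAPRemoteUserIsDN off

# Optional group restriction. This setting is independent of the one above:
# it only controls what is compared against the group's member attribute.
# Groups whose member attribute holds full DNs need "on"; groups that list
# bare login names (for example in memberUid) need "off" and a matching
# AuthLDAPGroupAttribute.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
require group cn=ipplan-users,ou=Groups,dc=example,dc=org
```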

Read the instructions in config.php carefully for debug tips.

External authentication was tested against SiteMinder and the Apache auth_ldap module. The CAS authentication module is also supported; there are special config.php variables to support this configuration.

Warning

THE HTTP BASIC AUTHENTICATION SCHEME DOES NOT ENCRYPT USER-IDS AND PASSWORDS TRANSMITTED TO THE WEBSERVER - IT IS RECOMMENDED THAT IPPLAN IS INSTALLED ON AN SSL PROTECTED WEBSERVER ON PRODUCTION SYSTEMS.