
Configuring Authentication Services

In document Hidden Automatic Navigator 2.3 (Page 31-38)

3 Installation and Configuration

3.2 Configuring Authentication Services

Access to the HAN system can be controlled through HAN’s authentication services.

These are predefined HAN modules that detect user identity based on an authentication source.

The following can be used as authentication sources:

• NT login
• IP address/host name check
• LDAP login
• ADS login
• NT4 login
• NetMan login
• PICA login
• ODBC interface to an ODBC-compatible database
• SISIS

Authentication Settings

Open the Authentication dialog page in the HAN Settings (Programs/HAN/HAN Settings).

HAN distinguishes between implicit and explicit login. With implicit login, the user does not have to enter any data; for explicit login, the user enters a user name and a password for authentication. Implicit login is based on client IP address or host name and is independent of user identity.

There are two types of explicit login:

• HTTP login dialog
• HTML form

The HTTP login method uses the following dialog:

You can edit the title of this dialog in the Title bar text for the login box field on the Authentication dialog page.

The actual appearance of the login dialog depends on the browser in which it opens.

The other option is to have an HTML form open:

This login page can be edited and, if desired, adapted (for example, to match your intranet pages). Make sure that the following HTML text is integrated in the form page unaltered:

<form action="/hhauth/login" method="POST">
Name:&nbsp;<input type="text" name="User" maxlength="30">
Password:&nbsp;<input type="Password" name="Password" maxlength="30">
<input type="submit" value="Login" style="width:96px">
</form>

If you call the login page over HTTPS, data is encrypted before it is sent to the HAN server. To do this, enter the URL as follows: https://<HAN server>/login/login.htm. Replace <HAN server> with the name or IP address of your HAN server.

Contact your network administrator for information on integrating a server certificate in Windows 2003 Server. Alternatively, you can use OpenSSL to create a certificate.

Furthermore, SSL modules must be linked in the Apache web server. The \apache2\hh\han\SSL directory contains brief instructions on integrating SSL modules.

Setting Up an Authentication Service

The following example shows how to set up an authentication service; in this case, IP authentication.

On the Authentication dialog page, click on the New icon.

This opens the Create Authentication Service dialog for defining the properties of the new authentication service.

In the Authentication service field, enter a name for the new authentication service (such as “IP Authentication”). The Designation (in this example, “IP”) is required for internal processing.

Click on the “browse” button next to the Module field to open the “Select File” dialog, which lists the available authentication services.

Each authentication service has its own set of parameters. When you click on Load, the parameters for the selected service are shown in the “Parameters” section.

For the IP authentication service the parameter is “CfgFile.”

Select Edit to assign a value to the selected parameter. In this case, the value is the complete path to a configuration file that defines the permitted IP address(es).

To enable this option, the user’s browser must be set to accept cookies from the HAN server.

HAN can check the validity of a login. To activate this feature, select the Use persistent cookies for login option. When this option is active, you can set the period (in hours) of validity for a login.

If the “persistent cookies” option is not active, the login is no longer valid once the user has closed the browser.

Click to put a checkmark in the box next to Active to activate the authentication service and click on OK to save your settings.

To use an IP authentication service, you need to define access privileges on the “IP Ranges/Host Names” page.

You can specify various ranges of IP addresses and/or host names to define which clients are permitted to access HAN resources and which are explicitly denied access. You also have the option of defining a single user ID for a collection of IP addresses for purposes of statistical analysis. For example, you could create an IP authentication service for users whose IP addresses are located within the library, and enter “Library” as the user ID. As a result, the statistics database collects usage data acquired from all users authenticated by this service and attributes it to a user called “Library.”

To check computer host names, the Apache web server has to reverse resolve IP addresses. This functionality must be explicitly activated in the Apache configuration file (httpd.conf):

HostnameLookups On

The change is not active until you restart the Apache service. Important: If your Apache server cannot reverse resolve IP addresses, it could take a very long time to open a HAN account. To test your system’s name resolution performance, run nslookup and enter the client IP address. The nslookup program should return the client’s host name.

If this works, you can activate name resolution in the Apache server. If the host name is not returned, do not activate name resolution in the Apache server.
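The nslookup test above can be scripted for a batch of client addresses. The following is an added example, not part of the HAN documentation: it times each reverse lookup and also checks that the returned name resolves back to the same address. The function name, the one-second budget and the result keys are assumptions.

```python
import socket
import sys
import time


def check_reverse_dns(ip, budget_s=1.0, reverse=socket.gethostbyaddr,
                      forward=socket.gethostbyname_ex, clock=time.monotonic):
    """Time the reverse lookup for one client IP and forward-confirm the name.

    budget_s is an assumed acceptable delay per lookup, not a HAN or Apache value.
    """
    start = clock()
    try:
        host = reverse(ip)[0]            # reverse lookup via the system resolver
    except OSError:                      # covers socket.herror / socket.gaierror
        host = None
    seconds = clock() - start

    confirmed = False
    if host is not None:
        try:
            # The PTR record is published by whoever runs the reverse zone, so
            # check that the returned name resolves back to the same address.
            confirmed = ip in forward(host)[2]   # gethostbyname_ex is IPv4-only
        except OSError:
            confirmed = False

    return {
        "ip": ip,
        "host": host,
        "seconds": seconds,
        "forward_confirmed": confirmed,
        # Mirrors the manual's rule: enable lookups only if a name comes back,
        # with the added condition that it comes back within the budget.
        "enable_lookups": host is not None and seconds <= budget_s,
    }


if __name__ == "__main__":
    # Usage: python check_ptr.py 192.0.2.17 192.0.2.18  (placeholder addresses)
    for client_ip in sys.argv[1:]:
        print(check_reverse_dns(client_ip))
```

A host-name rule is only as trustworthy as the PTR data behind it, so a client whose `forward_confirmed` is false is better matched by an IP range than by its name.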

If more than one authentication service has been defined, they are processed in order until one service has successfully completed the login, after which subsequent services are ignored.

You can use the Up and Down buttons to change the order of authentication services. If an IP authentication service is defined, this is the first service applied, because IP authentication does not require user input.
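The processing order described above can be modelled as follows. This is an added example, not HAN's own code: the rule layout, the sample addresses and account, the "Form" designation, and the choices that a deny entry overrides an allow range and that a denied address simply falls through to the next service are all assumptions.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data; HAN's own configuration file format is not shown here.
IP_RULES = {
    "user_id": "Library",                           # shared ID for statistics
    "allow": ["192.0.2.0/24", "2001:db8:10::/48"],
    "deny": ["192.0.2.200/32"],
}
SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"s3cret-example", SALT, 100_000)}


def _matches(addr, cidrs):
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def ip_service(request):
    """Implicit login: decided from the client address, no user input."""
    addr = ipaddress.ip_address(request["client_ip"])
    # Assumption: an explicit deny wins over an overlapping allow range.
    if _matches(addr, IP_RULES["deny"]) or not _matches(addr, IP_RULES["allow"]):
        return None
    return IP_RULES["user_id"]


def form_service(request):
    """Explicit login: the User and Password fields of the HTML form."""
    user, password = request.get("User"), request.get("Password")
    if not user or not password or user not in USERS:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return user if hmac.compare_digest(digest, USERS[user]) else None


def authenticate(request, services):
    """Try each service in order; the first success ends processing."""
    for designation, service in services:
        user_id = service(request)
        if user_id is not None:
            return designation, user_id
    return None


# IP first, as the manual describes; "Form" is a hypothetical designation.
SERVICES = [("IP", ip_service), ("Form", form_service)]
```

With the IP service first, a client inside an allowed range is recorded as "Library" and any credentials it submits are never evaluated, so per-user statistics exist only for clients outside those ranges.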
