Distauth: Authentication and Authorization

Authentication

In security terminology, authentication concerns verifying who you are. A popular type of authentication is to restrict access to a Web site based on the IP address of the browser. Commonly, IP addresses associated with UC Davis are given access to a site, and other IP addresses are rejected. This is a feature that most Web servers support. Unfortunately, using this form of authentication may exclude users who are logging in to your Web site via a commercial internet service provider. (The IP address of the commercial ISP will not be recognized as part of the ucdavis.edu domain.) Distauth allows access to your site based on the user's UCDLoginID and Kerberos password.

Using the Netscape NSAPI or the PERL cgi, Distauth can be configured to perform according to the following scenarios:

  • All users are required to authenticate using their UCDLoginID and Kerberos password.
  • If your browser is in the ucdavis.edu domain, authentication is not required. If your browser is outside of the ucdavis.edu domain, users are required to authenticate.
  • Some IP addresses are allowed without authentication, other IP addresses are automatically denied access to your site, and the rest of the users are required to authenticate.

The features controlling these behaviors are:

  • Netscape NSAPI: allow, deny
  • PERL: allow_ucd_ip, allowed_nets
  • IS ISAPI: All users are required to authenticate

In all cases, the default mode is to use user-based authentication, where Distauth can be used to verify that a user truly has an account at UCD.

Authorization

Authorization is an additional level of security. In addition to a user having a valid UCDLoginID and Kerberos password, the UCDLoginID of the user must also reside in a designated authorization file. The PERL cgi or Netscape API allows you to maintain or access authorization files. One or more files may be listed; the files are OR'd, meaning any UCDLoginID found in any specified file will be allowed access to your site. (The file format is one UCDLoginID per line.)

The features controlling these behaviors are:

  • Netscape NSAPI: user-list
  • PERL: user_list
  • IS ISAPI: User lists cannot be specified.
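The access decision described in the Authentication and Authorization sections above (allowed and denied IP ranges, Kerberos login for everyone else, then OR'd user-list files) as an added worked example; this is illustrative Python written for this page, not Distauth's own PERL or NSAPI code. The CIDR ranges, file names and logins are constructed, and the parameter names are hypothetical stand-ins for the allow/deny, allowed_nets and user_list settings.

```python
import ipaddress

# Constructed sample authorization files: one UCDLoginID per line, as the
# page describes. The dict stands in for files on disk (filename -> contents).
SAMPLE_USER_LISTS = {
    "staff.list": "alice\nbob\n",
    "project.list": "carol\n\nalice\n",
}

def load_user_lists(files):
    """OR the listed files: any UCDLoginID in any file is authorized.
    Assumption: surrounding whitespace and blank lines are ignored."""
    authorized = set()
    for contents in files.values():
        for line in contents.splitlines():
            login = line.strip()
            if login:
                authorized.add(login)
    return authorized

def decide(client_ip, allowed_nets, denied_nets, login=None, user_lists=None):
    """Return "allow", "deny" or "authenticate" for one request.

    allowed_nets / denied_nets are iterables of CIDR strings (hypothetical
    equivalents of the allow/deny and allowed_nets settings). `login` is the
    UCDLoginID once the user has authenticated with Kerberos, or None before.
    Assumptions: a denied range wins over an allowed one, and an allowed range
    skips the user-list check, because a user who never authenticated has no
    UCDLoginID to look up.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in denied_nets):
        return "deny"
    if any(ip in ipaddress.ip_network(n) for n in allowed_nets):
        return "allow"
    if login is None:
        return "authenticate"   # outside the allowed ranges: login required
    if not user_lists:
        return "allow"          # authentication only, no authorization files
    return "allow" if login in load_user_lists(user_lists) else "deny"

if __name__ == "__main__":
    campus = ["192.0.2.0/24"]   # constructed stand-in for the ucdavis.edu range
    print(decide("192.0.2.10", campus, []))                     # allow
    print(decide("203.0.113.5", campus, []))                    # authenticate
    print(decide("203.0.113.5", campus, [], login="carol",
                 user_lists=SAMPLE_USER_LISTS))                 # allow
```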