Access

Chuck Bearden cbearden at sparc.hpl.lib.tx.us
Tue Jul 15 14:12:16 EDT 1997


On Tue, 15 Jul 1997, Lissa Lord <llord at blue.weeg.uiowa.edu> wrote:

> The University of Iowa Libraries are assessing several major information
> products available via the Internet. 
> 
> My question to web4lib:
> 
> Is it possible for university staff and students to access these services
> when not at a campus computer with university IP address?

First of all, I wonder if your license of the product includes the right 
to make it accessible to your users from sites outside your network.  
Could it be that your vendor doesn't permit this, even if it is 
technically feasible to authenticate remote users?  

There are a couple of ways this kind of thing can be made to work.  They 
aren't necessarily easy.  

If the service is web-based, one could write a CGI script that prompts the
user for user ID and password, and queries a database of valid users for
that user.  If the user is authenticated, the CGI passes a token of that
authentication to another CGI that handles the login at the vendor's side. 
In the absence of the token, the 2nd CGI won't go, preventing users from
invoking it directly, without validation.  This assumes that the vendor
(like OCLC with FirstSearch) supports a validation scheme other than IP. 
Our vendor, CARL, is writing such a script for us to hook into the
FirstSearch CGI. 

In the case of an IP only validation scheme, I suspect that you could set
up a proxy server in your network with a valid IP address, and have remote
users make their telnet or www connections and requests through it.  I
believe you could require authentication at your proxy to prevent remote
users who aren't among your clientele from abusing the product.  The
problem here is how to make use of existing records of valid users
(university registrations, library records, accounts on other machines). 
Developing a program or script to validate a user against such a database
(probably on another machine) is probably not a trivial task, unless the
database already offers such a service (e.g. library systems that permit
users to query their own library records: one could use the same resources
as hooks for validating use of the proxy).  Don't ask me how to write such
a program--maybe one day.  Things like NIS on Sun or Linux, or NT domains
could probably let you share account information for large groups of
computer users in your institution, should you wish to base your
validation on that kind of information.  You could also ask that those
wishing to use the product remotely apply for an account on the proxy. 

Hope these ideas help.

Chuck
-------------------------------------------------------------
Chuck Bearden			email: cbearden at hpl.lib.tx.us
Network Services Librarian
Automation Department		voice: 713/247-2264
Houston Public Library		fax:   713/247-1182
500 McKinney Ave.
Houston, TX  77002		
-------------------------------------------------------------
      -=>HPL's Homepage: http://sparc.hpl.lib.tx.us<=-



More information about the Web4lib mailing list