[WEB4LIB] Off-site access to IP restricted resources

sean dreilinger sean at durak.org
Tue Mar 23 06:19:43 EST 1999


Stacy Pober wrote:
> I've looked at the Pass-Through Proxying article on the Scholarly
> http://www.stg.brown.edu/pub/proxydoc/Proxy.tr98.1.shtml

that's a great article, thanks for the link...
 
> but it discusses using Kerberos for authentication, and that seems like
> it's designed for full network access and may simply be overkill in
> our situation.  I think a much less complicated program can probably
> handle the login-via-barcode part of the system, since network
> security is not an issue.

re-reading your situation, and having a look at your campus computing
center web page - it seems the main decision *is* how to design and
implement the user authentication. http://www.manhattan.edu/compcent/
doesn't say anything about existing campus-wide user authentication :-(. 

if your library sets up an authentication mechanism that would be useful
to every campus-affiliated computer user (via user-unfriendly barcodes
or other unique identifiers) you are effectively laying the foundation
for campus-wide authentication, if the computer center and other key
stakeholders will buy into it :-).
 
> And I don't know if we have the technical expertise available to us
> to implement that setup locally in any case.

if approached as a campus-wide initiative to extend the reach of
computing and library services there may be budget to outsource the
design and setup - although that goes above and beyond your immediate
goal of letting the right folks query their databases in peace.
 
> The other choice would be a normal proxy server with a login module
> to allow for user authentication.  But there can be some bumps along

afaik that is *the* choice, worded differently. you need to authenticate
your users before you give them access to the proxy server, or else your
free-for-all proxy server becomes a robin hood database portal (or a
database license violator, depending on point-of-view).

> that road, as well.  In the article cited above, the author notes:
> >It turns out that some proxy servers can be outfitted with specially secured
> >authentication packages, but in fact doing this requires special client software
> >and/or plug-ins to work. This is a problem, because it creates a need for a lot of

shouldn't be necessary, except perhaps for kerberos. i felt the article
(which is excellent) was overly harsh on the idea of the library or
campus becoming its own CA (certificate authority) and issuing client
certificates for users to access <<YOUR DATABASE or COMPUTING RESOURCE
HERE>> over ssl with `security' and `privacy' from off-campus.

even if you don't use the client certificates, an ssl web server can
provide a `secure' interface to exchange user authentication info
(username/password) with a campus-wide user directory, perhaps LDAP or
for your campus the LDAP interface to the Netware Directory Services.

> I really don't want to re-invent the wheel.  And frankly, since I'm the one

my $.03 is to view it as a somewhat wider issue of all-campus access to
computing resources, see if the computing center will cooperate on
setting something up that spares you (and them) future reinvention or
juggling of user data. but that may be biting off more than you want to
chew - very curious to know how you resolve it...

> If you have a solution that you're happy with and willing to share, please
> send it along.

for apache-supported authentication and security modules (all
server-side) browse here: http://modules.apache.org/search  (run an
empty search to pull up the full list of apache modules, those with
`auth' in the name are typically authentication modules that interface
with a *wide* variety of conventional and unconventional authentication
mechanisms).

a good starting point (with exceptionally well-written documentation)
for setting up and operating your own secure web server and CA can be
accessed here:   http://www.engelschall.com/sw/mod_ssl/

those links lead to `free' software which should be compatible with the
current manhattan.edu web server (apache 1.3.0 on aix), with luck the
person who set that server up for the university will have time and
desire to help with your project.

> Information Alchemist         http://www.manhattan.edu/library/

you have a killer job title and an inspiring photo on your library
homepage!

good luck & please share what you end up doing...
--
                          sean dreilinger, mlis
                          mailto:sean at durak.org
                          http://durak.org/sean
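The authenticate-before-proxying point made in the reply above, as an added example that is not part of the original post: an Apache httpd configuration fragment with the open-proxy setting beside the corrected one, the latter forcing SSL and checking each user against a campus LDAP directory before any request is relayed. It assumes Apache 2.4 directives (not the 1.3 server mentioned in the post), that mod_ssl, mod_proxy, mod_proxy_http, mod_ldap and mod_authnz_ldap are loaded, and that the hostnames, file paths and LDAP URL are placeholders.

```apache
# Constructed example, not from the original post. Apache 2.4 syntax.
# Hostnames, certificate paths and the LDAP URL are placeholders.

# --- Weak configuration: an open forward proxy -------------------------
# Anyone who can reach port 8080 can relay through the campus address and
# look like an on-campus user to every IP-restricted database.
<VirtualHost *:8080>
    ProxyRequests On
    <Proxy "*">
        Require all granted
    </Proxy>
</VirtualHost>

# --- Corrected configuration: SSL plus directory authentication --------
# The proxy only listens over TLS, so usernames and passwords are not sent
# in the clear from off-campus, and every relayed request must come from a
# user who is in the library-patrons group of the campus directory.
Listen 443
<VirtualHost *:443>
    ServerName proxy.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.edu.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.edu.key

    ProxyRequests On
    ProxyVia On

    # Record which authenticated user (%u) reached which database URL,
    # so licence questions from vendors can be answered from the log.
    LogFormat "%h %u %t \"%r\" %>s %b" proxylog
    CustomLog logs/proxy_access.log proxylog

    <Proxy "*">
        AuthType Basic
        AuthName "Library off-campus access"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub"
        # Deny everyone who is not an authenticated member of the group;
        # a valid directory account alone is not enough.
        Require ldap-group cn=library-patrons,ou=groups,dc=example,dc=edu
    </Proxy>
</VirtualHost>
```

Run `apachectl configtest` after editing and confirm from an off-campus address that an unauthenticated request through port 443 is refused with 407 before any database vendor sees the campus IP.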

