Remote User Authentication in Libraries

Remote User Authentication in Libraries
Database Vendor Authentication Info
University Authentication Projects
Products and Services
Proxy Servers and Authentication
Microsoft Internet Information Server and Authentication
Apache and Authentication
Perl, CGI and Authentication
SSL and Cookies
LDAP and Kerberos
Linux/Unix and Authentication
User Authentication on the Web

Remote User Authentication in Libraries

"Libproxy is a simple rewriting pass-through proxy system designed especially for libraries." Written by Richard L. Goerwitz III.  Also inlcudes an overview of other available remote authentication methods.

Vital Connections: Remote Users and Licensed Resources
Powerpoint slides from a presentation by Leslie Diaz and Steve Hunt at the California Library Association Annual Conference, Nov 5, 2001, Long Beach, Calif. 

Presentations by Linda Winters, Leslie Diaz and Steve Hunt at a CCL/CLA-Academic Section sponsored workshop, held Friday, March 9, 2001 at Santa Ana College;  Friday, March 16 at Laney College.

Are You Who You Say You Are?
Network Access Management in California Community College Libraries. Prepared for the Glendale Community College Library by Nancy Hunt-Coffey. Also available in PDF

APLA - remote access
Authenticating off-campus users to provide access to licensed databases. APLA conference session - June 2, 2001, Charlottetown, Prince Edward Island.

eLib Authentication Concertation Day
Presentations from a concertation day looking at issues surrounding authentication. The eLib Authentication Concertation day took place at SOAS in London on 10th March, 1999. The Electronic Libraries Programme (eLib) is funded by the Joint Information Systems Committee (JISC)

Authenticated Off-Net Access to Commercial Library Resources
By Mark Sheehan and Allen Porter. This article was published in CAUSE/EFFECT journal, Volume 22 Number 2 1999.

Management of Access to Networked Information Resources (User Authentication)
Proposal by Council of Australian University Libraries and Council of Australian University Libraries. The aim of the proposal is to provide a common means of authentication and authorisation to provide researchers with single signon access to a range of networked information resources, independent of the researcher's location and means of access to the network.

Proxy Web Servers in Libraries
Slides from presentations at LITA Regional Institutes, results from a survey of web proxy servers in libraries, and a solutions page, all by Peter Murray, Computer Services Librarian, University of Connecticut School of Law.

Referral URLs for Patron Access to Premium Databases
Discussion of use of scripts for login and use of referral URLs as well as information of the approaches favored by several database vendors.

Using Proxy Servers - Presentation to Spring 1999 CNI Meeting
Using Proxy Servers to Provide Authenticated Access to Web Resources. By Jonathan Esterhazy, University of Manitoba Libraries.  See also his proxy-paper.pdf

CGI Scripts for Access to Commercial Web Servers
Remote access authorization for commercial databases requiring IP validation and username/password validation -- Lynx URL rewriter in use at Texas Christian University, by Kerry Bouchard.

Authorization/Authentication for Patron Remote Access to Electronic Resources
Powerpoint presentation and links to code and examples. Presented at DRA Users' Conference, March 2000, by Kerry Bouchard.

Providing Access to Licensed Databases for Remote Library Users
How Dan Lester does things right at Boise State University.

Implementing a National Access Management System for Electronic Services
Article from D-Lib Magazine,  March 1998 by Norman Wiseman, University of Nottingham.

The Complexity of Accessing Electronic Licensed Resources Using the WWW
Prepared by Linda Suk-Ling Murphy, Health Sciences & Electronic Resources Librarian, University of California-Irvine, Medical Center Library.

WebRelay: A Multithreaded HTTP Relay Server
A relay server that can ensure session control for the basically stateless HTTP protocol and establish connections with a designated remote database web server on behalf of library patrons, with authentication. Code available on request from the author, Peter Zhang of the University of Calgary.

PRIDE project fact sheet
People & Resources Identification for Distributed Environments (PRIDE) will develop a broker service to support the identification and delivery of information services over the Global Information Infrastructure (GII). The resulting PRIDE directory service support authorisation, registration and cost recovery, plus integration with other interfaces to library services which are essential in networked service scenarios.  A project of the Telematics for Libraries Programme of the European Commission.

Authentication Issues for the Library Information Environment: Background and Technologies
A Powerpoint presentation, Vanderbilt University, July, 1998.

User Authentication and Authorization on the Web
Presentation from a Canadian Library Association Preconference workshop, June 1998

CWRUnet Web Proxy Services Overview
Case Western Reserve University Library presentation at the Innovative User's Group; 2-5 May 1998, by Peter Murray, Library Systems Manager.  Includes Perl scripts.

Access Ď98 Authentication & Security
Slides from a presentation at Access '98, Oct. 2-4, 1998, Saskatoon, Saskatchewan, by George Machovec, Technical Director, Colorado Association of Research Libraries.  Also available as a PPT file.

FirstSearch in Your Nighty
Discussion of authentication tools from the Internet Librarian column in American Libraries, by Karen G. Schneider.

VEL Security/Authentication Issues
Security/Authentication Issues in the CIC Virtual Electronic Library.  Outlines the major network security and authentication issues related to the CIC Virtual Electronic Library. CIC is the is the academic consortium of the Big Ten universities and the University of Chicago.

User Authentication and Authorization in a Networked Library Environment
By George Machovec, Technical Coordinator, Colorado Alliance of Research Libraries, November 1997.

TOLIMAC research project
The aim of the TOLIMAC project was to develop a smartcard-based system for controlling access and managing payment of electronic information products and networked services in a library environment. Final Report of the TOLIMAC project (Total Library Management Concept) which was funded under the Fourth Framework programme Telematics for Libraries of the Commission of the European Communities DGXIII. The project started on 16 October 1996 and ended on 15 June 1999.

CANDLE Controlled Access to Network Digital Libraries in Europe
"The CANDLE Project will develop an access management system for electronic journals to be used in libraries.  Features of the system will be: 1. Role based access control  2. Single sign on  3. Subscription management  4. Detailed usage statistics"

Report on Research into Strategies for Implementation of Seamless Access for Saskatchewan Public Libraries
Prepared by Darlene Fichter, Northern Lights Internet Solutions Ltd. January 21, 1999.
A Collection of Resources on Authentication
By Tom Klinger at Kent State University.

Internet Resources: Authentication
Catalogue of internet resources on authentication from BUBL Link

Authentication & Authorization: a guide
Includes a resource directory, links to twelve key studies, information on projects and initiatives and archived discussions of the authentication mailing list.  The site is maintained by Andrew Cox, researcher on the JTAP funded (627) Candle - Athens Integration Project.

Digital Library Authentication and Authorization Architecture
"Under DLF auspices, the California Digital Library, Columbia University, JSTOR, and OCLC have developed a protocol that enables an information resource provider to verify that a user bearing a digital certificate has authority from a home institution to use a requested resource. The prototype system developed combines the use of X.509 digital certificates for authentication with a directory service providing authorization to  licensed resources based on user attributes."  See also  this.

Authentication: Progress in the UK
"A sound authentication system is recognised to be a fundamental requirement of a distributed electronic resource, and development of a suitable system is a high priority in the UK. This paper describes the JISCís activities in the authentication field"

Authentication: Progress in the US
"The growth in online services is increasing the demand for authentication systems to manage access and improve security for network users and network service providers. The paper provides an overview of issues which are currently arising in the United States in the area of authentication."

Security, Authentication, and Authorization: Bibliography
Bibliography with links, compiled by Keith Powell and Wayne Jones, from a presentation at the American Library Association, Annual Conference, New Orleans, LA, June 27, 1999.

Remote Access & Authentication
Slides from a presentation by Wally Grotophorst, George Mason University, Dec. 9, 1997.

Implementing policies for access management
By William Yeo Arms, Corporation for National Research Initiatives, Reston, Virginia.  An article from D-Lib Magazine, February 1998.

Pass-Through Proxying as a Solution to the Off-Site Web-Access Problem
This report outlines a simple solution to the universal academic problem of off-campus access to on-campus (IP restricted) Web-based  resources. This solution costs little; requires no special client software; works with a variety of authentication methods; allows fine-grained control over what services can be accessed; and offers both reasonable security and speed. By Richard Goerwitz, Brown University Scholarly Technology Group, Providence, Rhode Island.  Earlier versions of this paper can be found here and here.

Safeguarding Digital Library Contents and Users Assuring Convenient Security and Data Quality
By H. M. Gladney and J. B. Lotspiech, IBM Almaden Research Center, San Jose, California.  An article from D-Lib Magazine, May 1999.

User Authentication at Public Internet Terminals: Who Is Doing It?
A non-scientific email survey performed by Eric Schnell ( Last Updated: Friday September 04 1998.

Got Milk? Got Cookies? Got Authentication? Two presentations discussing the use of cookies and tokens for authentication.

Access Management of Web-based Services An Incremental Approach to Cross-organizational Authentication and Authorization
By Ariel Glenn and David Millman, Columbia University, New York, New York.  An article from D-Lib Magazine, Sept. 1998.

Remote Authentication and Authorization for JSTOR
By Ira H. Fuchs, Chief Scientist, JSTOR, Vice President for Computing and Information Technology, Princeton University, September 3, 1998. See also JSTOR Remote Authentication

Libweb Library WWW Servers
Libweb currently lists over 5500 pages from libraries in over 100 countries. Maintained by Thomas Dowling.
Useful for seeing how other libraries have presented remote access authentication and resources to their users.

LibDex - the Library Index
Libdex is a worldwide directory of  library homepages,  web-based OPACs,  Friends of the Library pages, and  library e-commerce affiliate links. Currently includes over 16,000 libraries. Edited and compiled by Peter Scott.
Useful for seeing how other libraries have presented remote access authentication and resources to their users.

Google Search: library "off campus" database OR databases
Google Search: library proxy
A more efficient way to see what other libraries are saying to their users about remote access.

Database Vendor Authentication Info

ProQuest Secured Access
Information on authentication for Proquest databases.

Grolier Online Access and Authentication Policies
Information on authentication for Grolier databases.

LexisNexis Academic Universe RPA
Getting Started with Remote Patron Authentication

University Authentication Projects

UCLA Authentication Project
Information on a UCLA project to authenticate users for access to network resources

Authentication projects at University of California, Columbia University, University of Colorado, Boulder.

UCCAP - Overview
The aim of the University of California Common Authentication Project (UCCAP) is to produce a UC Common Authentication System (UCCAS)

Towards a UW Authentication & Authorization Infrastructure
Slides from a presentation at the University of Washington, May 26, 1999.

Authentication in UK Higher Education Conference November 2nd 1999
Powerpoint presentations and links from the Conference held at the Policy Studies Institute, London.

Requirements for Authentication, Authorisation and Privacy in Higher Education
Findings from the first stage of the Study into the Requirements for Authentication, Authorisation and Privacy in Higher Education, by  John Leach.

Leeds University User Registration & Certificate Issuing System
JTAP-595. Leeds University Computing Service and Leeds University Teaching & Learning Support Unit.

Proposal: Authentication Services
Proposal for Implementation at the University of Connecticut  Computer Information Systems, University Computer Center, November 1997.  See especially Appendix: University Library Authentication Requirements

ATG@ITC - University of Virginia Authorizing Proxy Server
Protected access to licensed resources for authorized users, on-campus and off-   A project at the University of Virginia using Squid, MySQL and Perl for authentication access to resources.

User Authentication
A Model for an Enterprise-wide User Authentication Service. January 18, 1998, April 8, 1998.  By Michael Grobe, Academic Computing Services, The University of Kansas. This document discusses several aspects of user authentication for access to various networked services at the University of Kansas.

Web Validation Project
Purpose: to define different levels of information and associated access rights that will allow for an organized growth of Intranet and Internet content at Embry-Riddle and standardize on a limited set of authentication mechanisms to reduce administrative overhead and improve usability of the web site.

UW Id-Auth-EComm Project
University of Waterloo project for identification and authentication.  See Web/ID-AUTH: Project Goals for a library-related component of this project.

Trial CIC Authentication and Authorization Project (TRICAAP)
"TRICAAP will be used to demonstrate an architecture which provides for security of content across multiple environments and enables secure inter-institutional interaction without dictating a specific technology implementation."

User authentication on ColumbiaWeb
Documentation for Columbia University authentication applications CHEESE, a script-based form of authentication, and CheeseWhiz, which relies on the regular HTTP protocol.

BMRC Authentication Project
Project at UC Berkeley to investigate secure authentication of university community members for access to web based services.

Papers on Authentication and Web security
Reports prepared for the UK Joint Information Systems Committee (JISC) on technologies to support authentication in higher education.  Including  Technologies to Support Authentication in Higher EducationImplementation of JANET authentication and encryption services and Web Security Report.

Products and Services

"EZproxy provides the easiest way for libraries to extend web-based licensed databases to their remote users."

Obvia Remote Database Access Service
"The Complete Solution for all your Remote Authentication Needs"  A turnkey product for remote access authentication.

Remote Patron Authentication
An integrated remote patron authentication solution from EpixTech (formerly Ameritech) for customers of their Horizon, Dynix, NOTIS LMS, and KeyNOTIS systems.

Athens - Access Management Service
"ATHENS is an authentication system which allows control of access to online resources. ATHENS has been available since early summer 1995 and is currently in use at over 2000 sites in the UK."

Clarity Proxy Authentication
Clarity is a web proxy based on Squid.

IIS Authentication with AuthentiX
"Form-based or 100% cookie-free 'Basic Authentication' website protection while keeping your NT users names and passwords private. Protect all files, not just ASP pages. Validate against internal database, text file or external ODBC datasource."

Proxy Servers and Authentication

Proxy Servers and You
Proxy servers work as a helpful "middleman" or broker between you and your Internet connection. Although a few people feel that proxy servers detract from the wide-open nature of the Web -- and proxies do have their issues -- this type of Web server provides some very useful networking functions.

Welcome to the WEB Proxy Server Information Page
What web proxy servers are and how they work.  The different types of proxies, and what they accomplish.  What proxies do and how do they do it.

Proxy Servers
Proxy Server Overview. Although proxy servers have been around for a long time (since the early days of the WAN), the Internet has transformed them. Where they were once an esoteric server found in only the largest corporations, they are now to a critical component of all but the smallest organizations with an Internet connection (and these days some can even be found in private homes).

Proxy Client Autoconfig File Format
Describes the format for Proxy Auto-Config (PAC)  files.

Google Search: library proxy.pac
Want to see other libraries' proxy.pac files?  Enter the proxy.pac URL then open the file in Wordpad for best results.  This works in IE 5.5; Netscape 4.7 sends an error message about an unrequested proxy configuration file.

Proxy.pac Perl script
A script written by Niall Doherty that dynamically creates a proxy.pac file based on user IP address.   From the Squid users mailing list.

Web Proxy Auto-Discovery Protocol
IETF draft document describing the Web Proxy Auto-Discovery Protocol (WPAD) which  permits web clients to locate nearby web proxy servers. Note: this draft expired 12/99 - for informational purposes only.

Auto-Proxy Functions Supported by Internet Explorer
Q209266  from Microsoft Knowledge Base.  Includes PAC code examples.  Covers IE 4 through 5.5.

Configuring Cisco Authentication Proxy
Describes the Cisco IOS Firewall Authentication Proxy feature. Authentication proxy provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by user provides more robust protection against network attacks. From the Cisco IOS Security Configuration Guide, Release 12.1

Netscape Proxy Server Administrator's Guide Version 3.5 for Unix
Netscape Proxy Server Administrator's Guide for Windows NT
"Netscape Proxy Server is a high-performance server software product. It is designed for replicating and filtering access to web-based content."  Includes sections on authentication.

DeleGate Home Page
DeleGate is a multi-purpose application level gateway, or a proxy server which runs on multiple platforms (Unix, Windows and OS/2). DeleGate mediates communication of various protocols (HTTP, FTP, NNTP, POP, Telnet, etc.), applying cache and conversion for mediated data, controlling access from clients and routing toward servers.  Created by Yutaka Sato.

Proxy Servers and Caching

Brian D. Davison's Web Caching and Content Delivery Resources
This site is dedicated to providing a comprehensive guide to the resources about and in support of caching on the World Wide Web.
Includes an extensive list of proxy cache systems and services.

A Survey of Proxy Cache Evaluation Techniques
Proxy caches are increasingly used around the world to reduce bandwidth requirements and alleviate delays associated with the World-Wide Web. In order to compare proxy cache performances, objective measurements must be made. In this paper, we define a space of proxy evaluation methodologies based on source of workload used and form of algorithm implementation. We then survey recent publications and show their locations within this space. By Brian D. Davison, Department of Computer Science,  Rutgers, The State University of New Jersey.

Proxys 4 All
List of public proxy servers. Also includes proxy auto config information, auto-proxy checker scripts, environment checkers, and 'WebSpoof' an HTTP Referrer Spoofer.

Cache Now!
The Cache Now! campaign is designed to increase the awareness and use of proxy cache on the Web. Includes list of proxy resources.

High Performance Web Caching With Squid
This document explains in some detail how to achieve high end performance from the excellent (but slow by default) open source Squid web caching proxy. By Joe Cooper.

Proxy Internet Access With Squid
Using Proxy Servers To Restrict, Log, And Accelerate Internet Access  By Tim Orbaker, March 06, 2000.  BYTE Magazine.

Caching the Web with Linux
Improve your users' browsing and save your bandwidth by using proxy servers to cache web pages. By David Guerrero, January 1999.  Installing and using Squid, configuring browsers to use cache. Cache hierarchies.

Firewall and Proxy Server HOWTO
This document is designed to describe the basics of firewall systems and give you some detail on setting up both a filtering and proxy firewall on a Linux based system.  By Mark Grennan.

Transparent Proxy with Squid mini-HOWTO
This document provides information on how to setup a transparent caching HTTP proxy server using only Linux and Squid. By Daniel Kiracofe.

Squid Proxy Server

Squid Web Proxy Cache
"Squid is a full featured web proxy cache designed to run on Unix systems, free open-source software, the result of many contributions by unpaid volunteers and funded by the National Science Foundation.  Squid supports proxying and caching of HTTP, FTP, and other URLs, proxying for SSL, cache hierarchies, ICP, HTCP, CARP, cache digests, transparent caching, WCCP (Squid v2.3), extensive access controls, HTTP server acceleration, SNMP and caching of DNS lookups."

SQUID Frequently Asked Questions: Authentication
How does Proxy Authentication work in Squid? How do I use authentication in access controls? Does Squid cache authentication lookups? Are passwords stored in clear text or encrypted?

Squid - Introduction
Introduction to setting up a Squid server, with a section on authentication. From the ISPPlanet Cache Review Series.

Squid development projects
This SourceForge site hosts various Squid development projects. The purpose of this site is to boost and open up Squid development for features not yet ready to be merged into the main Squid distribution. Anyone interested in developing some feature in Squid are welcome to host their development here for sharing with other Squid developers.

Squid and Web utilities
Add-ons for the Squid proxy cache server.

Squid ACL Proxy Authentication with External Programs
This ACL Proxy Authentication with External Programs patch implements proxy authentication as a normal ACL and with external authentication programs which are allowed to block. It is a generalization of my earlier patches which were based on the original proxy_auth code provided by Jon Thackray <>.

Squid NTLM authentication project
The NTLM authentication project aims at providing Microsoft NTLM proxy authentication support for Squid.

SMB Proxy Authentication
smb_auth is a proxy authentication module. With smb_auth you can authenticate proxy users against an SMB server like Windows NT or Samba.

LDAP Authentication for Squid
"Arjan de Vet has done a great job devising a method to bind external authenticators into squid. Packaged with Arjan's patch comes a password file authenticator for NCSA password files. Based on this program I wrote my own little authenticator for LDAP. "

Squid ldap authentication module 0.2
The Squid LDAP authentication module allows a Squid proxy server to authenticate against an LDAP server and is a more flexible replacement for the LDAP authentication module supplied with Squid. By Guy Antony Halse on October 19th 2000, 19:44 EST

Squid CVS repository for latest versions of authentication modules.

User and Group LDAP Authentication for Squid
This patch patches the Squid proxy server to support static and dynamic LDAP group lookups when doing LDAP authentication.

Microsoft Proxy Server and Microsoft Internet Security and Acceleration Server

Microsoft Proxy Server
"Microsoft Proxy Server 2.0 is an extensible firewall and Web cache server that provides Internet security while improving network response time and efficiency."

Microsoft Internet Security and Acceleration Server
"Microsoft Internet Security and Acceleration (ISA) Server 2000, the successor to Proxy Server 2.0, is an extensible enterprise firewall and Web cache server that integrates with Windows 2000 for policy-based security, acceleration, and management of internetworking."  See also the MS TechNet ISA page and the docs for the Enterprise Edtion.

Authentication Options and Limitations Using Proxy Server 2.0
Describes the options and limitations for using authentication with Microsoft Proxy Server 2.0 and client Web browsers. (Article ID: Q198116)

Understanding Microsoft Proxy Server 2.0
Discussion of proxy server features and architecture, access control, encryption, and firewall strategies. By NeonSurge.

Coopers & Lybrand: Microsoft Proxy Server Security Evaluation
This case study presents the results of tests designed to evaluate Microsoft Proxy Server security. Interconnectivity security issues and the Microsoft Proxy Server features designed to address these issues are presented. April 1997.

Troubleshooting Microsoft Proxy Server
Explores some of the problems you may run into when working with Microsoft Proxy Server. Several troubleshooting topics are covered, including installation, configuration, error messages, security issues, and client access problems.

Microsoft Internet Information Server and Authentication

IIS: Authentication & Security Features
Authentication and security features of Microsoft Internet Information Server. (from the Microsoft Knowledge Base)

How IIS Authenticates Browser Clients
This article describes the different authentication methods available in IIS for both Windows NT 4.0 and Windows 2000. Article ID: Q264921.

IIS Authentication Methods
From Windows 2000 magazine, April 25, 2000, by Allen Jones.

How to Authenticate a User Against All Trusted Domains
By default, Internet Information Server (IIS) validates an unqualified user logon ID against either the local computer's user database or the domain which the server is a member of. This article describes how to configure IIS to validate the unqualified user logon against all trusted domains and the user accounts database. Article ID: Q168908.

Authentication methods in IIS5
Part of the excellent IIS-FAQ  site, which has many other articles on IIS authentication issues.

Authentication Methods in IIS
In IIS you can setup various authentication methods for entire sites or virtual directories. These authentication methods determine who can access the Web pages in the site/virtual directory. By Akhilesh.

Authentication and Security White Paper for Internet Developers
Windows NT security as it relates to Internet Information Server (from the Microsoft Knowledge Base)

Apache and Authentication

Web Authentication/Security
A brief survey of the authentication methods available with the Apache web server. An emphasis on the practical application of those methods, the addition of custom methods, some observations on the security model, and resulting risks. Presenter: Reg Quinton, University of Waterloo. Slides from a presentation at Access 99: The Web: Portal to Information,  Monday, October 25 - Wednesday, 27 - Guelph, Ontario.

HTAccess Authentication Tutorial
Covers web-based user authentication using htaccess, a feature supported by Apache and other web server software.

Using User Authentication
Article on htaccess using Apache from Apache Week

DBM User Authentication
Article on htaccess using DBM under Apache from Apache Week.

Authentication & Authorization
A chapter from the O'Reilly book Writing Apache Modules with Perl and C, by Lincoln Stein and Doug MacEachern.

Apache Web Server -- Proxy Authentication Setup
Describes the steps required to set up the Apache web server to function as an authenticated proxy, with specific reference to the needs of the University of Waterloo Library.

Apache module mod_proxy
Documentation for the Apache proxy module from the Apache web site.

This module allows proxying of web sites without any configuration changes on the client's part. The client is simply pointed to a URL using this module and it fetches the resource and rewrites all links to continue using this proxy.

SourceForge: Project Info - The Mod_Perl Rewriting Proxy
"This is a lightweight proxy, written on Apache's Mod_Perl and designed for places where other proxies are unappliable or undesirable."

Apache::ProxyRewrite - mod_perl URL-rewriting proxy
"Apache::ProxyRewrite acts as a reverse-proxy that will rewrite URLs embedded in HTML documents per apache configuration directives.  This module was written to allow multiple backend services with discrete URLs to be presented as one service and to allow the proxy to do authentication on the client's behalf."

Apache External Authentication Module. Mod_Auth_External is a flexible tool for creating authentication systems based on other databases.

Perl, CGI and Authentication

Authentication-related Modules Available on CPAN
CPAN is the Comprehensive Perl Archive Network.  Many of these modules related to authentication are written to work with the Apache web server, and provide for support handling cookies, NT authentication and more.

A Short Guide to DBI
The Perl Database Interface Module.  About relational databases.  About SQL. What DBI is for. Examples and explanation of how to use DBI.  By Mark-Jason Dominus.

DBI - A Database Interface Module for perl5
"The DBI is a database interface module for Perl. It defines a set of methods, variables and conventions that provide a consistent database interface independent of the actual database being used.''

Matthew's Authentication Script Area
Scripts and instructions which depend on the CGI-modules-2.75 library and work on Linux 2.0, Apache 1.1, Berkeley DB and Perl 5.003, by Matthew Darwin at the University of Ottowa.

Database Logon Script
A Perl script that can be used to provide authentication to numerous vendor databases with one userid/database file, made available by its author,

POWER Library Scripts
A set of Perl scripts for authentication to databases using IP addresses or library user IDs, made available by Keith Ostertag, ATS Coordinator, Dauphin County Library System.

Authenticate and Track Users with PHP
An article from WebMonkey by Judy Meloni

How to spoof HTTP_REFERER
How hard is it to fake a referral URL or any other browser passed variable?  Here is an example showing how easy it is to do.

CGI Environment Variables
List of resources and tools on environment variables from the CGI Resource Index.

Overview of CGI Environment Settings
Web browser environment variables and how to access them, by Jon Hedley.

The World Wide Web Security FAQ
How to avoid security problems with CGI scripts and htaccess. How to protect confidential documents at your site.  Safe scripting in Perl.

CGI Resource Index
Information, documentation and tutorials regarding CGI programming. Hundreds of pre-made CGI's written in Perl and other languages.

Perl and CGI FAQ
"You can create a lot of magic by writing a CGI program/script. You can create graphics on the fly, access databases and return results and connect to other Internet information servers." - a Perl5 CGI Library
This Perl 5 library uses objects to create web fill-out forms on the fly and to parse their contents. It provides a simple interface for parsing and interpreting query strings passed to CGI scripts. However, it also offers a rich set of functions for creating fill-out forms.

SSL and Cookies

Introduction to SSL
This document introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. See also this Netsacpe TechBrief on SSL.

OpenSSL: The Open Source toolkit for SSL/TLS
"The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library."

Overview by Dan Kegel.  See also his SSL Acceleration page.

Apache-SSL is a secure webserver, based on Apache and SSLeay/OpenSSL. Not to be confused with mod_ssl.

mod_ssl: The Apache Interface to OpenSSL
This module provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols by the help of the Open Source SSL/TLS toolkit OpenSSL, which is based on SSLeay from Eric A. Young and Tim J. Hudson. Not to be confused with Apache-SSL.

SSL and Secure Servers
What SSL is and step-by-step instructions on how to create and sign your own SSL certificate.  Section from a course on Web Administration and Security, by Mark Burgess and Sigmund Straumsnes, Oslo College.

The Unofficial Cookie FAQ
Cookies are a very useful tool in maintaining state variables on the Web. Since HTTP is a "stateless" (non-persistent) protocol, it is impossible to differentiate between visits to a web site, unless the server can somehow "mark" a visitor. This is done by storing a piece of information in the visitor's browser. From Cookie Central.

How Internet Cookies Work
Article from Howstuffworks, by Marshall Brain.

The CGI Resource Index: Programs and Scripts: Perl: Cookies
Scripts to manipulate cookies in Perl.

RFC 2109: HTTP State Management Mechanism
This document specifies a way to create a stateful session with HTTP requests and responses. It describes two new headers, Cookie and Set-Cookie, which carry state information between participating origin servers and user agents

LDAP and Kerberos

Introduction to LDAP under Linux
From by Atif Ghaffar. 

An Introduction to LDAP
From the O'Reilly Network, by Luke A. Kanies.

Introduction to Lightweight Directory Access Protocol (LDAP)
Q196455 from Microsoft Product Support Services.

LDAP Introduction
By Lars Pind, May 8, 2000. 

An LDAP Roadmap & FAQ -- Directory Services Information
A tutorial aid to navigating various LDAP andX.500 Directory Services resources on the Internet.  By  Jeff Hodges.

From Yahoo.

Common LDAP RFCs
Q221606 from Microsoft Product Support Services.

LDAP Browser/Editor
Free LDAP Browser/Editor provides a user-friendly Windows Explorer-like interface to LDAP directories with tightly integrated browsing and editing capabilities.

Public LDAP Servers
A list maintainted by eMailman.

Information about installing, configuring, running and maintaining a LDAP (Lightweight Directory Access Protocol) Server on a Linux machine is presented on this document.

LDAP Implementation HOWTO
This document describes the technical aspects of storing application data in an ldap server. It focuses on theconfiguration of various applications to make them ldap-aware. By Roel van Meer and Giuseppe Lo Biondo

Linux LDAP Tutorial
Deploying OpenLDAP - Directory Installation and configuration (V1.2 and 2.0) 

Understanding LDAP
Microsoft document on LDAP, the directory service protocol used by the Active Directory service. 

OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol. 

Perl-LDAP Homepage
The perl-ldap distribution is a collection of perl modules which provide an object orientated interface to LDAP servers. 

LDAP Freeware Products
The Eudora LDAP Directory Server is an LDAP v2 server for Windows NT 4.0 (Workstation or Server) available in executable and source code form. 

Kerberos: The Network Authentication Protocol
Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

Basic Overview of Kerberos User Authentication Protocol in Windows 2000
Q217098 from Microsoft Product Support Services.

Information About the Windows 2000 Kerberos Implementation
Q248758 from Microsoft Product Support Services.

Answers to Frequently Asked Kerberos Questions
Q266080 from Microsoft Product Support Services.

Linux/Unix and Authentication

Linux-PAM Page
The Linux-PAM (Pluggable Authentication Modules for Linux) project provides a way to develop programs that are independent of authentication scheme. These programs need "authentication modules" to be attached to them at run-time in order to work.

PAM_SMB: NT Authentication for Unix
pam_smb allows authentication of Unix users against SMB servers (Windows NT and Samba servers, also Win 95).  It runs under Linux, Solaris, HP-UX and FreeBSD.  See also this.

PAM_NTdom: NT Domain Authentication for Linux and Solaris
Based on pam-smb, this module allows a Linux user to authenticate against an NT Server using the NT Domain Authentication Protocol.

User Authentication on the Web

HTTP Basic Access Authentication
HTTP 1.0 provides a simple challenge-response authentication mechanism which may be used by a server to challenge a client request and by a client to provide authentication information. From the IETF Internet Draft.

HTTP Authentication: Basic and Digest Access Authentication
RFC 2617 provides the specification for HTTP's authentication framework, the original Basic authentication scheme and a scheme based on cryptographic hashes, referred to as "Digest Access Authentication".  It is therefore also intended to serve as a replacement for RFC 2069.

A Guide to Web Authentication Alternatives
Jan Wolter discusses the two standard authentication systems which are described in the HTTP protocol documents: "basic authentication" which is supported by most browsers and HTTP servers, and "digest authentication" which isn't.  He then descibes various "do-it-yourself" alternatives to basic authentication.

Web Security Report
With sections on authentication and authorisation. By Andrew Cormack.

The CNI Program on Authentication Authorization and Access Management
which includes A White Paper on Authentication and Access Management, Clifford Lynch, editor, Coalition for Networked Information.

Open Authentication Systems For The Web
"The rapid growth in Internet services has led to a demand for scalable authentication systems to restrict access to licensed services (such as bibliographical services, databases, etc.) to authorised users. An increasing number of proprietary applications which provide authentication services are available. However such applications may only provide an interim solution, until authentication services based on open protocols are available. This article reviews developments to such open authentication protocols."

Authentication Tutorial
"This tutorial explains authentication: What it is, how you work with it, and what options are currently available to you."  A different version of this document here.

Common Authentication Technology (cat) Charter
The goal of the IETF Common Authentication Technology (CAT) Working Group is to provide distributed security services (which have included authentication, integrity, and confidentiality, and may broaden to include authorization) to a variety of protocol callers in a manner which insulates those callers from the specifics of underlying security mechanisms.

User Agent Authentication Form Elements
Discusses problems with existing methods of authentication and proposes a new HTML capability to aid in the development of authenticated web user interfaces. Submitted for consideration to the World Wide Web Consortium.

SRP: The Open-Source Password Authentication Standard
"The Secure Remote Password protocol is the core technology behind the Stanford SRP Authentication Project. The Project is an Open Source initiative that integrates secure password authentication into existing networked applications."

Handling Authentication
How the Microsoft Win32 internet API  handles http authentication.  Basic, Challenge-response and other types.  Proxy servers.

Regaining Single Sign-On
"In the mainframe era, computer users only had to remember one username and password as there was only one computer to access. With the advent of networks, people suddenly acquired many computing accounts each with a username and password to be remembered." by Andrew Findlay, Head of Networking and Systems, Brunel University, London. 21 April 1999.

last updated Nov. 6, 2001
compiled and maintained by Steve Hunt, Santa Monica College Library