Controlling Access with NetWare Web Access Controls

What Is Access Control?

Access control lets you determine who can access the server. There are two options for controlling access:

• User-Group: Requires users to enter a username and password before accessing the server. Or the server can use client authentication by checking an LDAP directory for a security certificate before giving access to a file or set of files on your Web site.
• Host-IP: Requires the user to view your Web site from a specific computer, where the server recognizes the computer by either its hostname or its IP address.

User-Group Authentication

You can require users to authenticate themselves before getting access to your Web site. Authentication means that users verify their identity either by entering a username and password or by using a client certificate installed in their Web browser. The first method of requiring the username and password is the traditional method, which can be done with or without encryption. The second method of using client certificates is the SSL method, which must be done with encryption on. Refer to the Novell Documentation Web site for more information on encryption.

Username and Password Authentication

If you require users to enter a username and password to get access to your Web site, you store the list of users and groups in an LDAP database, which can be either a file stored on the Web server computer or an LDAP server on a remote computer, for example, Novell Directory Services (NDS) using LDAP or by using NDS directly.

When users attempt to access a file or directory that has User-Group authentication, the Web browser displays a dialog box asking the user to enter a username and password. The server can get this information encrypted or not, depending on whether encryption is turned on for your server.

After entering the username and password, users either see the requested file or directory listing, or a message denying them access. This following figure shows the authentication window.

Figure 9
Authentication Window

IMPORTANT:  If your server doesn't use SSL encryption, the username and password that the end user types are sent unencrypted across the network. Someone could intercept the network packets and read the username and password being sent to the Web server. For this reason, User-Group authentication is most effective when combined with SSL encryption, or Host-IP authentication, or both.

Client Certificate Authentication

You can confirm users' identities with security certificates before giving the users access to your Web site. You can do this in the following two ways:

• The server can use the information in the certificate as proof of identity.
• The server can verify the certificate itself, provided the certificates are published in an LDAP directory.

When a request comes in and you have client authentication on, the server performs these actions in the following order:

• When the browser sends the certificate, the server checks if the certificate is from a trusted certificate authority (CA). If not, the server ends the transaction.
• If the certificate is from a trusted CA, the server maps the certificate to a user's entry using the CERTMAP.CONF file.
• If the certificate maps correctly, then the Web server follows the ACL rule, or command, specified for that user. The rule can deny or allow the request.

Host-IP Authentication

You can limit access to files and directories on your Web site by making them available only to people using specific computers. You specify hostnames or IP addresses for the computers that you want to allow or deny. You can use wildcard patterns to specify multiple computers or entire networks. If you want to use Host-IP authentication, you must have DNS running in your network and your computer must be configured to use it.

Users can access the files and directories immediately without entering a username or password. If the computer doesn't have access, the user will get a message denying access. You can also customize this message.

HINT:  It is possible for more than one person to have access to a computer. For this reason, Host-IP authentication is most effective when combined with User-Group authentication. If both methods of authentication are used, the end user will have to enter a username and password before getting access.

Access Control Files

When you use access control on your Web server, the settings are stored in a file with the extension .ACL. Access control files are stored in the directory server_root/server_typeACL, where server-type is the name of the server.

The main ACL filename is GENERATED-HTTPS-server-id.ACL. The temporary working file is called GENWORK-HTTPS-server-id.ACL. If you use the Server Manager forms to restrict access, you'll have these two files. However, if you want more complex restrictions, you can create multiple files and reference them from the MAGNUS.CONF file. There are also a few features available only by editing the files. For example, you can restrict access to the server depending on the time of day or day of the week.

You also manually create and edit .ACL files if you want to customize access control. For example, you might want to use an Oracle* or Informix* database of users instead of an LDAP database. To do this type of customizing, you need to use the access control API to program a hook into the server's access control structure. This API is written in C. For more information on the API, see the Netscape DevEdge Online site.