Locking down an intranet site

I am tempted to use C5 as an Intranet site for a client we have; they would like to have the site used by around 500+ clients worldwide.

Now I am getting pretty good at working on permissions and various blocks/packages, but I am not too sure of the best way to lock down a site to prevent unauthorised users from accessing it.

They are not too keen on having to sign in to access the site, but I have a couple of thoughts for this:

1- Login Groups - assign each location a user account. At this stage I could probably do with multiple groups in a tree structure, i.e. Users(country1=>(user1,user2..),country2=>(user1,user2..)) (Could this be done with c5? Or would I create two groups, then assign all to the clients, and then specific locations to a country-group?).
The "remember me" function when logging in: does this store a cookie? If so, how long is the expiry set to? I could get them to log in once at each location=>machine.

2- Set access based on IP. I have seen the IP Blacklist, but is it possible to use this as a whitelist, to only allow certain IPs to access the site?

3- A gateway that sets a cookie. I would rather not use this way, but I assume it's possible to create a block that on page view sets a cookie, which in turn allows access to the site without having to log in.



I would be interested to hear your ideas on how this could be implemented.

At this stage we are still in talks about the Intranet and what platform to use. We are using concrete to develop a micro site for them which will contain 1000+ pages, so it would be good if we could tie the overall site and administration areas together for both the micro-site and Intranet.

TheRealSean
LucasAnderson replied:
Just use .htaccess to whitelist your IPs. Problem solved?

http://sitefrost.com/showthread.php?tid=233...
jbx replied:
I'm currently doing the same thing and asking very similar questions. The solution I have currently is to authenticate with the Active Directory server. So the user enters their Windows user and pass, and C5 checks with AD via LDAP and logs them on. This works great, but it does involve a login. I'm thinking of also extending the cookie time to something like a week, so that users don't have to log in too often. I can't use the IP whitelist unfortunately, as staff need to be able to log in from anywhere.
If anyone knows how I could get C5 to automatically log in using their Windows credentials, that would be fantastic. I know there is a module for Apache, but that wouldn't log them into the site...

Jon
TheRealSean replied:
Thank you for your comments,

We have looked at using the htaccess for the IP whitelist; our client is quite keen on being able to content manage the site and access.

Also, at this stage I cannot guarantee that all the IPs will be fixed, as some of the smaller locations may possibly be dynamic.

It's unclear at this stage. The Windows login options could be a good solution, but I would not know where to begin with that one.
jbx replied:
Well, I could help you with setting it so that the user is authenticated against your Active Directory server. As it turned out, it really wasn't too difficult. I'm going to try and package up the files properly, so it has an easy-to-use dashboard interface too.

The users will have to enter their username and password, however, I personally don't think that is such a bad thing and you can always set a longer cookie time.

Jon
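
The check jbx describes above (the site passes the user's Windows username and password to Active Directory over LDAP and only logs them on if the bind succeeds), as an added example; it is not jbx's code and not part of concrete5. The controller URI and UPN suffix are placeholder assumptions, and creating the C5 session after a successful check is left out.

```php
<?php
// Added example: not jbx's code and not part of concrete5.
const AD_URI        = 'ldaps://dc01.example.internal'; // assumption: placeholder LDAPS endpoint
const AD_UPN_SUFFIX = '@example.internal';             // assumption: placeholder UPN suffix

/** Returns true only when Active Directory accepts the username/password pair. */
function adAuthenticate(string $username, string $password): bool
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which many directory servers report as success. Reject it before binding.
    if ($username === '' || $password === '') {
        return false;
    }
    // Allow only a plain account name so input cannot change the bind identity.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    if (strpos($password, "\0") !== false) {
        return false;
    }

    // Require a valid server certificate; must be set before connecting.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // Bind as the user: the directory verifies the password, the site never stores it.
    // "@" hides the PHP warning that a wrong password would otherwise emit.
    $ok = @ldap_bind($conn, $username . AD_UPN_SUFFIX, $password);
    ldap_unbind($conn);

    return $ok;
}

// Run from the CLI: php ad_auth.php <user>  (password is read from stdin)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $password = rtrim((string) fgets(STDIN), "\r\n");
    echo adAuthenticate($argv[1], $password) ? "accepted\n" : "rejected\n";
}
```

The web server must trust the CA that issued the domain controller's certificate, otherwise the LDAPS connection fails and every login is rejected.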
chunksmurray replied:
This would be an awesome addition, I think. I would be very interested in seeing how you got this working!
keithdmoore replied:
Can you please share how you did this? I am very interested.

Also, this module looks promising:

http://www.concrete5.org/community/forums/customizing_c5/packaged-l...
brownfieldc replied:
Did you ever get anything packaged up for LDAP integration?
frz replied:
We're hoping someone will step up to help with the generalization of authentication:
http://www.concrete5.org/about/blog/core-roadmap/authentication-fra...

That'd be awesome. I'm afraid of selling something for LDAP in the marketplace as it's such a custom problem.