Use LDAP directory for user authentication

Registered by snowman386

It would be nice if LDAP could be used for the Xibo user database and authentication so we dont have to manage separate accounts and passwords.

Blueprint information

Status:
Not started
Approver:
None
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
None
Definition:
Discussion
Series goal:
None
Implementation:
Unknown
Milestone target:
None

Sprints

Whiteboard

There's many ways to do this and poster hasn't included much detail and its been a while so if they are not offended I'll add some...

Either you can trust ldap by default ignoring the overlapping data about users in the (mysql) database or only use ldap to create an initial record for the user and use the existing code to handle from that point on.

LDAP password checking can be done in two ways either a privileged bind and then comparing the strings after appropriate hashing or more commonly an authenticated bind as the user in question.

I reckon most LDAP installations will be doing some degree of authorisation with it as well so mapping the usertypes to appropriate LdapGroups and/or posixGroups would be a nice touch.

LDAP servers die (ok mine do...:-) so supporting a list of servers would be great.

TLS and SSL support is necessary these days.

An admin interface for ldap can be a little chicken-and-egg, as you need to be authenticated before you can change the authentication mechanism.

I wouldn't want to step on developers toes, but it looks like extending module_user_general.php would be appropriate and err... admin.class.php for settings and "Test this connection" function?

KEJ ------

 Absolutely. Although I might also say that it's probably best to look at LDAP authentication in a more open way.

 The simplest way to authenticate a user is to take their credentials and attempt a bind with them. If it fails then they aren't valid users. The crux of the matter is as you mention but possibly not as difficult to implement as you suggest.

 To get user lists that an admin can use within Xibo (to link up to users) will generally only require a valid account. Most user accounts are able to log in to an LDAP server and lookup other accounts within reason.

  It would be a bit silly if they couldn't use LDAP as the directory that it was born to be!

 It's fair enough, that that you'd need a special account to be able to access password fields etc but as mentioned, you just take the users credentials at login time and attempt a bind to validate them so being able to get a list of user accounts works well enough. :-)

--- Alex H
I may take a look at this for 1.3 series as it would be handy for me too. How deep do people think the integration should go?

For example, it would be pretty trivial to extend the system to offload authentication to ldap (infact alot of the code is there already, it just needs a refactor to get it to work with the updated infrastructure). When you log in from LDAP auth for the first time, Xibo would make a local account for you in the DB and all the other permissions (eg display group security, group memberships etc) would reside locally.

More work would be to introduce some kind of mapping between Xibo groups and LDAP groups so that LDAP groups are king and Xibo falls in to line.

What I'd ideally like is a system where Xibo creates a user in its DB when you log on from LDAP - and vampires the password you give so it's cached locally in the Xibo DB. Then there would be a priority list of authentication plugins to try - so say LDAP is priority 1, a request goes out to LDAP and if sucessfull you're authenticated and your group memberships etc are cached over to the DB. If the LDAP server were down, then the authentication would fall through to the next authentication scheme down - say the Xibo DB. That's great because it means that if the LDAP server were down, or remote (so not too much bandwidth is used) then you can still log in if there are problems. However I'm not sure how you deal with the LDAP server saying "no - this person isn't authenticated". Does that drop that users credentials from the database? What happens to the assets they own etc?

--
PWust. 2010-07-19:
What about user auth against a directory service using Apache's auth modules? I personally would be happy having Xibo server running on https, and having users authenticated against LDAP. All autorization can still go through Xibo's database. As soon as httpd has authenticated a user, it can just pass the authenticated user name to xibo who will take care of all autorization matters, i.e group memberships etc. If a user successfully authenticates but is still no user within Xibo server, he will not get anything.
If needed I can give simple examples on auth-configs for that.
- Patric
--

@Alex H.
If User management is extended with an enable/disable user option, then a LDAP "no - this person isn't authenticated" could mean the user in the Xibo DB is disabled. Assets will be still available this way.

Group mappings could be used in two ways of combined:
1. If member of LDAP group X then authenticated

2. If member of LDAP group Y then member of Xibo group YY
- Dimitry S. (2College ICT)

--

Nov 2, 2011
I would be happy to just see password authentication done against LDAP, but keep XIBO information local. It would be more work than reaped benefit to try to put it all on LDAP.
DokuWiki has a good implementation.
  --Willichan

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.