[Mageia-sysadm] Users authentication on forums

nicolas vigier boklm at mars-attacks.org
Mon Apr 11 14:39:20 CEST 2011


Hello,

For authentication on the forums, we are currently using ldap. The user
sends his login and password to phpbb, which uses it to authenticate on
the ldap server. Because of this, someone with root access on the forums
server can access the password of any user connecting to the forums. And
because important passwords are transferred, the connection needs to be
in SSL, so the *.mageia.org certificate also needs to be installed. So
access to the server needs to be restricted to sysadmin team only, who
also need to be able to check what is being done on forums, check it is
secure, etc. And I think this makes forums admins not happy.

As we are using ldap for authentication only (not for groups or anything
else), I think we could do authentication differently. Maybe we could
set up a mageia OpenID server linked to the ldap server. Then on the
forums use OpenID for authentication: when a user enters his login on
the forums he is redirected to the mageia OpenID authentication page
for the login entered. Then we can disable https on the forums, and
forum admins can be root on the forums server. And passwords are better
protected in case phpbb has a vulnerability.

Sysadmin team would manage openid server. And forum team would manage
forums server.

I've seen this project for phpbb3 openid authentication (I didn't check
if there are others) :
http://sourceforge.net/projects/phpbb-openid/

Login form looks like this :
http://sourceforge.net/dbimage.php?id=91989
We would need to modify it to remove Username/Password. Replace "OpenID"
with "Mageia login" and automatically use Mageia OpenID server with the
login entered. So that each account on the forum is still linked to a
Mageia account.

What do you think ?
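
As an added illustration of the proposal in the message above (not part of the original message, and not code from phpBB or the phpbb-openid project): a relying-party check that derives the OpenID 2.0 identifier from the Mageia login and accepts a positive assertion only from one pinned provider. The endpoint URL, identifier prefix, login pattern and function names are assumptions.

```php
<?php
// Added example; every name and URL below is an assumption, not Mageia's setup.
const OP_ENDPOINT = 'https://openid.example.org/server'; // placeholder endpoint
const ID_PREFIX   = 'https://openid.example.org/id/';    // placeholder prefix

// Map the login typed on the forum to the only identifier the forum requests.
function claimed_id_for_login(string $login): ?string
{
    // The login becomes a URL path segment: allow a strict (assumed) pattern
    // only, so "/", "@", ":", "%" or dots cannot change the host or path.
    if (!preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $login)) {
        return null;
    }
    return ID_PREFIX . $login;
}

// Read one openid.* field. PHP rewrites the dots in query names to underscores.
function openid_field(array $params, string $name): string
{
    $value = $params['openid_' . $name] ?? '';
    return is_string($value) ? $value : '';
}

// Pre-checks on a positive assertion, run before the OpenID library verifies
// signature and nonce. Returns the login to bind the forum account to, or null.
function login_from_assertion(array $params, string $expected_login): ?string
{
    $expected = claimed_id_for_login($expected_login);
    if ($expected === null || openid_field($params, 'mode') !== 'id_res') {
        return null;
    }
    // Provider is pinned: assertions naming any other endpoint are rejected.
    if (!hash_equals(OP_ENDPOINT, openid_field($params, 'op_endpoint'))) {
        return null;
    }
    // The asserted identifier must be the one derived from the login entered.
    if (!hash_equals($expected, openid_field($params, 'claimed_id'))) {
        return null;
    }
    // Fields checked here must be covered by the signature verified later.
    $signed = explode(',', openid_field($params, 'signed'));
    foreach (['op_endpoint', 'claimed_id', 'identity', 'return_to', 'response_nonce'] as $f) {
        if (!in_array($f, $signed, true)) {
            return null;
        }
    }
    return $expected_login;
}
// Constructed sample: a rejected login and an accepted one.
var_dump(claimed_id_for_login('a/../admin'), claimed_id_for_login('alice'));
```

With https disabled on the forums as proposed, the password never reaches the forum server, but the forum session cookie and the assertion returned to it still travel in clear text.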


