[Mageia-sysadm] Users authentication on forums

Thomas Backlund tmb at iki.fi
Mon Apr 11 17:36:34 CEST 2011


nicolas vigier skrev 11.4.2011 15:39:
> Hello,
>
> For authentication on the forums, we are currently using ldap. The user
> sends his login and password to phpbb, which uses it to authenticate on
> ldap server. Because of this, someone with root access on the forums
> server can access the password of any user connecting to the forums. And
> because important passwords are transferred, the connection needs to be
> in SSL, so the *.mageia.org certificate also needs to be installed. So
> access to the server needs to be restricted to sysadmin team only, who
> also need to be able to check what is being done on forums, check it is
> secure, etc ... And I think this makes forums admins not happy.
>
> As we are using ldap for authentication only (not for groups or anything
> else), I think we could do authentication differently. Maybe we could
> set up a mageia OpenID server linked to the ldap server. Then on the
> forums use OpenID for authentication, when a user enters his login on
> the forums he is redirected to the mageia OpenID authentication page
> for the login entered. Then we can disable https on the forums, and
> forum admins can be root on the forums server. And passwords are better
> protected in case phpbb has a vulnerability.
>

One question...

Why would forum admins need to be root ?

Most things can be managed with specific user/group permissions on
needed files & dirs. Same goes for sql... just add db user with needed
permissions...


> Sysadmin team would manage openid server. And forum team would manage
> forums server.
>
> I've seen this project for phpbb3 openid authentication (I didn't check
> if there are others) :
> http://sourceforge.net/projects/phpbb-openid/
>
> Login form looks like this :
> http://sourceforge.net/dbimage.php?id=91989
> We would need to modify it to remove Username/Password. Replace "OpenID"
> with "Mageia login" and automatically use Mageia OpenID server with the
> login entered. So that each account on the forum is still linked to a
> Mageia account.
>
> What do you think ?
>
> _______________________________________________
> Mageia-sysadm mailing list
> Mageia-sysadm at mageia.org
> https://www.mageia.org/mailman/listinfo/mageia-sysadm
> .
>
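
An added example, not part of the original thread and not code from phpBB or any OpenID library: a simplified model of the redirect-based login proposed in the quoted message, in which the password is checked only on the sysadmin-managed server and the forum receives a signed assertion. The URLs, the account, the in-memory directory standing in for LDAP and the field layout are constructed assumptions, not the OpenID wire format.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode, parse_qsl

# Every name, URL and account here is constructed for illustration.
OP_ENDPOINT = "https://openid.example.org/auth"          # hypothetical OpenID server
ID_PREFIX = "https://openid.example.org/id/"             # hypothetical identifier base
RETURN_TO = "http://forums.example.org/openid/return"    # hypothetical forum callback
ASSOC_KEY = secrets.token_bytes(32)   # MAC key shared by server and forum (association)
SIGNED = ("claimed_id", "op_endpoint", "return_to", "nonce")
_SALT = secrets.token_bytes(16)

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

DIRECTORY = {"alice": _hash("correct horse")}   # stands in for the LDAP bind
_seen_nonces = set()

def _mac(fields):
    msg = "".join(f"{k}:{fields[k]}\n" for k in SIGNED).encode()
    return hmac.new(ASSOC_KEY, msg, hashlib.sha256).hexdigest()

def op_authenticate(login, password, return_to):
    """OpenID server side: the only place that ever handles the password."""
    stored = DIRECTORY.get(login)
    if stored is None or not hmac.compare_digest(stored, _hash(password)):
        return None
    fields = {"claimed_id": ID_PREFIX + login, "op_endpoint": OP_ENDPOINT,
              "return_to": return_to,
              "nonce": f"{int(time.time())}-{secrets.token_hex(8)}"}
    fields["sig"] = _mac(fields)
    return urlencode(fields)   # query string carried back by the browser redirect

def forum_verify(query, max_age=300):
    """Forum side: returns the login, or None if the assertion must be rejected."""
    f = dict(parse_qsl(query))
    if not all(k in f for k in SIGNED + ("sig",)):
        return None
    if not hmac.compare_digest(f["sig"], _mac(f)):
        return None                                # forged or modified in transit
    if f["op_endpoint"] != OP_ENDPOINT or f["return_to"] != RETURN_TO:
        return None                                # other provider or other site
    ts = f["nonce"].split("-", 1)[0]
    if not ts.isdigit() or time.time() - int(ts) > max_age:
        return None                                # stale assertion
    if f["nonce"] in _seen_nonces or not f["claimed_id"].startswith(ID_PREFIX):
        return None                                # replay or foreign identifier
    _seen_nonces.add(f["nonce"])
    return f["claimed_id"][len(ID_PREFIX):]
```

In this model, root on the forum server holds the MAC key and could forge a login to the forum itself, but never sees a password that is valid for other services.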


