LDAP integration discussion
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Re: LDAP integration discussion
erm no, because it's not a per user or "upon registration do this, upon X group do that" thing ... this is an auth backend setup.
Re: LDAP integration discussion
*sighs* Haravikk! You should know that!

Won't all these authentication options for LDAP be available from the LDAP configuration panel?
Rob
Re: LDAP integration discussion
I'm currently using a board that is private for a college that uses LDAP globally to authenticate users and email service.
Is LDAP used as a means to authenticate the registration or does the LDAP database username become the board username?
Also any time for the release? Groups is a bit buggy.
Re: LDAP integration discussion
no release date nor general release 
i love valentino rossi = it COOOL
Re: LDAP integration discussion
Some of you suggested a mixed LDAP/phpBB registration.
This goes directly against the idea of LDAP. Why have a centralized DB with user accounts if you allow someone to create new accounts which potentially circumvents LDAP?
Either one or the other, but not both should be used. Security in large scale settings is of the utmost importance.
There might be some strange situations where a phpBB account AND an LDAP account creation is needed, but I suggest phpBB stay away from it.
It creates a security problem, and more importantly, it creates a nightmare of coding. Login would take as long as... say Win2K! Who could survive that!
With allowing only a single authentication method, i.e. phpBB XOR LDAP, the future is bright for having someone(s) create other authentication sources (plug-ins/MODs, replacements, whatever you want to call it), such as Kerberos, SSH, TACACS+, various firewalls, etc. ad infinitum...
In all these cases I would be hard pressed, if I had the job of monitoring security, to allow multiple sources for authentication.
Libertate
P i s c e s _ M o r t u i s _ S o l i s _ Q u a e _ N a t a n t _ C u m _ F l u c t u m
Re: LDAP integration discussion
profile data is always stored on phpBB, not on the LDAP server... or do you mean that some users would be authenticated via LDAP and others via phpBB?
Well, it could be a profile option, so phpBB would check to see which authentication method to use for that user...
Rob
Re: LDAP integration discussion
No, it won't be in the vanilla code as I've already stated.
Re: LDAP integration discussion
No, only because that circumvents the idea of having a central username/pw in LDAP for auth. Now a user would have to know 2 accounts and 2 passwords just to get the required access.
haravikk wrote: Wouldn't LDAP be easier implemented as follows:
- User registers at board
- User enters groups and picks "LDAP Users" (if LDAP is enabled)
- User enters LDAP details and is added to that group
- User gains all permission of the LDAP group as defined by the admin
To go with that if groups allow automatic entry and 'requires authorisation from moderator' entry it could allow larger control.
Re: LDAP integration discussion
I understand completely. I did not know you would be providing a framework we could extend should we want to modify LDAP support.
psoTFX wrote: In which case we'll provide the framework and those who need to use it can modify the code as they may require. Because spending significant amounts of time on limiting and controlling what can and cannot be done with LDAP is well down our priority list.
Re: LDAP integration discussion
It can easily go either way, programmatically. I would rather it be an option, say to "specify an LDAP attribute that will be read as a user's displayed username" or "let the user pick their own username, but they still need their LDAP credentials to log in."
Juxtaman wrote: Is LDAP used as a means to authenticate the registration or does the LDAP database username become the board username?