I'd like to get some info and discussion going regarding the LDAP integration that's going into 2.2.
You generally have 2 categories of reasons why you have an LDAP userbase:
1) you have a small to medium userbase across a small number of machines using LDAP auth, such as a small ISP or small business.
2) you have a large userbase encompassing enterprise-level authentication.
Coming from the latter, I'd like to discuss how LDAP integration into 2.2 addresses concerns and issues that will be a deciding factor in using 2.2 in the enterprise. Anyone please feel free to add to or constructively criticize my comments.
Reality does dictate that LDAP authentication must be addressed slightly different when you have an enterprise situation with, say, 20,000 users. A good example is a university setting.
I don't know how else to say this so I'll blurt it out: LDAP support in v2.2 will be a disaster unless it is a) moderately customizable from a forum admin perspective, and b) allows for an active mixed-mode authentication.
A) Data integrity is of utmost importance. In our enterprise LDAP deployment, we have many custom scripts and programs that police and funnel changes to LDAP through very specific avenues. Users cannot just change values in LDAP without jumping through carefully constructed hoops (calling a help desk, contacting human resources, etc). phpbb needs to empower admins to forbid users from changing LDAP information. Hopefully, it will be an option to have phpbb will just allow LDAP as an authentication module and keep all other user data local to phpbb. LDAP users can automatically authenticate, but they will need to enter in all new account information that is relative only to the forums.
Not many people will want to use a forum if they lose anonymity, or better yet, lose the ability to define the limits of their own anonymity. Forum admins should be able to know a user's LDAP identity but the rest of the userbase should not.
B) phpbb should be able to allow both LDAP authentication and local account authentication at the same time, as an admin-definable setting. Sometimes we may want a "just internal use" forum (say, for internal work use), a "just external use" forum where we want everyone on the internet to access it, and a mixed-mode along the lines of "we want our LDAP users to use their LDAP auth for this forum, but we would like the outside world to partake as well". A good example of mixed-mode may be technical support forums at a large corporation, where employees have LDAP accounts but consumer end users who are coming for help are just regular internet users.
I'm sure these questions have crossed the developers' minds, but I haven't seen any open communication about it. I am really hoping that LDAP integration won't be just an on/off radio button. It can't be. Not if you are looking to appeal to anyone other than small-time groups that can afford such clearly-defined LDAP rules. phpbb has the golden opportunity to be one of the first open-source forum packages with a comprehensive LDAP auth module, and I'd hate to see the opportunity missed with a substandard attempt.
As you can see, this is something I've been looking forward to for a long time. We are not allowed to roll out new enterprise services unless they are ldap-enabled. Which means we don't roll out many new services because "going ldap" often is more complicated than just an on/off radio button. Large corporations, universities, places with 20,000+ LDAP users won't be interested in phpbb unless it can mesh with their LDAP schema and local policies really, really well.
So I'd like to get everyone's thoughts and comments on this. Thanks!
LDAP integration discussion
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Re: LDAP integration discussion
Well I don't know much about LDAP but I can tell you that the admin panel currently has the following options:
LDAP server name:
If using LDAP this is the name or IP address of the server.
LDAP base dn:
This is the Distinguished Name, locating the user information, e.g. o=My Company,c=US
LDAP uid:
This is the key under which to search for a given login identity, e.g. uid, sn, etc.
Just thought I'd post these for those who haven't seen the CVS
Images in sigs! please.
Re: LDAP integration discussion
That represents the basic minimum of information to have php talk to an LDAP directory server. Thank you for posting it here for the benefit of readers who aren't beta testing 2.2.
In my above post where I mention phpbb should not let users change ldap information, if all phpbb is using ldap for is auth then it should be an option to not let phpbb change users' passwords in ldap.
Re: LDAP integration discussion
Also, for the sake of different encryption schemes and security, it should be an option to not let phpbb email a user's password to them.
Re: LDAP integration discussion
phpBB can't e-mail a password to someone - it doesn't know it. It knows an md5() hash of it, which is very difficult to crack, without a lot of processing power. And if you click the "I forgot my password link", it comes up with and sends a new password to you, but requires that you activate it via your e-mail before it can be used.
Rob
Re: LDAP integration discussion
I think mondain means that in the email sent out upon registration, correct?
If so, the language files (? not sure if their location is changed in 2.2 ?) can be changed so that it doesn't email them their password.
Re: LDAP integration discussion
ChAoS wrote:
I think mondain means that in the email sent out upon registration, correct?
If so, the language files (? not sure if their location is changed in 2.2 ?) can be changed so that it doesn't email them their password.
That raises a good question: if you're using LDAP auth, do you check the auth before you allow a new registration or after?
I could definitely see it working as:
-user wants to register with forums, clicks "register"
-forums are in LDAP auth mode, so forum asks for LDAP credentials
-IF successful, allow user to create local forum profile using LDAP username/password login credentials
-IF fail, user is treated as external user and is allowed to create local profile including picking their own login/password
There is a greater security risk with large-scale LDAP deployments in emailing a user their password than what most companies employ (visiting the Help Desk, presenting credentials such as photo ID, etc). LDAP credentials should, by default, be considered a "bigger deal" than an anonymous Internet user because (almost inherently) that person's LDAP credentials "open more doors" and are more valuable on internal systems and can, potentially, do more damage.
Re: LDAP integration discussion
Apparently there is a limit on how often I can edit a reply 
What I meant to say at the end was:
If phpbb is going to allow emailing a user's LDAP credentials to them it better be an option to ONLY allow the email to be sent to an admin-defined attribute in LDAP. It's very common for LDAP entries to contain that person's official email address ("official822recipient" or whathaveyou). There is no reason at that point to allow the user to specify a destination for the email.
This is so much more critical than I think most people here would understand.
Hopefully now you developers are starting to understand that adding LDAP support is much more than "ok so it's just another external auth device".
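Added example, not code from this thread or from phpBB: a Python sketch of the behaviour argued for across the posts above, so it can run without a directory server. It covers the first post's point that LDAP should be an authentication source only while all other profile data stays local, the register-then-bind sequence from the "user wants to register" list (with one refinement: a login that exists in the directory but fails to bind is refused rather than becoming a local account that shadows the directory user), the admin-definable mixed-mode switch, and the rule that a password mail may go only to an admin-defined LDAP attribute. It also escapes the login name before it is placed in the search filter built from the "LDAP uid" setting, a step the thread does not mention. The in-memory directory, the config keys, and every function name are constructed stand-ins; real code would call the ldap_search/ldap_bind family instead of the lookup and bind helpers here.

```python
import hashlib
import hmac
import os

# Constructed sample directory standing in for the LDAP server (not a real
# server; a real deployment would ldap_search/ldap_bind against it instead).
DIRECTORY = {
    "uid=jdoe,ou=people,o=My Company,c=US": {
        "uid": "jdoe", "userPassword": "correct horse",
        "mail": "jdoe@example.com",   # the admin-chosen "official" address
    },
    "uid=asmith,ou=people,o=My Company,c=US": {
        "uid": "asmith", "userPassword": "s3cret",
        # no mail attribute: a reset mail for this user must be refused
    },
}

# Admin-definable settings: the three panel options quoted in the thread plus
# the two switches argued for above (names are hypothetical, not phpBB's).
CONFIG = {
    "ldap_enabled": True,
    "ldap_base_dn": "ou=people,o=My Company,c=US",
    "ldap_uid": "uid",
    "allow_local_accounts": True,   # mixed mode: LDAP and local side by side
    "ldap_mail_attr": "mail",       # the only place a reset mail may be sent
}


def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_login_filter(uid_attr, login):
    """The filter a real ldap_search would use, e.g. (uid=jdoe)."""
    return "(%s=%s)" % (uid_attr, escape_filter_value(login))


def ldap_lookup(directory, base_dn, uid_attr, login):
    """Stand-in for ldap_search under base_dn: returns (dn, entry) or (None, None)."""
    for dn, entry in directory.items():
        if dn.endswith("," + base_dn) and entry.get(uid_attr) == login:
            return dn, entry
    return None, None


def ldap_bind(directory, dn, password):
    """Stand-in for ldap_bind: the directory, not the forum, checks the password."""
    entry = directory.get(dn)
    return entry is not None and hmac.compare_digest(
        entry["userPassword"].encode(), password.encode())


def hash_local_password(password, salt=None):
    """Local accounts only: salted PBKDF2, stored as hex salt + '$' + hex digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_local_password(stored, password):
    salt_hex, _ = stored.split("$", 1)
    return hmac.compare_digest(stored, hash_local_password(password, bytes.fromhex(salt_hex)))


def register(config, directory, local_users, login, password, form_email):
    """Mixed-mode registration. Returns the new local profile or None if refused."""
    if login in local_users:
        return None
    if config["ldap_enabled"]:
        dn, entry = ldap_lookup(directory, config["ldap_base_dn"], config["ldap_uid"], login)
        if dn is not None:
            if not ldap_bind(directory, dn, password):
                return None  # known directory identity, bad password: no local shadow account
            # Forum keeps only forum-specific data: no password copy, and the
            # mail address comes from the admin-defined attribute, not the form.
            profile = {"auth_source": "ldap", "ldap_dn": dn, "password_hash": None,
                       "email": entry.get(config["ldap_mail_attr"])}
            local_users[login] = profile
            return profile
    if not config["allow_local_accounts"]:
        return None
    profile = {"auth_source": "local", "ldap_dn": None,
               "password_hash": hash_local_password(password), "email": form_email}
    local_users[login] = profile
    return profile


def authenticate(config, directory, local_users, login, password):
    """Login in mixed mode: LDAP users bind against the directory, local users
    against the stored hash. Returns the profile or None."""
    profile = local_users.get(login)
    if profile is None:
        return None
    if profile["auth_source"] == "ldap":
        ok = config["ldap_enabled"] and ldap_bind(directory, profile["ldap_dn"], password)
    else:
        ok = verify_local_password(profile["password_hash"], password)
    return profile if ok else None


def password_mail_destination(config, directory, profile, requested=None):
    """Where a password/reset mail may go. LDAP users: only the admin-defined
    attribute, never a user-supplied address; missing attribute means refuse."""
    if profile["auth_source"] == "ldap":
        return directory.get(profile["ldap_dn"], {}).get(config["ldap_mail_attr"])
    return requested or profile["email"]
```

Two design choices are worth spelling out. The forum-side profile for an LDAP user stores the DN (for admins) and no password at all, so nothing the forum does can alter or leak the directory credential, which is the "auth only, everything else local" split asked for in the first post. And because the LDAP user's mail address is read from the directory at send time rather than from the profile or the request, the reset mail cannot be redirected by editing a forum field; when the attribute is absent the function returns None and the caller should refuse to send rather than fall back to user input.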
Re: LDAP integration discussion
In which case we'll provide the framework and those who need to use it can modify the code as they may require. Because spending significant amounts of time on limiting and controlling what can and cannot be done with LDAP is well down our priority list.
Re: LDAP integration discussion
Wouldn't LDAP be easier implemented as follows:
- User registers at board
- User enters groups and picks "LDAP Users" (if LDAP is enabled)
- User enters LDAP details and is added to that group
- User gains all permission of the LDAP group as defined by the admin
To go with that if groups allow automatic entry and 'requires authorisation from moderator' entry it could allow larger control.
Images in sigs! please.