From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-sysadm/2011-April/003328.html | 103 +++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 zarb-ml/mageia-sysadm/2011-April/003328.html (limited to 'zarb-ml/mageia-sysadm/2011-April/003328.html') diff --git a/zarb-ml/mageia-sysadm/2011-April/003328.html b/zarb-ml/mageia-sysadm/2011-April/003328.html new file mode 100644 index 000000000..f4e180c61 --- /dev/null +++ b/zarb-ml/mageia-sysadm/2011-April/003328.html @@ -0,0 +1,103 @@ + + + + [Mageia-sysadm] Users authentication on forums + + + + + + + + + +

[Mageia-sysadm] Users authentication on forums

+ nicolas vigier + boklm at mars-attacks.org +
+ Mon Apr 11 14:39:20 CEST 2011 +

+
+ +
Hello,
+
+For authentication on the forums, we are currently using ldap. The user
+sends his login and passwords to phpbb which use it to authenticate on
+ldap server. Because of this, someone with root access on the forums
+server can access password of any user connecting to the forums. And
+because important passwords are transfered, the connection needs to be
+in SSL, so the *.mageia.org certificate also needs to be installed. So
+access to the server needs to be restricted to sysadmin team only, who
+also need to be able to check what is being done on forums, check it is
+secure, etc ... And I think this makes forums admins not happy.
+
+As we are using ldap for authentication only (not for groups or anything
+else), I think we could do authentication differently. Maybe we could
+setup a mageia OpenID server linked to the ldap server. Then on the
+forums use OpenID for authentication, when a user enter his login on
+the forums he is redirected to the mageia OpenID authentication page
+for the login entered. Then we can disable https on the forums, and
+forum admins can be root on the forums server. And passwords are better
+protected in case phpbb has a vulnerability.
+
+Sysadmin team would manage openid server. And forum team would manage
+forums server.
+
+I've seen this project for phpbb3 openid authentication (I didn't check
+if there are others) :
+http://sourceforge.net/projects/phpbb-openid/
+
+Login form looks like this :
+http://sourceforge.net/dbimage.php?id=91989
+We would need to modify it to remove Username/Password. Replace "OpenID"
+with "Mageia login" and automatically use Mageia OpenID server with the
+login entered. So that each account on the forum is still linked to a
+Mageia account.
+
+What do you think ?
+
+
+ + + + + + + + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1
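Review bot: The commit message is only the subject line "Add zarb MLs html archives" and gives no source or export method for the new 103-line zarb-ml/mageia-sysadm/2011-April/003328.html, so a reader cannot check that the archived page is an unmodified copy of the list archive. Suggest adding a message body that names the archive the file was taken from and how it was generated. In the header block of the added page, the poster's address is kept in the "boklm at mars-attacks.org" form, which is trivially reversible; confirm that committing it to the repository matches how the list archive was already published.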