zarb-ml/mageia-sysadm/2011-April/003332.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-sysadm] Users authentication on forums
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C4DA32002.5050301%40iki.fi%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="003331.html">
   <LINK REL="Next"  HREF="003372.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-sysadm] Users authentication on forums</H1>
    <B>Thomas Backlund</B> 
    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C4DA32002.5050301%40iki.fi%3E"
       TITLE="[Mageia-sysadm] Users authentication on forums">tmb at iki.fi
       </A><BR>
    <I>Mon Apr 11 17:36:34 CEST 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="003331.html">[Mageia-sysadm] Users authentication on forums
</A></li>
        <LI>Next message: <A HREF="003372.html">[Mageia-sysadm] Users authentication on forums
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#3332">[ date ]</a>
              <a href="thread.html#3332">[ thread ]</a>
              <a href="subject.html#3332">[ subject ]</a>
              <a href="author.html#3332">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>nicolas vigier skrev 11.4.2011 15:39:
&gt;<i> Hello,
</I>&gt;<i>
</I>&gt;<i> For authentication on the forums, we are currently using ldap. The user
</I>&gt;<i> sends his login and passwords to phpbb which use it to authenticate on
</I>&gt;<i> ldap server. Because of this, someone with root access on the forums
</I>&gt;<i> server can access password of any user connecting to the forums. And
</I>&gt;<i> because important passwords are transfered, the connection needs to be
</I>&gt;<i> in SSL, so the *.mageia.org certificate also needs to be installed. So
</I>&gt;<i> access to the server needs to be restricted to sysadmin team only, who
</I>&gt;<i> also need to be able to check what is being done on forums, check it is
</I>&gt;<i> secure, etc ... And I think this makes forums admins not happy.
</I>&gt;<i>
</I>&gt;<i> As we are using ldap for authentication only (not for groups or anything
</I>&gt;<i> else), I think we could do authentication differently. Maybe we could
</I>&gt;<i> setup a mageia OpenID server linked to the ldap server. Then on the
</I>&gt;<i> forums use OpenID for authentication, when a user enter his login on
</I>&gt;<i> the forums he is redirected to the mageia OpenID authentication page
</I>&gt;<i> for the login entered. Then we can disable https on the forums, and
</I>&gt;<i> forum admins can be root on the forums server. And passwords are better
</I>&gt;<i> protected in case phpbb has a vulnerability.
</I>&gt;<i>
</I>
One question...

Why would forum admins need to be root ?

Most things can be managed with specific user/group permissions on 
needed files &amp; dirs. same goes for sql... just add db user with needed 
permissions...


&gt;<i> Sysadmin team would manage openid server. And forum team would manage
</I>&gt;<i> forums server.
</I>&gt;<i>
</I>&gt;<i> I've seen this project for phpbb3 openid authentication (I didn't check
</I>&gt;<i> if there are others) :
</I>&gt;<i> <A HREF="http://sourceforge.net/projects/phpbb-openid/">http://sourceforge.net/projects/phpbb-openid/</A>
</I>&gt;<i>
</I>&gt;<i> Login form looks like this :
</I>&gt;<i> <A HREF="http://sourceforge.net/dbimage.php?id=91989">http://sourceforge.net/dbimage.php?id=91989</A>
</I>&gt;<i> We would need to modify it to remove Username/Password. Replace &quot;OpenID&quot;
</I>&gt;<i> with &quot;Mageia login&quot; and automatically use Mageia OpenID server with the
</I>&gt;<i> login entered. So that each account on the forum is still linked to a
</I>&gt;<i> Mageia account.
</I>&gt;<i>
</I>&gt;<i> What do you think ?
</I>&gt;<i>
</I>&gt;<i> _______________________________________________
</I>&gt;<i> Mageia-sysadm mailing list
</I>&gt;<i> <A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">Mageia-sysadm at mageia.org</A>
</I>&gt;<i> <A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">https://www.mageia.org/mailman/listinfo/mageia-sysadm</A>
</I>&gt;<i> .
</I>&gt;<i>
</I>
</PRE>


<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="003331.html">[Mageia-sysadm] Users authentication on forums
</A></li>
	<LI>Next message: <A HREF="003372.html">[Mageia-sysadm] Users authentication on forums
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#3332">[ date ]</a>
              <a href="thread.html#3332">[ thread ]</a>
              <a href="subject.html#3332">[ subject ]</a>
              <a href="author.html#3332">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
mailing list</a><br>
</body></html>