[haiku-depot-web] Re: User Authentication

  • From: Andrew Lindesay <apl@xxxxxxxxxxxxxx>
  • To: haiku-depot-web@xxxxxxxxxxxxx
  • Date: Fri, 05 Sep 2014 07:24:14 +1200

Hello Oliver;

> I may be wrong, but I think that LDAP alone will just work as a storage
> backend for the users and their passwords, but it won't provide
> single-sign-on. As a result, one would still have to login to every haiku
> site.

You are quite right; LDAP alone won't provide single-sign-on. The suggestion now is to do this in two chunks of work to break it up. First, deploy HDS writing to and authenticating against LDAP directly without OpenID. The second phase would then involve introducing OpenID (e.g. Richard's suggestion of Crowd or another server) backed by the same LDAP server and authenticating for HDS.

> And of course openLDAP doesn't have a decent interface, so the
> administrative management of the users would require another tool. If
> someone can recommend a decent LDAP frontend, please share ...

I downloaded this [1] and it has an SWT administration console called "Apache Directory Studio", but I haven't actually had the time to try it out just yet.

> P.S.: I believe migrating authentication data to LDAP should be quite
> simple (using a perl or python script), provided that the password storage
> format is compatible. Andrew: which format is used for storing the
> passwords in the haikudepotserver-DB?

Yes, I can imagine that we can make an LDIF of current data, but since there are few people involved (~20), they could be asked to change their password and allow that to trickle through to the LDAP server.

The passwords are stored in the HDS database as SHA1 hashes of a stored salt + password.

[1] http://directory.apache.org/

cheers.

--
Andrew Lindesay
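An added example (my code, not code from this thread, from haikudepotserver or from OpenLDAP) showing why the "ask everyone to reset their password" route is the one that works: the HDS scheme described above is SHA1(salt + password), while OpenLDAP's standard {SSHA} userPassword scheme is base64(SHA1(password + salt) || salt). The digest orders differ, so an existing HDS hash cannot be re-encoded into {SSHA} without the cleartext password; a fresh {SSHA} value can only be minted at reset time. The UTF-8 encoding, hex digest form, base DN, object classes and sample rows are assumptions for the example.

```python
import base64
import hashlib
import secrets

# Assumed HDS scheme, as described in the message: SHA1 over (salt + password).
# UTF-8 encoding and a hex digest are assumptions for this example.
def hds_hash(salt: str, password: str) -> str:
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()

def hds_verify(stored_hex: str, salt: str, password: str) -> bool:
    return secrets.compare_digest(hds_hash(salt, password), stored_hex)

# OpenLDAP's standard {SSHA} userPassword scheme:
#   "{SSHA}" + base64( SHA1(password + salt) || salt )
# Note the order: password first, then salt, the reverse of the HDS scheme.
def ssha_encode(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(stored: str, password: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA1 digests are 20 bytes
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(expected, digest)

def naive_reencode(hds_hex: str, salt: str) -> str:
    """Wrap an existing HDS digest in {SSHA} without knowing the password.
    The result is syntactically valid but never verifies, because the server
    recomputes SHA1(password + salt), not SHA1(salt + password)."""
    digest = bytes.fromhex(hds_hex)
    return "{SSHA}" + base64.b64encode(digest + salt.encode("utf-8")).decode("ascii")

def ldif_entry(uid: str, password: str,
               base_dn: str = "ou=people,dc=example,dc=org") -> str:
    """Build an LDIF entry for a user who has just chosen a new password.
    The base DN and object classes are assumptions, not HDS/Haiku values."""
    salt = secrets.token_bytes(8)
    return "\n".join([
        f"dn: uid={uid},{base_dn}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"userPassword: {ssha_encode(password, salt)}",
        "",
    ])

def password_from_ldif(entry: str) -> str:
    """Pull the userPassword attribute back out of an LDIF entry."""
    for line in entry.splitlines():
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    raise ValueError("no userPassword attribute")

# Constructed sample row in the HDS shape (salt, stored hash); not real data.
SAMPLE_HDS_ROWS = {
    "alice": ("n1x4", hds_hash("n1x4", "correct horse")),
}

if __name__ == "__main__":
    salt, stored = SAMPLE_HDS_ROWS["alice"]
    print("HDS verify:", hds_verify(stored, salt, "correct horse"))
    print("naive re-encode verifies:",
          ssha_verify(naive_reencode(stored, salt), "correct horse"))
    entry = ldif_entry("alice", "correct horse")
    print(entry)
    print("fresh {SSHA} verifies:",
          ssha_verify(password_from_ldif(entry), "correct horse"))
```

Running it prints `True`, then `False` for the naively re-encoded value, then the generated LDIF and `True` for the freshly minted {SSHA}. Since the reset forces every user through a new password anyway, it is also the natural moment to move to a scheme with a work factor; salted SHA1, in either byte order, has none.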
