
[Freedombox-discuss] LDAP



On Fri, 2013-12-27 at 19:08 -0600, Nick Daly wrote:
> Bdale Garbee <bdale at gag.com> writes:
> 
> > Jonas Smedegaard <dr at jones.dk> writes:
> >
> >> Ok.  Makes good sense to mandate use of shared auth mechanism.  Not 
> >> convinced LDAP is the ideal for that, though.
> >
> > ...Clearly not critical path, but this is another possible task for
> > someone out there reading who would like a modest project that could
> > help us out in the long term.
> >
> > What I think we can effectively use LDAP for is to manage the information
> > associated with identities.  Users, what access rights they should have,
> > etc, in an application-neutral way that we can potentially wrap some
> > plinth UI goodness around eventually.
> 
> It should also be possible to use these sorts of ACLs to create
> application-specific data-stores (among other things, to keep
> applications from snooping on one another's data).  Keeping data
> separated is a related, but different, issue from the problem of
> separating processes ("the LXC/VM issue").
> 
> So, does anybody know any good LDAP-enabled services we can use?  I
> tried to move a wiki service into Plinth (ikiwiki, via [0]), but
> immediately ran into the problem that ikiwiki knows nothing about
> authentication mechanisms other than its own.  I'm checking on the
> ikiwiki IRC channel and their forums, but very few wiki services (other
> than MediaWiki, which feels like overkill) are aware of LDAP.
> 
> Time to do a lot of LDAP (or Kerberos, or...) learning.

Do yourself a favor: nix their auth system and use Apache modules.
MediaWiki has a module to understand REMOTE_USER, so should other
services like that. Once you find one that understands REMOTE_USER you
can defer authentication completely to Apache and not have to
learn/implement/tweak each single service in a different way.

Simo.
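
The application side of the REMOTE_USER approach described in this reply, as an added example that is not part of the original message or of any FreedomBox/Plinth code: a Python WSGI app that takes the identity only from the REMOTE_USER variable set by the web server and fails closed when it is absent. The function names and sample users are constructed for illustration.

```python
# Added example (hypothetical names): a WSGI app that defers authentication
# to the front-end web server by reading REMOTE_USER.
from wsgiref.util import setup_testing_defaults


def remote_user(environ):
    """Return the server-authenticated user, or None.

    Only the CGI/WSGI variable REMOTE_USER is trusted: the server sets it
    after its own auth module (for example an LDAP-backed one) succeeds.
    Request headers arrive as HTTP_* keys, so a client-sent "Remote-User:"
    header shows up as HTTP_REMOTE_USER and is never treated as an identity.
    """
    user = environ.get("REMOTE_USER", "")
    return user.strip() or None


def app(environ, start_response):
    user = remote_user(environ)
    if user is None:
        # Fail closed: reaching the app without REMOTE_USER means the
        # server-side auth was not applied to this path.
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello, %s\n" % user).encode("utf-8")]


def call(extra_environ):
    """Invoke app() with a constructed environ; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)  # fills in a valid baseline request
    environ.update(extra_environ)
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    # Constructed inputs: one server-set identity, one spoofed header.
    print(call({"REMOTE_USER": "alice"}))
    print(call({"HTTP_REMOTE_USER": "admin"}))
```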



