Thread: [openupload-devel] Chained authentication ?
From: <wal...@no...> - 2011-04-19 17:31:02
Hi,
I'd like to set up the following authentication scheme:
1) First, the user is authenticated against the openupload internal
authentication database
2) If the user does not exist in the database, then the user is
authenticated against an LDAP server.
This would be useful if:
1) some users (who do not belong to the company) are not present in the
LDAP directory (and for whatever reason we do not want to put them into
the directory)
2) the corporate users exist in the LDAP directory.
I've been thinking of the following implementation:
1) create a new class called 'chainedAuth' extending AuthBase
2) this class will hold references to an instance of defaultAuth (dA) and
to an instance of ldapAuth (lA)
3) calls to AuthBase functions will be forwarded to dA and/or lA
for example:
function authenticate($user,$pwd) {
    // try the internal database first, fall back to the LDAP directory
    if (!$this->dA->authenticate($user,$pwd))
        return $this->lA->authenticate($user,$pwd);
    else
        return true;
}
I'm not sure about how all AuthBase functions should be implemented
(userdel() should probably be forwarded to dA only, userInfo() to both dA
and lA, ...)
Well, I'll investigate further and any idea or suggestion is welcomed.
Regards, W.
From: <wal...@no...> - 2011-04-20 07:52:53
Attachments:
chained.inc.php
This seems to be working (at least for authentication): a user can
connect either using an internal account or using an LDAP directory entry.
(class file is lib/modules/auth/chained.inc.php, put
$CONFIG['auth']='chained' in config.inc.php, adjust ldap settings)
<?php
class chainedAuth extends authBase {
    var $authD='' ;      // default (internal) authentication
    var $authL='' ;      // ldap authentication
    var $internal=true;  // set by authenticate(): which backend accepted the user
    function chainedAuth() {
        require_once(app()->config['INSTALL_ROOT'].'/lib/modules/auth/default.inc.php');
        require_once(app()->config['INSTALL_ROOT'].'/lib/modules/auth/ldap.inc.php');
        $this->authD= new defaultAuth();
        $this->authL= new ldapAuth();
        $this->features = array('useradmin' => 'yes', 'groupadmin' => 'yes');
    }
    function init() {
        $this->authL->init();
        $this->authD->init();
    }
    function authenticate($user,$pwd) {
        if (!$this->authD->authenticate($user,$pwd)) {
            $this->internal=false;
            $res= $this->authL->authenticate($user,$pwd);
            return $res;
        } else {
            $this->internal=true;
            return true;
        }
    }
    function userinfo($login) {
        // I'm not sure if userinfo is called upon the logged-in user
        // if yes the code below is correct
        // if not, it should be modified (search $login in internal database;
        // if present retrieve info from database, otherwise fetch info from ldap
        // directory)
        if ($this->internal) {
            $r = $this->authD->userinfo($login);
        } else {
            $r= $this->authL->userinfo($login);
        }
        return $r;
    }
    function groupinfo($group = '') {
        if ($this->internal) $r = $this->authD->groupinfo($group);
        else $r=$this->authL->groupinfo($group);
        return $r;
    }
    // user/group administration only exists in defaultAuth
    function users() { return $this->authD->users(); }
    function useradd($user) { $this->authD->useradd($user); }
    function useredit($user) {
        $this->authD->useredit($user);
    }
    function userdel($id) {
        $this->authD->userdel($id);
    }
    function groupadd($group) {
        $this->authD->groupadd($group);
    }
    function groupedit($group) {
        $this->authD->groupedit($group);
    }
    function groupdel($id) {
        $this->authD->groupdel($id);   // delegate to groupdel, not groupedit
    }
}
?>
Feel free to reuse and improve (some functions may be incorrect, groupinfo
for example: I'm not sure).
Regards, W.
From: Alessandro B. <ts...@br...> - 2011-04-20 17:37:53
On Wed, 20 Apr 2011 09:52:45 +0200 (CEST), wal...@no... wrote:
> This seems to be working (at least for authentication) : a user can
> connect either using an internal account or using a ldap directory
> entry.
>
Great, I also thought about this option.

Yes it should work, but the trouble here could be to find out about the
groups or other info.
(the $this->internal is not kept between requests which could lead to
some trouble in the next requests)

Imho, you should save in the user info (session) where you retrieved
the authentication from, and then use this value instead of the $this->internal.

my 2 cents.
Alessandro
From: <wal...@no...> - 2011-04-20 18:27:53
Attachments:
chained.inc.php
Thanks Alessandro.
For those interested, please find below the new source code version, which
takes into account Alessandro's remarks.
For userinfo(): I'm using either defaultAuth or ldapAuth according to the
authentication scheme.
For groupinfo(): I'm calling first defaultAuth::groupinfo() and then, if the
result is empty, I'm calling ldapAuth::groupinfo().
All other functions (useredit, ...) are only implemented in defaultAuth
and hence are delegated to that class.
I'll have more time next week to carry out more tests and I'll report here.
There remains one problem though: it is possible to edit an LDAP user,
even if modifications are not saved. I did not find a way to prevent this
(I had to enable user modifications for internal users).
Regards,
W
<?php
class chainedAuth extends authBase {
    var $authD='' ; // default (internal) authentication
    var $authL='' ; // ldap authentication
    function chainedAuth() {
        require_once(app()->config['INSTALL_ROOT'].'/lib/modules/auth/default.inc.php');
        require_once(app()->config['INSTALL_ROOT'].'/lib/modules/auth/ldap.inc.php');
        $this->authD= new defaultAuth();
        $this->authL= new ldapAuth();
        $this->features = array('useradmin' => 'yes', 'groupadmin' => 'yes');
        $this->userfields =
            array('login','password','name','group_name','email','lang','reg_date','regid','active');
    }
    function init() {
        $this->authL->init();
        $this->authD->init();
    }
    function authenticate($user,$pwd) {
        // remember in the session which backend accepted the user,
        // so that later requests can route userinfo() correctly
        if (!$this->authD->authenticate($user,$pwd)) {
            $_SESSION['user']['internalauth']=false;
            $res= $this->authL->authenticate($user,$pwd);
            return $res;
        } else {
            $_SESSION['user']['internalauth']=true;
            return true;
        }
    }
    function userinfo($login) {
        if ($_SESSION['user']['internalauth']) $r = $this->authD->userinfo($login);
        else $r= $this->authL->userinfo($login);
        return $r;
    }
    function groupinfo($group = '') {
        $r = $this->authD->groupinfo($group);
        if (empty($r)) $r=$this->authL->groupinfo($group);
        return $r;
    }
    // functions below are only implemented in defaultAuth
    // hence they are delegated to authD (default authenticator)
    function users() { return $this->authD->users(); }
    function useradd($user) { $this->authD->useradd($user); }
    function useredit($user) {
        // check if $user is internal as we do not edit
        // users in ldap directory.
        // the check is not very useful because the form calling this function
        // displays the new values even if they are not applied here
        $users=$this->users(); // retrieve internal users
        foreach ($users as $u) {
            if (strcmp($u['login'],$user['login'])==0) {
                $this->authD->useredit($user);
                break;
            }
        }
    }
    function userdel($id) {
        $this->authD->userdel($id);
    }
    function groupadd($group) {
        $this->authD->groupadd($group);
    }
    function groupedit($group) {
        $this->authD->groupedit($group);
    }
    function groupdel($id) {
        $this->authD->groupdel($id);   // delegate to groupdel, not groupedit
    }
}
?>
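An added example (not openupload's code and not from this thread's posters) of the two points the thread raises: the fallback to LDAP fires only when the internal database has no such login, so a wrong password for an internal account is never retried against a same-named LDAP entry, and the accepting backend is stored in the session as Alessandro suggested. It assumes PHP 8; StubInternalAuth, StubLdapAuth, the AuthBackend interface and the $session array are constructed stand-ins for defaultAuth, ldapAuth and $_SESSION.

```php
<?php
// Added example, not openupload's code: fall through to LDAP only when the
// internal backend has no such login, and record the accepting backend in
// the session. Both backends are constructed stand-ins for defaultAuth/ldapAuth.
interface AuthBackend {
    public function hasUser(string $login): bool;
    public function authenticate(string $login, string $pwd): bool;
}
// Stand-in for defaultAuth: logins mapped to password hashes.
class StubInternalAuth implements AuthBackend {
    private array $hashes = [];
    public function __construct(array $users) {
        foreach ($users as $login => $pwd)
            $this->hashes[$login] = password_hash($pwd, PASSWORD_DEFAULT);
    }
    public function hasUser(string $login): bool { return isset($this->hashes[$login]); }
    public function authenticate(string $login, string $pwd): bool {
        return $this->hasUser($login) && password_verify($pwd, $this->hashes[$login]);
    }
}
// Stand-in for ldapAuth; a real one would ldap_bind() as the user's DN.
class StubLdapAuth implements AuthBackend {
    public function __construct(private array $users) {}
    public function hasUser(string $login): bool { return isset($this->users[$login]); }
    public function authenticate(string $login, string $pwd): bool {
        return $this->hasUser($login) && hash_equals($this->users[$login], $pwd);
    }
}
class ChainedAuth {
    public function __construct(private AuthBackend $internal, private AuthBackend $ldap) {}
    // Returns 'internal', 'ldap' or null; $session stands in for $_SESSION.
    public function authenticate(string $login, string $pwd, array &$session): ?string {
        unset($session['user']['authsource']);
        if ($this->internal->hasUser($login)) {
            // An internal account exists, so its password alone decides: retrying
            // LDAP on a wrong password would let a same-named LDAP entry shadow it.
            if (!$this->internal->authenticate($login, $pwd)) return null;
            $src = 'internal';
        } elseif ($this->ldap->authenticate($login, $pwd)) {
            $src = 'ldap';
        } else {
            return null;
        }
        $session['user']['authsource'] = $src; // read by userinfo() on later requests
        return $src;
    }
}
$session = [];
$auth = new ChainedAuth(new StubInternalAuth(['guest' => 'guest-pw']), new StubLdapAuth(['alice' => 'alice-pw', 'guest' => 'ldap-pw']));
var_dump($auth->authenticate('guest', 'ldap-pw', $session));
var_dump($auth->authenticate('alice', 'alice-pw', $session), $session['user']['authsource']);
```

The first call returns null because 'guest' is an internal account and 'ldap-pw' is not its password; the second returns 'ldap' and leaves that value in the session for later requests.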