From: James E. F. <jf...@uv...> - 2004-02-08 23:03:41
James E. Flemer wrote:
> Matthew Gregg wrote:
>
>> Also, I've had a feature request tagged to me for a while to implement
>> LDAP respondent accounts. I have this implemented in a way that works
>> for us (MUSC), but it's done in a way that would allow for other
>> authentication methods to easily be used. Instead of extending the
>> account/authentication functionality inside ESP, I chose to implement
>> the concept of a "valid URI" that a survey can be called from. Then
>> from Apache you can use any authentication method it supports (which is
>> huge) to limit access to the Survey.
>>
>> For example:
>> - The directory .../phpESP/public/access-ldap/ exists
>>
>> - The valid URI for a survey is access-ldap
>>
>> - Apache is configured as:
>> <Location /access-ldap/>
>> AuthName "(LDAP ID and Password)"
>> AuthType Basic
>> AuthLDAP "some ldap config here"
>> require valid-user
>> </Location>
>>
>> - The survey is activated.
>>
>> - It is accessed by the normal "/public/survey.php?name=blah" URL and
>> access is denied.
>>
>> - It is accessed by the "secured" URL
>> "/public/access-ldap/survey.php?name=blah", a "Basic Auth" login is
>> prompted by Apache. If the user has a valid account, they can access
>> the survey.
>>
>> Do you guys like this approach? Hope I managed to explain it well
>> enough. If so, I'll clean it up and send out a patch against CVS
>> for testing. If not, I'll keep it as a local extension. I'll take no
>> response as a "go ahead and do it" (-:
>
> Well, the easiest way to do this would be to add a new auth module for
> phpESP, "auth_apache". That way anyone using the phpesp user db won't
> have to migrate, but anyone who wants to can plug in any apache auth
> module and be ready to go. I imagine the "auth_apache" plugin would be
> pretty simple (for respondents).
>
> Perhaps the phpESP auth plugin stuff needs to be split into respondent /
> designer though. So that something like auth_respondent=apache_auth,
> auth_designer=phpesp would be possible. What do you think?

Having thought about this a little more, I think phpESP needs a bit more of an AAA solution. Well, maybe we can ignore the third "A" (accounting) for now, and just focus on authentication (authN) and authorization (authZ). I think that we should try to use PEAR::Auth for authN, possibly adding to that project to have an Apache pseudo-"storage container". Then we need a simple but flexible authZ system. Right now authN and authZ are all rolled up into one, which makes it difficult to leverage existing authN systems. With separate "modules" one could easily get authN with ldap/apache/etc, but use (a subset of) the existing phpesp database for authZ, or write a new authZ module. Or maybe we should make a PEAR::AuthZ module that is designed around PEAR::Auth.

Comments?

-James
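As an added example (not code from this thread or from phpESP), here is one way the authN/authZ split discussed above could look in PHP, assuming phpESP is served under /public and that Apache sets REMOTE_USER once a request has passed the `<Location>` login; the class names and the `valid_uri` survey field are hypothetical.

```php
<?php
// Added illustration (not phpESP's own code) of the authN/authZ split proposed
// in the thread. Module and field names (AuthNModule, ApacheAuthN, PhpEspAuthN,
// SurveyAuthZ, valid_uri) are hypothetical; REMOTE_USER is the variable Apache
// sets once a request has passed the <Location> authentication.

interface AuthNModule {
    /** Return the authenticated username, or null if nobody is authenticated. */
    public function identify(array $server): ?string;
}

/** auth_apache: trust the identity Apache has already established. */
final class ApacheAuthN implements AuthNModule {
    public function identify(array $server): ?string {
        $user = $server['REMOTE_USER'] ?? '';
        return $user === '' ? null : $user;
    }
}

/** auth_phpesp: verify Basic-auth credentials against phpESP's own user table. */
final class PhpEspAuthN implements AuthNModule {
    public function __construct(private array $users) {}  // name => password hash
    public function identify(array $server): ?string {
        $u = $server['PHP_AUTH_USER'] ?? '';
        $hash = $this->users[$u] ?? null;
        $ok = $hash !== null && password_verify($server['PHP_AUTH_PW'] ?? '', $hash);
        return $ok ? $u : null;
    }
}

/** authZ: a survey may only be served from the directory named by its valid URI. */
final class SurveyAuthZ {
    public function allowed(array $survey, array $server, ?string $user): bool {
        if ($user === null || !$survey['active']) {
            return false;
        }
        // Apache's auth covers /public/<valid_uri>/; any other path bypassed it.
        $dir = rtrim(dirname($server['SCRIPT_NAME'] ?? ''), '/');
        return $dir === '/public/' . $survey['valid_uri'];
    }
}

// Constructed requests: one via the secured URL (Apache set REMOTE_USER),
// one via the normal URL, which never went through the LDAP <Location>.
$survey  = ['name' => 'blah', 'valid_uri' => 'access-ldap', 'active' => true];
$secured = ['SCRIPT_NAME' => '/public/access-ldap/survey.php', 'REMOTE_USER' => 'alice'];
$plain   = ['SCRIPT_NAME' => '/public/survey.php'];

$authn = new ApacheAuthN();
$authz = new SurveyAuthZ();
var_dump($authz->allowed($survey, $secured, $authn->identify($secured)));
var_dump($authz->allowed($survey, $plain, $authn->identify($plain)));
```

The path check is only as strong as the Apache configuration behind it: the `<Location>` block must protect exactly the directory named by the survey's valid URI, otherwise REMOTE_USER can be present without any login having happened for that survey.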