SilverStripe Forums Archive: LDAP support for Silverstripe

Our old forums are still available as a read-only archive.

  • Tim
    Core Development Team
    201 Posts

    Re: LDAP support for Silverstripe

    Hi Lancer,

    We would absolutely love if you can work on getting some deep LDAP integration going with SilverStripe - would you be keen to head up this project?

    - Tim

  • lancer
    57 Posts

    Re: LDAP support for Silverstripe

    Sure, has the new security code for 2.1 stabilized yet? (or what is the general expectation for it to do so?)

    What is the timeframe you would like to see?

    (by the way, I probably won't be reacting much to any posts starting tomorrow. I'll have some work-related travel to do for the next 1.5 weeks)

  • Markus
    Google Summer of Code Hacker
    152 Posts

    Re: LDAP support for Silverstripe

    Somehow I missed this thread... anyway: great to hear that you are going to help us implement LDAP-based authentication.

    If you have any questions about the authenticator stuff feel free to ask... I was the one who implemented it.

    1) From 2.1 you can register more than one authenticator with Silverstripe and use them concurrently
    2) Each authenticator adds its own form to the authentication page.

    Right.

    3) The mapping (in case of OpenID) of the remote ID is done with extra parameters stored with the user object (in this case the OpenID URL)
    4) For OpenID you'd still need a database entry but as far as I can see this is not mandatory

    Yes, we map the OpenID identifier (URL) to the member object which represents the user. A database entry is mandatory since otherwise we cannot check the user privileges.

    5) Authorization still takes place within SilverStripe

    Exactly.

    I would even like to move some of the authorization to the LDAP. If SilverStripe groups are mapped to LDAP posix groups, the users don't even need to be recorded in the SilverStripe database (for large sites this would reduce the clutter in the user table significantly).

    Hmm... that's somehow a double-edged sword. Since all the code relies on member objects you need to create some kind of mock member object. But principally it should work.
    I don't know LDAP very well... but is it possible to retrieve the user list and their groups from an LDAP server? In that way we could create some kind of automatic synchronization (just an idea).

  • Sigurd
    Forum Moderator
    628 Posts

    Re: LDAP support for Silverstripe

    And yes, 2.1rc2 code is very close to the stable release, it's only blocker-level bug fixes, so you're fine to play with that.

    You could also look at the SVN trunk, which will form the 2.2 release later in the year.

  • Markus
    Google Summer of Code Hacker
    152 Posts

    Re: LDAP support for Silverstripe

    With this in place I can set my Silverstripe password to some incredibly complex string that can't be brute forced and at the same time allow me to use my normal password, which I cycle monthly, with SilverStripe (and this password is not stored cleartext either). The account must be created in Silverstripe first before anyone can authenticate successfully (it's authentication only, not authorization).

    You don't need to set your Silverstripe password to "some incredibly complex string", simply set it to NULL and the normal username/password login method will be disabled.

    (I think in v2.2) it will also be possible to disable the so-called member login method (username & password) and you can configure Silverstripe so that it doesn't save passwords in clear text but encrypted and salted. You can even choose the encryption algorithm.

  • lancer
    57 Posts

    Re: LDAP support for Silverstripe

    According to the wiki, encryption of passwords and the Authenticator methods are scheduled for 2.1. I started writing the code, but the Authenticator is not present in the 2.1rc code. If this is scheduled for 2.2 I should probably be working on a checkout of the trunk.

  • Tim
    Core Development Team
    201 Posts

    Re: LDAP support for Silverstripe

    Hi Lancer,

    Yes you'll want to be developing with Trunk as that is where all the new authentication goodness is, however note this branch is currently unstable (we've only really just finished the merges and haven't properly tested it), so it's likely you'll come up against a number of issues in that regard.

    Great to hear you've started on this!

  • lancer
    57 Posts

    Re: LDAP support for Silverstripe

    I just put the initial code on trac. Ticket 1477.

    Feature set
    * support for ldaps
    * support for tls
    * support for any unique id in the LDAP user record (such as uid or mail address)
    * POSIX/Shadow password expiration support
    * non-anonymous bind for dn search

    It should also work with AD, if the correct magic parameters are put in _config.php.
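    As an added example (not the code attached to ticket 1477), the bind-search-bind flow that feature list describes, written against PHP's ext/ldap: a non-anonymous bind with a service account for the DN search, lookup by whichever unique attribute the site configures, a POSIX shadow expiry check, and finally a bind as the user to verify the password. The `$cfg` keys, the attribute names and the use of `ldap_escape()` are assumptions, not SilverStripe API.

```php
<?php
// Added example, not the code from ticket 1477: the bind-search-bind flow the
// feature list describes. $cfg keys and the attribute names are assumptions.
function ldapAuthenticate(array $cfg, string $login, string $password): ?string
{
    // An empty password turns the final bind into an unauthenticated bind that many servers accept; refuse it.
    if ($password === '') {
        return null;
    }
    $conn = ldap_connect($cfg['uri']); // ldaps://host for LDAPS, ldap://host for STARTTLS
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!empty($cfg['start_tls']) && !@ldap_start_tls($conn)) {
        return null; // TLS was requested: never fall back to cleartext
    }
    // Non-anonymous bind with a read-only service account for the DN search.
    if (!@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
        return null;
    }
    // Look the user up by whichever unique attribute is configured (uid, mail, ...).
    // ldap_escape() keeps the login string from changing the filter's structure.
    $filter = sprintf('(%s=%s)', $cfg['id_attr'], ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $attrs  = ['shadowexpire', 'shadowlastchange', 'shadowmax'];
    $res    = @ldap_search($conn, $cfg['base_dn'], $filter, $attrs);
    $found  = $res ? ldap_get_entries($conn, $res) : false;
    if ($found === false || $found['count'] !== 1) {
        return null; // no match or an ambiguous match both count as failure
    }
    $entry = $found[0];
    if (shadowAccountExpired($entry, (int) floor(time() / 86400))) {
        return null;
    }
    // Verify the password by binding as the user's own DN; return the DN on success.
    return @ldap_bind($conn, $entry['dn'], $password) ? $entry['dn'] : null;
}

// POSIX shadow fields are days since the epoch; -1 or absent means "not set".
function shadowAccountExpired(array $entry, int $today): bool
{
    $expire = isset($entry['shadowexpire'][0]) ? (int) $entry['shadowexpire'][0] : -1;
    if ($expire >= 0 && $today >= $expire) {
        return true; // the account itself has expired
    }
    $last = isset($entry['shadowlastchange'][0]) ? (int) $entry['shadowlastchange'][0] : -1;
    $max  = isset($entry['shadowmax'][0]) ? (int) $entry['shadowmax'][0] : -1;
    return $last >= 0 && $max >= 0 && ($today - $last) > $max; // password aged out
}
```

    Group mapping to SilverStripe groups, as discussed earlier in the thread, would be a further search on the returned DN and is left out here.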
