Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive /

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

LDAP support for Silverstripe


Reply


31 Posts   14131 Views

Avatar
Tim

Core Development Team, 201 Posts

18 September 2007 at 2:31pm

Hi Lancer,

We would absolutely love if you can work on getting some deep LDAP integration going with SilverStripe - would you be keen to head up this project?

- Tim

Avatar
lancer

57 Posts

18 September 2007 at 5:01pm

Edited: 18/09/2007 5:06pm

Sure, has the new security code for 2.1 stabilized yet? (or what is the general expectation for it to do so?)

What is the timeframe you would like to see?

(by the way, I probably won't be reacting much to any posts starting tomorrow. I'll have some work related travel to do for the next 1.5 week)

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

27 September 2007 at 5:20am

Somehow I missed this thread.. anyway: great to hear that you are going to help us to implement LDAP based authentication.

If you have any questions about the authenticator stuff feel free to ask.. I was the one who implemented it :-)

1) From 2.1 you can register more than one authenticator with Silverstripe and use them concurrently
2) Each authenticator adds its own form to the authentication page.

Right.

3) The mapping (in case of OpenID) of the remote ID is done with extra parameters stored with the user object (in this case the OpenID URL)
4) For OpenID you'd still need a database entry but as far as I can see this is not mandatory

Yes, we map the OpenID identifier (URL) to the member object which represents the user. A database entry is mandatory since otherwise we cannot check the user privileges.

5) Authorization still takes place within SilverStripe

Exactly.

I would even like the move some of the authorization to the LDAP. If SilverStripe groups are mapped to LDAP posix groups, the users don't even need to be recorded in the SilverStripe database (for large sites this would reduce the clutter in the user table significantly)

Hmm... that's somehow a double edged sword. Since all the code relies on member objects it you need to create some kind of mock member object. But principally it should work.
I don't know LDAP very well.. but it is possible to retrieve the user list and their groups from an LDAP server? In that way could create some kind of automatic synchronization (just an idea).

Avatar
Sigurd

Forum Moderator, 628 Posts

28 September 2007 at 8:58am

And yes, 2.1rc2 code is very close to the stable release, its only blocker-level bug fixes, so you're fine to play with that.

You could also look at the SVN trunk, which will form the 2.2 release later in the year.

Avatar
Markus

Google Summer of Code Hacker, 152 Posts

29 September 2007 at 4:15am

Edited: 29/09/2007 4:16am

With this in place I can set my Silverstripe password to some incredibly complex string that can't be brute forced and at the same time allow me to use my normal password, which I cycle monthly, with SilverStripe (and this password is not stored cleartext either). The account must be created in Silverstripe first before anyone can authenticate succesfully (it's authentication only, not authorization)

You don't need to set your Silverstripe password to "some incredibly complex string", simple set it to NULL and the normal username/password login method will be disabled.

(I think in v2.2) it will also be possible to disable the so called member login method (username & password) and you can configure Silverstripe so that it doesn't safe passwords in clear-text but encrypted and salted. You can even choose the encryption algorithm.

Avatar
lancer

57 Posts

30 September 2007 at 3:32am

According to the wiki encryption of passwords and the Authenticator methods are scheduled for 2.1. I started writing the code, bute the Authenticator is not present in the 2.1rc code. If this is scheduled for 2.2 I should probably be working on a checkout of the trunk.

Avatar
Tim

Core Development Team, 201 Posts

30 September 2007 at 11:44am

Hi Lancer,

Yes you'll want to be developing with Trunk as that is where all the new authentication goodness is, however note this branch is currently unstable (we've only really just finished the merges and haven't properly tested it), so it's likely you'll come up against a number of issues in that regard.

Great to hear you've started on this!

Avatar
lancer

57 Posts

9 October 2007 at 8:36am

I just put the initial code on trac. Ticket 1477.

Featureset
* support for ldaps
* support for tls
* support for any unique id in the LDAP user record (such as uid or mail address)
* POSIX/Shadow password expiration support
* non-anonymous bind for dn search

It should also work with AD, if the correct magic parameters are put in _config.php