Forum OpenACS Development: Re: RFC: External Authentication

Posted by Oscar Bonilla on
In the spec:

-----
Each domain driver will have a set of configuration options dependent on the driver, such as host, port, etc. We will need to find a mechanism for the driver to tell us which configuration options are available, a way to set these, and a way for the driver to access these settings.
-----

How about each driver creates a table with the columns it needs and we just let the admin fill the information on a row of the table? The UI would be easy to generate automatically if we know the table name.

-----
Optional: Password policy
-----

How would we handle password policies of the external authentication service? What if the external service returns "password has expired, must change"? We should log in the user but ask him to change password.

-----
$$$$ Also need a way for the driver to say which configuration options it has, and a user interface for setting them. Sounds very much like current package parameters.
-----

Would it be possible to have multiple configurations for the same driver? What if I have two LDAP servers and want to authenticate with both?
This is why I think a table for each driver with a column for each parameter and a row for each instance of the driver would work best.

This also leads to the "stackable" feature. Would it be possible to stack the drivers so that it's required for the user to authenticate with all of them? Or maybe any of them? We could do this using PAM but PAM doesn't support all the features the ext-auth module will support.

Lars asked me if I had a *real* need for this. The answer is no. I just thought it would be something we should consider from the beginning.

-----
Operating system (Linux/Solaris) PAM: Delegate to the operating system, which can then talk to RADIUS, LDAP, whatever. This is convenient because there'll be plenty of drivers for the OS PAM level, so we don't have to write them all ourselves. The downside is that we can't do things like account creation, password management, real-time account synchronization, etc., not supported by PAM (I'm not entirely sure what is and is not supported).
-----

This would also mean writing an ns_pam module to talk to the PAM libraries. I don't think PAM has account creation, but it definitely has password management.

I'll send more thoughts later...

Regards,

-Oscar
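The three design points raised in the post (one configuration row per driver instance, an external service answering "password has expired, must change", and stacking drivers with "all of them" or "any of them" semantics) are sketched below as an added example. This is not OpenACS code and not Oscar's; the driver class, the `AuthStatus` values, the `DRIVER_CONFIG_TABLES` dict standing in for a per-driver database table, and the constructed `FAKE_DIRECTORIES` are all assumptions made for the illustration. The "any" mode tries instances in order and stops at the first one that accepts the credentials; the "all" mode stops at the first refusal, and an expired password on any instance still counts as authenticated but forces a password change.

```python
"""Stackable external-auth driver instances with per-instance configuration.

Constructed illustration, not OpenACS code. The config "table" below is a
plain dict standing in for the per-driver table proposed in the post.
"""
import hmac
from dataclasses import dataclass
from enum import Enum


class AuthStatus(Enum):
    OK = "ok"
    PASSWORD_EXPIRED = "password_expired"  # identity proven, but must change password
    BAD_PASSWORD = "bad_password"
    NO_ACCOUNT = "no_account"


@dataclass(frozen=True)
class AuthResult:
    status: AuthStatus
    instance: str  # which driver instance (or stack) produced the verdict

    @property
    def authenticated(self) -> bool:
        # An expired password still proves identity; the login code forces a change.
        return self.status in (AuthStatus.OK, AuthStatus.PASSWORD_EXPIRED)


# Hypothetical per-driver config "table": one row per configured instance.
# Columns are whatever the driver needs (here: the LDAP driver's host/port/base_dn).
DRIVER_CONFIG_TABLES = {
    "ldap": [
        {"instance": "ldap-corp", "host": "ldap.corp.example",
         "port": 636, "base_dn": "dc=corp,dc=example"},
        {"instance": "ldap-partner", "host": "ldap.partner.example",
         "port": 636, "base_dn": "dc=partner,dc=example"},
    ],
}

# Constructed stand-in directories keyed by instance name:
# username -> (password, password_expired). No real LDAP is contacted.
FAKE_DIRECTORIES = {
    "ldap-corp": {"alice": ("correct horse", False), "bob": ("hunter2", True),
                  "dan": ("rotate-me", True)},
    "ldap-partner": {"alice": ("correct horse", False), "carol": ("s3cret", False),
                     "dan": ("rotate-me", False)},
}


class LdapDriverInstance:
    """One configured instance of the (simulated) LDAP driver."""

    def __init__(self, row: dict):
        self.name = row["instance"]
        self.config = row  # the driver reads its own settings from its table row
        self._directory = FAKE_DIRECTORIES[self.name]

    def authenticate(self, username: str, password: str) -> AuthResult:
        entry = self._directory.get(username)
        if entry is None:
            return AuthResult(AuthStatus.NO_ACCOUNT, self.name)
        stored, expired = entry
        # Constant-time comparison so the check does not leak prefix length.
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return AuthResult(AuthStatus.BAD_PASSWORD, self.name)
        status = AuthStatus.PASSWORD_EXPIRED if expired else AuthStatus.OK
        return AuthResult(status, self.name)


def load_instances(driver: str):
    """Build one driver instance per row of that driver's config table."""
    return [LdapDriverInstance(row) for row in DRIVER_CONFIG_TABLES[driver]]


def authenticate_stack(instances, username, password, mode="any") -> AuthResult:
    """mode="any": first instance that accepts wins. mode="all": every instance
    must accept; an expired password on any of them marks the whole result expired."""
    if mode not in ("any", "all"):
        raise ValueError(f"unknown stack mode {mode!r}")
    if not instances:
        raise ValueError("empty driver stack")
    results = []
    for inst in instances:
        result = inst.authenticate(username, password)
        results.append(result)
        if mode == "any" and result.authenticated:
            return result
        if mode == "all" and not result.authenticated:
            return result
    if mode == "any":
        # Nothing accepted: report a wrong password over "no account" if one was seen.
        for r in results:
            if r.status is AuthStatus.BAD_PASSWORD:
                return r
        return results[-1]
    label = "+".join(r.instance for r in results)
    if any(r.status is AuthStatus.PASSWORD_EXPIRED for r in results):
        return AuthResult(AuthStatus.PASSWORD_EXPIRED, label)
    return AuthResult(AuthStatus.OK, label)


def session_action(result: AuthResult) -> str:
    """What the login page should do with a stack verdict."""
    if result.status is AuthStatus.OK:
        return "grant"
    if result.status is AuthStatus.PASSWORD_EXPIRED:
        return "grant_then_force_password_change"
    return "deny"


if __name__ == "__main__":
    stack = load_instances("ldap")
    for user, pw in [("alice", "correct horse"), ("carol", "s3cret"), ("bob", "hunter2")]:
        r = authenticate_stack(stack, user, pw, mode="any")
        print(user, r.status.value, r.instance, session_action(r))
```

Whether a wrong password on one instance should stop the "any" walk or continue to the next instance is a policy choice (PAM's `sufficient` versus `requisite`); the sketch continues, which is what "any of them" in the post asks for.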