Announcement

  •  » Extensions
  •  » Webserver or PAM authentication plug-in?

#1 2014-10-05 17:06:19

mark0n
Member
2014-10-05
3

Webserver or PAM authentication plug-in?

Hi all,
first of all let me say that I really appreciate the hard work @22decembre put into his LDAP plug-in!

However, looking at the code and postings of users running into issues with it, I got the impression that @22decembre's plug-in is not general enough to satisfy many people's needs. Unfortunately implementing and maintaining a full-fledged LDAP authentication plug-in seems be *a lot* of work. It probably requires more effort than the few people that want to use it are willing to spend :-( And that would only solve the problem of authenticating against LDAP. People that want to authenticate against Unix accounts, their own database,... would still be on their own...

Thinking about other options here is what came to my mind:

1. Let the web server do authentication. It turns out that someone already succeeded in doing so: http://anotheritblog.net/2014/07/17/piw … ntication/ Does anyone know if that's also possible with NGINX?

2. Implement a Piwigo plug-in that authenticates against PAM. This way all the heavy lifting would be done by the already existing PAM LDAP module. The fact that many other PAM modules (e.g. /etc/shadow, Kerberos,...) are available could also significantly increase the user base for such a plug-in. The downside of this approach is that PAM is not available on all platforms (read: Windows).

What do you think?

Martin

P.S.: Unfortunately I'm not really familiar with PHP but I could help testing with OpenLDAP and PAM on Linux.

Offline

 

#2 2014-10-05 17:17:36

22decembre
Member
1970-01-01
4

Re: Webserver or PAM authentication plug-in?

This is some sort of good thoughts (diversity, different way to the same purpose : gooooood !).

Yet, it has one down side : what to do if you can't use pam !

BSD for exemple uses a different auth system than pam. LDAP can also allow to have a remote auth : the auth server is an other host than the one running piwigo.

I am not defending my own opinion or plugin, cause I remind you that I want to give it to someone else, but just give you an other point of view.

Any way, I wish you good luck and courage, because you deserve it !

Offline

 

#3 2015-03-10 09:52:45

exi
Member
2013-06-24
5

Re: Webserver or PAM authentication plug-in?

Authenticating against PAM for piwigo is a bad idea if you want an ldap authentication.
I don't have unix/pam permissions for all my users because they are only allowed to access specific services configured by ldap and user login on my server is not one of them.

I would like to have something like the owncloud ldap configuration which lets you specify ldap host, binddn, base and a user filter. The user filter is used to restrict access to specific ldap groups/objectClasses.

Offline

 

#4 2015-03-11 14:54:34

mark0n
Member
2014-10-05
3

Re: Webserver or PAM authentication plug-in?

Hi exi,
as far as I understand PAM you can configure authentication to be performed in a different way for each of your applications. E.g. you can use /etc/passwd for SSH logins into your OS and LDAP authentication for Piwigo. I guess you can also configure LDAP authentication against separate servers or different groups for different applications.

I also like the LDAP auth support that comes with OwnCloud but developing and maintaining something like this for Piwigo comes at the cost of quite some effort. So far I do not see enough capable developers willing to contribute.

PAM on the other hand already comes with a full implementation of LDAP authentication. All we need is PAM support for Piwigo. I see three advantages of PAM:

a) It provides _full_ LDAP support (not just what the author of some Piwigo extension needed). This includes configurable user filters etc.
b) If we would have PAM support in Piwigo we could also use all kinds of other authentication methods supported by PAM without adding additional code to Piwigo. This might increases the user base of the Piwigo-PAM code and thus potentially increases the number of contributors.
c) Implementation shouldn't be too hard. Just hand over the credentials to PAM and get the ok/nok back. PAM should take care of the heavy lifting.

Let me know what you think,

Martin

Offline

 
  •  » Extensions
  •  » Webserver or PAM authentication plug-in?

Board footer

Powered by FluxBB

github twitter facebook google+ newsletter Donate Piwigo.org © 2002-2019 · Contact