Radicore Forum - RDF feed
https://forum.radicore.org/index.php
RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=352&th=115#msg_352
I have just come across RADICORE and am not a coder but an IT administrator. I have searched the RADICORE and Marston sites, and the Forums for 'LDAP', but have found very few references.
LDAP is often used for something similar to RBAC, and many web applications implement some form of LDAP support for access and control.
What is the relationship between, or potential relationship between, RADICORE's Menu and Security system and a directory that implements an LDAP interface (such as Active Directory)?
Thanks
Dennis
dennisj, 2006-11-01T22:42:18-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=353&th=115#msg_353
The problem with a web application is that it only knows what the web browser sends it, and the web browser has no way of obtaining the client's LDAP details and sending them to the web server. There is no way that an application running on a web server has access to whatever LDAP system is being used on the client, so I think any relationship between Radicore and LDAP would not achieve anything useful.
AJM, 2006-11-01T23:08:51-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=354&th=115#msg_354
Thanks for the response.
I have minimal experience with LDAP and Web applications.
1/. Moodle http://moodle.org a php MySQL learning management system. If you turn on LDAP authentication, and point the Moodle application at your LDAP server, then, when a user clicks to logon, it takes the entered credentials and asks the LDAP server, over an LDAP connection, whether that user is allowed to proceed.
2/. An apache server can have the mod_auth_kerb module installed http://modauthkerb.sourceforge.net/ . "Mod_auth_kerb is an Apache module designed to provide Kerberos authentication to the Apache web server. Using the Basic Auth mechanism, it retrieves a username/password pair from the browser and checks them against a Kerberos server as set up by your particular organization." The Kerberos connection can talk to an LDAP server.
Because there is a bit of pressure to centralise identity and permissions management in an LDAP server, it would be great if there was some way for your security system to interact with LDAP.
The abstract reads...
This paper gives a framework for how to leverage Lightweight Directory Access Protocol (LDAP) to implement Role-based Access Control (RBAC) on the Web in the server-pull architecture. LDAP-based directory services have recently received much attention because they can support object-oriented hierarchies of entries in which we can easily search and modify attributes over TCP/IP. To implement RBAC on the Web, we use an LDAP directory server as a role server that contains users' role information. The role information in the role server is referred to by Web servers for access control purposes through LDAP in a secure manner (over SSL). We provide a comparison of this work to our previous work, RBAC on the Web in the user-pull architecture.
Dennis
dennisj, 2006-11-02T07:16:29-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=355&th=115#msg_355
Even if I could use LDAP to provide a user's login identity I certainly would not use it as a replacement for my RBAC system. LDAP knows nothing of my user roles and tasks and knows nothing about assigning tasks to roles.
You may have read somewhere that using LDAP is "cool", but unless you know and understand the technicalities you will not realise that it also has its down side.
AJM, 2006-11-02T09:47:02-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=356&th=115#msg_356
I don't think I was suggesting a replacement of your RBAC system with LDAP, more suggesting something along the lines of using an LDAP server instead of an SQL server for the data that relates to users and roles. I think you mentioned that you have DAOs to facilitate database independence for the RADICORE system. A custom DAO that talks LDAP not SQL (for user and role information) might theoretically be possible.
However, I can see that the question of assigning tasks to roles in LDAP would not necessarily be entirely straightforward.
But I think the main point here is not the single-sign-on sharing of operating system credentials, but the concentration of identity and role management in one place, an LDAP enabled server, so a large part of this identity data does not have to be duplicated in two different places.
Dennis
dennisj, 2006-11-03T09:56:55-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=357&th=115#msg_357
LDAP may be "cool" but it is also impractical.
AJM, 2006-11-03T10:19:20-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=358&th=115#msg_358
Leaving aside the question of using LDAP as the base user database, I wonder what your suggestion would be for an organisation that currently has all its users, passwords, and group permissions stored in an LDAP server? If the organisation was interested in RADICORE, what approach to user management would you suggest?
Is there some way of synchronising the user names and passwords between RADICORE and LDAP? Or would you just have to maintain two separate, duplicate user name and password databases? Or is there some other alternative?
Dennis.
dennisj, 2006-11-05T21:27:52-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=359&th=115#msg_359
If you absolutely need an LDAP interface then you could always get one of your own programmers to write one, but I wouldn't be prepared to guarantee the results.
When you consider all the other features that the Radicore framework has to offer, the lack of an LDAP interface is pretty insignificant.
AJM, 2006-11-05T21:49:17-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1576&th=115#msg_1576
I was concerned about how to use LDAP authentication with Radicore; it seems important for a business to have only one authentication method for its computer systems.
PHP provides interfaces for LDAP. I think it could be used to develop an asynchronous interface between LDAP and Radicore, which would allow LDAP users to be imported into Radicore's menu system, something like Openfire has implemented, which allows the user to select the authentication method, proprietary or LDAP.
Do you think it's possible for Radicore's future versions?
edortizq, 2008-08-27T15:42:09-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1577&th=115#msg_1577
Single Factor, which is the default, which uses the user_id and password on the MNU_USER table.
As I have never used an LDAP service, nor have access to one, I would have nothing to test against.
AJM, 2008-08-27T16:28:39-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1578&th=115#msg_1578
Or, you can import users from the LDAP database and write them as read-only in your menu system (for certain fields); then those users can be part of the RBAC system the same way you work it now.
You can find an attached script to connect and retrieve attributes and values from an LDAP database; it works for OpenLDAP and W2K Active Directory.
If you can't get access to an LDAP connection, let me know; I could ask a friend and maybe (just maybe) get access for test purposes.
edortizq, 2008-08-27T21:31:51-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1579&th=115#msg_1579
AJM, 2008-08-27T22:00:13-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1585&th=115#msg_1585
edortizq, 2008-08-28T18:19:14-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1586&th=115#msg_1586
Using an LDAP database in place of Radicore's MENU database simply won't work, so it won't happen.
AJM, 2008-08-28T19:08:24-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1589&th=115#msg_1589
http://directory.apache.org/) so I will be able to implement LDAP authentication similar to what I have already done with RADIUS authentication.
In this way the user will still have an entry on the MNU_USER table, but the password will be authenticated against the LDAP server. The user_password field on the MNU_USER table will therefore be irrelevant.
This will be available (hopefully) in release 1.40.0
AJM, 2008-08-31T13:31:41-00:00

Re: RBAC and LDAP
https://forum.radicore.org/index.phpindex.php?t=rview&goto=1590&th=115#msg_1590
edortizq, 2008-08-31T20:54:03-00:00
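The login flow AJM outlines in his last substantive reply (every user still has an MNU_USER row, the password is checked by a bind against the LDAP server, and user_password is left unused), written out as an added PHP example that is not Radicore's own code. The LDAP host, the base DN, the uid=<user>,<base> DN layout and the role_id column are assumptions.

```php
<?php
// Added example, not Radicore's own code: MNU_USER still decides who exists
// and which role they hold, while an LDAP bind proves the password. Host,
// base DN, the uid=<user>,<base> DN layout and role_id are assumptions.

function ldap_authenticate(string $ldapUri, string $baseDn, string $userId, string $password): bool
{
    // An empty password makes many LDAP servers perform an "unauthenticated
    // bind" that succeeds without checking anything, so reject it up front.
    if ($userId === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($ldapUri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Refuse to send the password in clear text: require STARTTLS.
    if (!@ldap_start_tls($conn)) {
        ldap_close($conn);
        return false;
    }
    // Escape the user id with DN rules before splicing it into the bind DN.
    $dn = 'uid=' . ldap_escape($userId, '', LDAP_ESCAPE_DN) . ',' . $baseDn;
    $bound = @ldap_bind($conn, $dn, $password);
    ldap_close($conn);
    return $bound;
}

function load_local_user(PDO $db, string $userId): ?array
{
    // Roles still come from Radicore's own tables; user_password is not read.
    $stmt = $db->prepare('SELECT user_id, role_id FROM mnu_user WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function login(PDO $db, string $userId, string $password): ?array
{
    // Both checks must pass. Users unknown to MNU_USER are refused before
    // any LDAP traffic is generated; a valid LDAP password alone grants nothing.
    $local = load_local_user($db, $userId);
    if ($local === null || !ldap_authenticate('ldap://ldap.example.internal', 'ou=people,dc=example,dc=internal', $userId, $password)) {
        return null;
    }
    return $local;
}
```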