Support Forums - All Posts - XOOPS Web Application System

11

Re: Login users using NIS server

2004/8/17 7:57
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Hi again Sunita,

You will have to use PAM to authenticate your IMAP users too. Have a look at how your IMAP server can authenticate users. It is really server dependant.

Concerning security: if you are running inside a corporate network with no access to the Internet a NIS server properly configured would be definitively secure enough !!!

But PAM is indeed much powerfull and flexible. The problem is that the PHP pam_auth does not seems to be as flexible (reading the doc - never tried so I might be wrong).

Another remark: if you use PAM and you make your password travel in clear over the network (without HTTPS for XOOPS for instance or with IMAP), you will weaken the security of all your infrastructure. If the authentication repository behind your PAM module is known to be secure, it won't be anymore... Take care of what you are doing and think that the security level is defined by the weakest part of the architecture.

Hope this will help you to make the right choices according to your needs and requirements.

Benoit

12

Re: Login users using NIS server

2004/8/17 7:45
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

If you work with a Debian, an "apt-get install php-yp" should be sufficient to make PHP NIS aware! It should be almost the same with any "rpm" compliant distribution. But your administrator might prefer to compile PHP by himself instead of using packages...

I am not sure either if it will be easier to switch to PAM ! The only way I can see today to achieve such integration is via the simple php pam_auth module you can find here:
http://www.math.ohio-state.edu/~ccunning/pam_auth/

But it might take you time to make it work (and require a new XOOPS module to integrate it smoothly with Xoops). An interesting one to write one of these days

But my main concern is: if you switch to PAM for PHP, you will have to do the same for your IMAP server. That means that all of your users will have to use another login/password, unless you are using the same authentication repository for the pam module and NIS.

What is the EXACT goal you want to achieve ???

Best regards,

Benoit

13

Re: Login users using NIS server

2004/8/17 7:19
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Hi,

This is exactly the goal of the NIS login module ! The goal of the Authentication Service hack is to externalise the authentication process. Your users has simply to use their NIS login/password to login to XOOPS once this module has been enabled. If the user connects for the first time a XOOPS user account will be automatically created based on the information find via NIS: username, full name (gecos info), etc. The only missing part right now is the mail address. If the mail address can be derived from either the username or the gecos, it is trivial to implement.

With the NIS and LDAP module you can even allow pure XOOPS users and NIS/LDAP users to loging to your XOOPS site.

Best regards,

Benoit

14

Re: Login users using NIS server

2004/8/13 11:17
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Done and ... tested (On a Debian box with XOOPS 2.0.6) ! Thanks to you I learned NIS and was successful in installing a master server, a slave and a client. I seems to me a very insecure way to authenticate users, but I am a difficult man to satisfy

You can download a first beta version of a NIS authentication module: http://sourceforge.net/tracker/download.php?group_id=41586&atid=430842&file_id=97570&aid=945237

Steps to start using it:
- apply the Pluggable Authentication Hack (https://xoops.org/modules/newbb/viewtopic.php?forum=14&topic_id=19401)
- test it with default XOOPS module
- download nis.php (http://sourceforge.net/tracker/download.php?group_id=41586&atid=430842&file_id=97570&aid=945237) and copy under /include/authenticationservices
- adapt the parameters in nis.php (nis domain name, the salt and the way to get mail address for your users - optional)
- modify mainfile.php to use nis instead of XOOPS module for authenticating users.
- test...

No time to polish now but it WORKS. I commented some debug code. Feel free to uncomment in case of trouble

Regards,

Benoit

15

Re: Login users using NIS server

2004/8/13 5:19
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Hi,

If you are successfuly implementing the NIS authentication through a new "nis" module for the Authentication Service, you can let your users using the same login/password that they used to use with NIS enabled applications.

Unfortunately I do not have a NIS infrastructure available neither at home nor at work. The best I could try to do is to provide you with a version developped in a "blind" way without any possibility to test it and without any experience with NIS...

Does anybody out there have an experience with NIS authentication and have some PHP experience ?

If I can find some time today (GMT+1), I will try to provide you with something but it is a difficult exercice

Best regards,

Benoit

16

Re: strong authentication

2004/8/11 8:21
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Hi,

Did you succeed in making XOOPS authenticate users via X509 certificates or did you change your mind ?

Since I am preparing a new pluggable way to authenticate XOOPS users I am interested by any experience in that field.

Thank you in advance.

Best regards,

Benoit

17

Re: Login users using NIS server

2004/8/11 8:16
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Hi,

I have never worked with NIS, but in theory you shoud be able to develop a new Authentication module for NIS. The Authentication Service is a hack that will be included very soon in the XOOPS kernel (https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=19401&forum=14).

If have already achieved more or less the same "single sign on" and strong password policy with CAS (Yale University).

The question for which I do not have an answer today is how to check the session or login/password of a NIS user. I found something interesting in the Mantis source code.

     # Mantis - a php based bugtracking system 
    # Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org 
    # Copyright (C) 2002 - 2004  Mantis Team   - mantisbt-dev@lists.sourceforge.net 
    # This program is distributed under the terms and conditions of the GPL 
    # See the README and LICENSE files for details 
 
    # -------------------------------------------------------- 
    # $Id: nis_api.php,v 1.2 2004/07/05 16:50:30 ghenshaw Exp $ 
    # -------------------------------------------------------- 
 
    ########################################################################### 
    # NIS API 
    ########################################################################### 
     
    # -------------------- 
    # Attempt to authenticate the user against the NIS directory 
    #  return true on successful authentication, false otherwise 
    # this really belongs in a separate module, but this is convenient 
    function nis_authenticate( $p_user_id, $p_password ) { 
        $t_authenticated = false; 
        $t_username         = user_get_field( $p_user_id, 'username' ); 
        $t_domain_list = config_get( 'nis_domains', yp_get_default_domain() ); 
        $t_domain_arr = split( ',', $t_domain_list ); 
        foreach ($t_domain_arr as $t_domain) { 
            $t_entry = @yp_match($t_domain, "passwd.byname", $t_username); 
            // echo "" . $t_username."/" . $p_password . " matched entry is: " . $t_entry; 
            if($t_entry){ 
                list($user,$t_pass,$uid,$gid,$gecos,$home,$shell) = explode(":", $t_entry); 
                // echo " 
salt = ".substr($t_pass, 0, 2); 
                if($t_pass == crypt($p_password, substr($t_pass, 0, 2))){ 
                    // echo "
password matched"; 
                    $t_authenticated = true; 
                }else{ 
                    // echo "
password failed"; 
                } 
            }else{ 
                // echo "

match failed"; } } return $t_authenticated; } ?>

I suggest you clone the ldap authentication module (/include/authenticationservice/ldap.php) and simply replace/adapt the authentication code with this one. It should be rather easy to make it run. To get these functions (yp_*) to work, you have to configure PHP with --enable-yp

I hope this will help.

Please give us some feedback: a new working NIS module for XOOPS would be nice to have !

Best regards,

Benoit

18

Re: integrated FCKEditor with next XOOPS

2004/8/5 8:28
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Nice to know. I may sound stupid but where can I find this "version" ? Is it a kernel modification, a new set of modules, etc. ???

Benoit

19

Re: integrated FCKEditor with next XOOPS

2004/8/4 20:34
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

Good news !

Where can I find more information on the way this goal will be achieved and how to contribute by developing new "integrations" of WYSIWYG editor in the coming weeks?

Thank you !

Benoit

20

Re: LDAP authentication

2004/8/3 5:49
mercibe
Just popping in
Posts: 55
Since: 2003/6/12

This hack allows you to authenticate your XOOPS users from an external LDAP repository. By default XOOPS authenticates users with passwords stored in the XOOPS MySQL database. By externalising the authentication process as explained in this hack and in a much better way in https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=19401&forum=14
you could easily integrate XOOPS in an existing "authentication" infrastructure. Most companies are using an LDAP directory server (Active Directory, eDirectory, etc.) or another kind of centralised authentication server to authenticate their users centrally in a product "independant" way.

Hope this short explanation will help you to get the global picture...

Benoit

Stats
Goal:	AU$15.00
Due Date:	Jul 31
Gross Amount:	AU$0.00
Net Balance:	AU$0.00
Left to go:	AU$15.00

Forum Index

Re: Login users using NIS server

Re: Login users using NIS server

Re: Login users using NIS server

Re: Login users using NIS server

Re: Login users using NIS server

Re: strong authentication

Re: Login users using NIS server

Re: integrated FCKEditor with next XOOPS

Re: integrated FCKEditor with next XOOPS

Re: LDAP authentication

Login

Search

Recent Posts

RPGStash - Best site to Buy Dune Awakening Items

Re: New module: Smartshare

SmartLike (coming)

Re: New module: Weather

Re: XOOPS Custom Field Module

Re: XOOPS Custom Field Module

XOOPS Custom Field Module

Re: New module: Smartshare

Re: New module: Weather

Re: New module: Weather

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}