11
mercibe
Re: Login users using NIS server
  • 2004/8/17 7:57

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi again Sunita,

You will have to use PAM to authenticate your IMAP users too. Have a look at how your IMAP server can authenticate users. It is really server dependent.

Concerning security: if you are running inside a corporate network with no access to the Internet, a properly configured NIS server would definitely be secure enough !!!

But PAM is indeed very powerful and flexible. The problem is that the PHP pam_auth does not seem to be as flexible (reading the doc - never tried so I might be wrong).

Another remark: if you use PAM and you make your password travel in clear over the network (without HTTPS for XOOPS for instance or with IMAP), you will weaken the security of all your infrastructure. If the authentication repository behind your PAM module is known to be secure, it won't be anymore... Take care of what you are doing and think that the security level is defined by the weakest part of the architecture.

Hope this will help you to make the right choices according to your needs and requirements.

Benoit



12
mercibe
Re: Login users using NIS server
  • 2004/8/17 7:45

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12



If you work with a Debian, an "apt-get install php-yp" should be sufficient to make PHP NIS aware! It should be almost the same with any "rpm" compliant distribution. But your administrator might prefer to compile PHP by himself instead of using packages...

I am not sure either if it will be easier to switch to PAM ! The only way I can see today to achieve such integration is via the simple php pam_auth module you can find here:
http://www.math.ohio-state.edu/~ccunning/pam_auth/

But it might take you time to make it work (and require a new XOOPS module to integrate it smoothly with Xoops). An interesting one to write one of these days

But my main concern is: if you switch to PAM for PHP, you will have to do the same for your IMAP server. That means that all of your users will have to use another login/password, unless you are using the same authentication repository for the pam module and NIS.

What is the EXACT goal you want to achieve ???

Best regards,

Benoit



13
mercibe
Re: Login users using NIS server
  • 2004/8/17 7:19

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi,

This is exactly the goal of the NIS login module ! The goal of the Authentication Service hack is to externalise the authentication process. Your users simply have to use their NIS login/password to log in to XOOPS once this module has been enabled. If the user connects for the first time, a XOOPS user account will be automatically created based on the information found via NIS: username, full name (gecos info), etc. The only missing part right now is the mail address. If the mail address can be derived from either the username or the gecos, it is trivial to implement.

With the NIS and LDAP module you can even allow pure XOOPS users and NIS/LDAP users to log in to your XOOPS site.

Best regards,

Benoit





14
mercibe
Re: Login users using NIS server
  • 2004/8/13 11:17

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Done and ... tested (On a Debian box with XOOPS 2.0.6) ! Thanks to you I learned NIS and was successful in installing a master server, a slave and a client. It seems to me a very insecure way to authenticate users, but I am a difficult man to satisfy

You can download a first beta version of a NIS authentication module: http://sourceforge.net/tracker/download.php?group_id=41586&atid=430842&file_id=97570&aid=945237

Steps to start using it:
- apply the Pluggable Authentication Hack (https://xoops.org/modules/newbb/viewtopic.php?forum=14&topic_id=19401)
- test it with default XOOPS module
- download nis.php (http://sourceforge.net/tracker/download.php?group_id=41586&atid=430842&file_id=97570&aid=945237) and copy under /include/authenticationservices
- adapt the parameters in nis.php (nis domain name, the salt and the way to get mail address for your users - optional)
- modify mainfile.php to use nis instead of XOOPS module for authenticating users.
- test...

No time to polish now but it WORKS. I commented some debug code. Feel free to uncomment in case of trouble

Regards,

Benoit





15
mercibe
Re: Login users using NIS server
  • 2004/8/13 5:19

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi,

If you successfully implement the NIS authentication through a new "nis" module for the Authentication Service, you can let your users use the same login/password that they used to use with NIS enabled applications.

Unfortunately I do not have a NIS infrastructure available either at home or at work. The best I could try to do is to provide you with a version developed in a "blind" way without any possibility to test it and without any experience with NIS...

Does anybody out there have experience with NIS authentication and some PHP experience ?

If I can find some time today (GMT+1), I will try to provide you with something but it is a difficult exercise

Best regards,

Benoit



16
mercibe
Re: strong authentication
  • 2004/8/11 8:21

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi,

Did you succeed in making XOOPS authenticate users via X509 certificates or did you change your mind ?

Since I am preparing a new pluggable way to authenticate XOOPS users I am interested by any experience in that field.

Thank you in advance.

Best regards,

Benoit



17
mercibe
Re: Login users using NIS server
  • 2004/8/11 8:16

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Hi,

I have never worked with NIS, but in theory you should be able to develop a new Authentication module for NIS. The Authentication Service is a hack that will be included very soon in the XOOPS kernel (https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=19401&forum=14).

I have already achieved more or less the same "single sign on" and strong password policy with CAS (Yale University).

The question for which I do not have an answer today is how to check the session or login/password of a NIS user. I found something interesting in the Mantis source code.


<?php
    # Mantis - a php based bugtracking system
    # Copyright (C) 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
    # Copyright (C) 2002 - 2004  Mantis Team   - mantisbt-dev@lists.sourceforge.net
    # This program is distributed under the terms and conditions of the GPL
    # See the README and LICENSE files for details

    # --------------------------------------------------------
    # $Id: nis_api.php,v 1.2 2004/07/05 16:50:30 ghenshaw Exp $
    # --------------------------------------------------------

    ###########################################################################
    # NIS API
    ###########################################################################

    # --------------------
    # Attempt to authenticate the user against the NIS directory
    #  return true on successful authentication, false otherwise
    # this really belongs in a separate module, but this is convenient
    function nis_authenticate( $p_user_id, $p_password ) {
        $t_authenticated = false;
        $t_username      = user_get_field( $p_user_id, 'username' );
        $t_domain_list   = config_get( 'nis_domains', yp_get_default_domain() );
        $t_domain_arr    = split( ',', $t_domain_list );
        foreach ( $t_domain_arr as $t_domain ) {
            $t_entry = @yp_match( $t_domain, "passwd.byname", $t_username );
            // echo "<p>" . $t_username."/" . $p_password . " matched entry is: " . $t_entry;
            if ( $t_entry ) {
                list( $user, $t_pass, $uid, $gid, $gecos, $home, $shell ) = explode( ":", $t_entry );
                // echo " <p>salt = ".substr($t_pass, 0, 2);
                if ( $t_pass == crypt( $p_password, substr( $t_pass, 0, 2 ) ) ) {
                    // echo "<p>password matched";
                    $t_authenticated = true;
                } else {
                    // echo "<p>password failed";
                }
            } else {
                // echo "<p>match failed";
            }
        }

        return $t_authenticated;
    }
?>


I suggest you clone the ldap authentication module (/include/authenticationservice/ldap.php) and simply replace/adapt the authentication code with this one. It should be rather easy to make it run. To get these functions (yp_*) to work, you have to configure PHP with --enable-yp

I hope this will help.

Please give us some feedback: a new working NIS module for XOOPS would be nice to have !

Best regards,

Benoit
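
Added example, not part of the original post and not XOOPS or Mantis code: a stand-alone check of one passwd.byname entry that passes the whole stored hash to crypt(), compares with hash_equals(), rejects shadowed or locked entries, and flags traditional DES hashes, where only the first 8 password characters count. The helper name verify_nis_entry() and the sample entries are assumptions made for illustration; the entry string stands in for what yp_match() returns.

```php
<?php
// Added example: verify_nis_entry() is a hypothetical helper, not XOOPS or Mantis code.
// It checks a password against one colon-separated passwd.byname entry.
function verify_nis_entry(string $entry, string $password): array
{
    $fields = explode(':', $entry);
    if (count($fields) !== 7) {
        return ['ok' => false, 'reason' => 'malformed entry', 'weak_des' => false];
    }
    $hash = $fields[1];
    // Empty, "x", "*..." or "!...": no usable hash in the map (shadowed or locked).
    if ($hash === '' || $hash === 'x' || $hash[0] === '*' || $hash[0] === '!') {
        return ['ok' => false, 'reason' => 'no usable hash', 'weak_des' => false];
    }
    // A hash without a "$id$" prefix is traditional DES crypt: 2-character
    // salt, and only the first 8 password characters are significant.
    $weakDes = ($hash[0] !== '$');
    // Passing the whole stored hash as the salt lets crypt() select the scheme
    // itself instead of assuming substr($hash, 0, 2).
    $computed = crypt($password, $hash);
    // crypt() reports failure with a short "*0"/"*1" string; never treat it as a match.
    if (strlen($computed) < 13) {
        return ['ok' => false, 'reason' => 'crypt failure', 'weak_des' => $weakDes];
    }
    // hash_equals() compares in constant time and without type juggling.
    $ok = hash_equals($hash, $computed);
    return ['ok' => $ok, 'reason' => $ok ? 'match' : 'mismatch', 'weak_des' => $weakDes];
}

// Constructed sample entries; the hash is generated here, not taken from a real map.
$alice = 'alice:' . crypt('longpassword', 'ab') . ':1001:100:Alice Example:/home/alice:/bin/sh';
$bob   = 'bob:x:1002:100:Bob Example:/home/bob:/bin/sh';

print_r(verify_nis_entry($alice, 'longpassword'));  // the real password
print_r(verify_nis_entry($alice, 'longpassXXXX'));  // shares only the first 8 characters
print_r(verify_nis_entry($alice, 'wrongpass'));     // different password
print_r(verify_nis_entry($bob, 'anything'));        // shadowed entry, nothing to compare
```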




18
mercibe
Re: integrated FCKEditor with next XOOPS
  • 2004/8/5 8:28

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Nice to know. I may sound stupid but where can I find this "version" ? Is it a kernel modification, a new set of modules, etc. ???

Benoit



19
mercibe
Re: integrated FCKEditor with next XOOPS
  • 2004/8/4 20:34

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


Good news !

Where can I find more information on the way this goal will be achieved and how to contribute by developing new "integrations" of WYSIWYG editor in the coming weeks?

Thank you !

Benoit



20
mercibe
Re: LDAP authentication
  • 2004/8/3 5:49

  • mercibe

  • Just popping in

  • Posts: 55

  • Since: 2003/6/12


This hack allows you to authenticate your XOOPS users from an external LDAP repository. By default XOOPS authenticates users with passwords stored in the XOOPS MySQL database. By externalising the authentication process as explained in this hack and in a much better way in https://xoops.org/modules/newbb/viewtopic.php?viewmode=flat&topic_id=19401&forum=14
you could easily integrate XOOPS in an existing "authentication" infrastructure. Most companies are using an LDAP directory server (Active Directory, eDirectory, etc.) or another kind of centralised authentication server to authenticate their users centrally in a product "independent" way.

Hope this short explanation will help you to get the global picture...

Benoit



