
Re: ppolicy by group



On Thursday 26 June 2008 12:32:04 Michael Ströder wrote:
> Buchan Milne wrote:
> > The biggest problem here is that not all software makes provision
> > for "authentication" to respond with anything besides "yes" or "no".
>
> Yupp.
>
> > I was trying to see if it would be feasible to add ppolicy support to
> > mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code
> > should the authentication return (ideally one that would result in the
> > user being sent to a page suitable for that code - e.g. to change their
> > password) to apache? In the squid case, it looks initially like squid
> > needs a patch to support any password expiry at all
> > (http://sarg.sourceforge.net/ncsaplus.php).
>
> Bear in mind that in a single password environment proxy authentication
> (like with Squid) is somewhat a security risk anyway since the password
> is transferred in clear over the wire to the proxy for each HTTP hit
> going through the proxy.

Unfortunately, however, it does not seem that there is any secure proxy 
authentication scheme for an entirely Unix environment (Mozilla on Unix as 
the client, Squid on Unix as the proxy server), even with Kerberos 
infrastructure in place.

> > I have also started discussions with some web application frameworks
> > (e.g. Catalyst).
>
> I'd rather recommend to use a decent WebSSO system and integrate web
> servers/applications with that central authentication component because
> when using centralized passwords you don't want to transmit the password
> to every integrated system. Rather, in an SSO system, systems see only
> short-time tickets. I'm successfully using CAS for that in one customer
> project. It works pretty well and the developers are very responsive.

Indeed, but if you have existing applications on an existing framework that 
has LDAP support (we use SSL end-to-end), then it should have support for 
expiring passwords. Migrating to an SSO system would be an option, but I have 
many more features which have higher priority ... In this specific case, 
there are also advantages to the application having access to the clear-text 
password (as it can then be used with the logged-in users credentials to 
perform operations on other devices which authenticate against the same 
system, but have no SSO support).

> > Maybe it would be worthwhile making a list of which applications could
> > really do with password expiry support, and filing bugs on them for the
> > missing pieces?
>
> Not worth the effort for web access. Rather integrate with a WebSSO
> solution and handle the password policy stuff in a central place.

Yes and no. Either people should stop shipping web server authentication 
modules for LDAP, or they should have password policy support. Not having 
password policy support because you should use a different system is 
irrelevant IMHO.

Regards,
Buchan
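Added example (not part of the thread, and not code from OpenLDAP, Apache or Squid): the "yes or no" problem above comes from authentication modules that look only at the LDAP bind result code. A server running the ppolicy overlay can say more, via the Password Policy response control (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1), but only if the client sent the matching request control with the bind and then decodes the response. The block below decodes that control's BER value and maps result code plus control into an application decision. The sample control values are constructed by hand from the draft's ASN.1; the decision names are this example's own and would be the point where mod_auth_ldap or a framework picks an HTTP response or a redirect to a change-password page, which the thread leaves open.

```python
"""Decode the LDAP Password Policy response control and turn a bind result
into something richer than yes/no.

Stand-alone added example, standard library only. The OID, result codes
and ASN.1 tags are from RFC 4511 and draft-behera-ldap-password-policy;
the sample control values below are constructed for illustration and the
decision strings are this example's own naming, not any module's API."""

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# LDAP bind result codes (RFC 4511)
SUCCESS = 0
INVALID_CREDENTIALS = 49

# PasswordPolicyResponseValue.error ENUMERATED values (draft-behera)
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED OPTIONAL }
    Returns a dict with the fields that were present."""
    out = {}
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed; one implicitly tagged INTEGER inside
            wtag, wval, _ = _read_tlv(inner, 0)
            n = int.from_bytes(wval, "big")
            if wtag == 0x80:
                out["time_before_expiration"] = n   # seconds until the password expires
            elif wtag == 0x81:
                out["grace_authns_remaining"] = n   # password already expired
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:  # error [1], primitive ENUMERATED
            code = int.from_bytes(inner, "big")
            out["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unknown tag 0x%02x" % tag)
    return out


def bind_decision(result_code, response_controls):
    """Combine the bind result code with the ppolicy response control (if the
    server returned one) into an application-level decision. response_controls
    is a list of (oid, raw_value) pairs as they arrive in the BindResponse."""
    info = {}
    for oid, raw in response_controls:
        if oid == PPOLICY_OID:
            info = decode_ppolicy_response(raw)
    if result_code == SUCCESS:
        if info.get("error") == "changeAfterReset":
            return "allow_must_change_password"   # only a password change should be permitted
        if "grace_authns_remaining" in info:
            return "allow_grace_login"            # expired, but grace logins remain
        if "time_before_expiration" in info:
            return "allow_expiring_soon"          # warn the user, e.g. link to change page
        return "allow"
    if result_code == INVALID_CREDENTIALS:
        err = info.get("error")
        if err == "passwordExpired":
            return "deny_password_expired"        # distinct from a wrong password
        if err == "accountLocked":
            return "deny_account_locked"
    return "deny"


# Constructed sample control values (hex), hand-encoded from the ASN.1 above.
SAMPLES = {
    "expires in 86400 s": "3007a0058003015180",
    "2 grace logins left": "3005a003810102",
    "change after reset":  "3003810102",
    "password expired":    "3003810100",
    "account locked":      "3003810101",
}

if __name__ == "__main__":
    for label, hexval in SAMPLES.items():
        raw = bytes.fromhex(hexval)
        code = INVALID_CREDENTIALS if label in ("password expired", "account locked") else SUCCESS
        print(label, decode_ppolicy_response(raw), "->", bind_decision(code, [(PPOLICY_OID, raw)]))
```

Two practical caveats: the server only returns this control when the client included the Password Policy request control (same OID, empty value, criticality false) in the bind, so a module that binds without it will keep seeing plain yes/no; and because the draft's lifetime semantics are on the server, the module still needs a place to send the user (a change-password page reachable with an expired or must-change password), which is exactly the gap the thread describes for Apache and Squid. With python-ldap, ldap.controls.ppolicy offers the request/response classes so the BER handling above is not needed in a real deployment.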