"S. Cance" <stephane.cance_at_enst-bretagne.fr> writes:

> I'm working on a network where every service uses LDAP to
> authenticate users. That's why I am working on an LDAP-based clog
> utility.
>
> I'm trying to do things right, so that it can be used by others. I
> don't know if this is of any kind of interest to the Coda users.
> Using LDAP is pretty easy since we just have to bind to the LDAP
> server using a given username & password to check if we are
> authorised.

That may not be enough for coda; that only addresses part of what tokens do.

> Still, the source code is quite complicated and I could use a hand
> on some of my questions:
> - are ACL checker(s) only based on tokens, or do they make
> references to the user database?
> What I mean here is: do I have to create a new user in pdbtool for
> each of the users in the LDAP database?
> If I do, is it possible to check if a user exists in the server
> database without using any password?

I'm not sure. I think it's mostly about tokens.

> - I see in U_BindToServer (line 325 of
> coda/coda-src/auth2/auser.c) a loop on each of the auth
> servers. While using LDAP there is only one LDAP server, do the
> tokens have to be registered to each server or is it that the
> tokens are stored on the client and sent to the servers at each
> request if needed?

Tokens are sent by clients; it's like kerberos.

> - I am not sure where the token is generated, I don't really get
> the whole token system in fact, if it is generated by the client
> wouldn't that be a security issue? So if it is generated by the server,
> LDAP auth doesn't seem that easy :(

I suggest looking at the Kerberos 5 code. Clients use kerberos to authenticate to the auth server and receive a token which is then used the same way.

> do you think it is useful to create a whole new way to authenticate
> users, or should I create a tool to synchronize the coda user database
> with the ldap?
If you are using LDAP for everything, then it's probably best to have coda use it. The problem is that LDAP isn't really an authentication service, but a directory service, and sending user/password around for servers to verify is a bit scary. But that's separate from how coda should be integrated. I think the real difficulty will be that the token creation/distribution process is really authenticated key exchange, where a user ends up with a crypto token that only he has, and the server is sure that it's the right user. If LDAP is only giving you the ability to check a username/pw, then I don't see any mechanisms for confidentiality protection for the keys in the tokens.

Received on 2007-03-07 14:11:19
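The distinction drawn in the reply (an LDAP bind answers yes/no about a password, whereas a Coda-style token is the output of an authenticated key exchange) in a small Kerberos-like model. This is an added illustration, not Coda's or any project's code: the shared server key, the one-user directory standing in for LDAP, and all function names are constructed for the example.

```python
import hmac, hashlib, json, secrets, time, base64

# Constructed fixtures: a key shared by the auth server and the file servers
# (assumed distributed out of band), and a one-user "directory" in place of LDAP.
SERVER_KEY = secrets.token_bytes(32)
USER_DB = {"alice": "correct horse"}
TAG_LEN = 32  # length of an HMAC-SHA256 tag


def ldap_bind_ok(user, password):
    """Stand-in for binding to LDAP with user/password: yes or no, nothing more."""
    return USER_DB.get(user) == password


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_token(user, password, now=None, lifetime=3600):
    """Auth server: check the password once, then mint a token plus a session key.
    The session key is derived from the token body under SERVER_KEY, so it is never
    carried in the token and only holders of SERVER_KEY can reconstruct it."""
    if not ldap_bind_ok(user, password):
        return None
    fields = {"user": user, "exp": int(now or time.time()) + lifetime,
              "nonce": base64.b64encode(secrets.token_bytes(16)).decode()}
    body = json.dumps(fields, sort_keys=True).encode()
    token = body + _mac(SERVER_KEY, b"token|" + body)      # client cannot forge this
    session_key = _mac(SERVER_KEY, b"session|" + body)
    # The session key still has to reach the client confidentially (Kerberos wraps it
    # under a password-derived key); that is exactly what a bare LDAP bind lacks.
    return token, session_key


def client_request(session_key, token, operation):
    """Client: present the token and prove possession of the session key."""
    return {"token": token, "op": operation, "tag": _mac(session_key, operation.encode())}


def server_verify(request, now=None):
    """File server: validate the token, rederive the session key, check the request."""
    token = request["token"]
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(SERVER_KEY, b"token|" + body)):
        return None                                         # forged or altered token
    fields = json.loads(body)
    if fields["exp"] < int(now or time.time()):
        return None                                         # expired token
    session_key = _mac(SERVER_KEY, b"session|" + body)
    if not hmac.compare_digest(request["tag"], _mac(session_key, request["op"].encode())):
        return None                                         # token replayed without the key
    return fields["user"]
```

Note that the file servers never see the password: they only need SERVER_KEY, and a captured token alone does not let anyone issue requests, because the request tag requires the session key.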