[Tickets #10980] Re: Create the possibility of two alternative authentication modules

bugs at horde.org bugs at horde.org
Mon Feb 13 10:26:19 UTC 2012


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/10980
------------------------------------------------------------------------------
  Ticket             | 10980
  Updated By         | c.denis at mrduck.fr
  Summary            | Create the possibility of two alternative
                     | authentication modules
  Queue              | Horde Framework Packages
  Version            | Git master
  Type               | Enhancement
  State              | Feedback
  Priority           | 1. Low
  Milestone          |
  Patch              | 1
  Owners             |
------------------------------------------------------------------------------


c.denis at mrduck.fr (2012-02-13 10:26) wrote:

The idea to allow an arbitrary number of authentication modules (in an
array for example) appeals to me:
$conf['auth']['driver'] = 'multiple_auth';
$conf['auth']['params']['subriver'] = array('module1', 'module2', 'module3', ... )
But I see a problem in nicely defining the parameters for the subsequent
modules, which would need to look something like the following
incredibly long and complex line (nothing like the usual config style):
$conf['auth']['params']['subriver-conf'] = array('module1' => array('table' => 'horde_users', 'username_field' => 'user',... ), 'module2' => array(), 'module3' => array());
Something like this can be realised by using this module multiple
times and adding one authentication module per layer.

> But this would be a very simple looping idea: the  
> 'single_validation' config could not be a part of this.
I do not need this single_validation and added it in the hope of making
it more general :) If there were to be a driver to choose from multiple
authentication modules, one might as well want to validate the login
in the local password cache, but get it confirmed by a befriended
organisation. (An external co-worker who quits the organisation which
dispatched him to my organisation would see his account revoked or
blocked.)

The one-time-password module I am working on will only be published
here soon. Though it would be possible to force users to always use a
single-use password, I picture the use case where I have the
permanent password saved in my browser on a trusted machine at home
and only use the OTP scheme when I am at an airport terminal. Using
such an 'alternative' module would allow using either authentication
module without modifying the flow of the login mechanism.

> (not to mention that this driver is lacking all details on how the  
> admin auth methods would work)
This is because there already is a module providing this  
functionality: composite
My previous configuration example illustrates how these two modules  
would be combined to provide for admin methods and additionally allow  
multiple authentication modules.

I concede this could as well be implemented as an extension of the
existing composite module. Would that seem more useful to you?




