[dev] gollem authentification via Horde

Jon Parise jon@csh.rit.edu
Wed, 4 Jul 2001 15:19:20 -0400


On Wed, Jul 04, 2001 at 11:59:11AM -0700, Edwin Culp wrote:

> I tend to agree with René and Atif.  The flies in the ointment, IMO, are the
> incompatible authentication methods used by the different pop3, imap and
> ftp servers.  The only common denominator, or at least the easiest, is
> /etc/passwd.  Probably many/most of us are trying to evolve to another more 
> flexible method that works better with virtual domains and users. 
> Maybe that is where the real opportunity is.

Alright, I'm going to go ahead and clear all of this up.  I think
most of you guys have sort of run astray of the real issues here.

The idea behind a unified Horde login / authentication system
isn't really all that new.  Most of the pieces are currently
there (namely, the Auth hierarchy and the Registry).

The problem is holding onto the login credentials once the user
has been successfully authenticated via a Horde-level
authentication driver.  For example, suppose the user logs into
Horde via the LDAP driver.  We store a successful login "cookie"
(for lack of a better word) in the session so that all of the
other Horde applications know that the user has been
authenticated.  We also hang onto the username.

This allows applications like Kronolith, Turba, and Nag to farm
out the authentication code to Horde.  If Horde says the current
user has been authenticated, those applications take Horde's word
for it.

The problem arises when we look at applications like IMP or
Gollem.  Those applications require the web user to authenticate
themselves to a particular service (IMAP, FTP), which is why,
today, we perform an additional login procedure (i.e. another
login screen).

Theoretically, we could do away with those secondary login
screens and just use the Horde authentication system universally
if we stored the user's password in our authentication "cookie".
That way, the web user wouldn't be prompted to enter their
password again because the application could retrieve it from
their Horde session.

Storing passwords is a complicated ordeal.  We can't use a
one-way crypt because we need to, at some point, retrieve the
original password text intact.

The easiest thing to do would be to just store the password
plaintext in the session, but that's obviously the most insecure
method.  Another idea is to encrypt all of the passwords with a
Horde-wide key, but should that key fall into enemy hands, all of
the passwords are compromised.  

I believe Chuck proposed a pass phrase system, in which the user
enters their password for the authentication system and then
provides a pass phrase by which their credentials are encrypted.
The problem here is that the user would have to re-enter their
pass phrase in order to unlock their credentials whenever the
system requires them, and it also requires them to remember an
additional password string.

The other end of this solution involves storing the pass phrase
somewhere else, keeping the two keys separate, lest they combine
to summon Gozar the Gozarian.

So those are the main points.  I suggest re-centering your
discussion based upon the above information.  Talk of unifying
your site's backend authentication system around an LDAP server,
while nice, is totally irrelevant from a Horde standpoint.

-- 
Jon Parise (jon@csh.rit.edu)  .  Rochester Inst. of Technology
http://www.csh.rit.edu/~jon/  :  Computer Science House Member
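The pass-phrase scheme sketched above, written out as an added example (this is not Horde code and not anything Jon or Chuck posted; every function name and the constructed sample values are assumptions). The service password is stored in the session only as a libsodium secretbox sealed under a key derived from the user's pass phrase; the pass phrase itself is never stored server-side, so the record can only be unlocked when the user supplies it again, which is exactly the re-entry cost the message points out:

```php
<?php
// Added example, not part of Horde: keep a backend (IMAP/FTP) password in the
// session only in encrypted form, under a key derived from a pass phrase that
// is never stored server-side. Function names are assumptions for this sketch.

declare(strict_types=1);

// Derive a secretbox key from the pass phrase and a per-record random salt.
function credential_key(string $passphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES,
        $passphrase,
        $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Seal the service password. Only salt, nonce and ciphertext go into the
// session; the derived key and this copy of the plaintext are wiped afterwards.
function seal_credential(string $password, string $passphrase): array
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = credential_key($passphrase, $salt);
    $box   = sodium_crypto_secretbox($password, $nonce, $key);
    sodium_memzero($key);
    sodium_memzero($password);
    return [
        'salt'  => base64_encode($salt),
        'nonce' => base64_encode($nonce),
        'box'   => base64_encode($box),
    ];
}

// Unlock on demand, e.g. when the IMAP-backed application needs to log in.
// Returns null when the pass phrase is wrong or the record has been altered:
// secretbox is authenticated, so a bad key or a modified box fails to open.
function open_credential(array $record, string $passphrase): ?string
{
    $salt  = base64_decode($record['salt'], true);
    $nonce = base64_decode($record['nonce'], true);
    $box   = base64_decode($record['box'], true);
    if ($salt === false || $nonce === false || $box === false) {
        return null;
    }
    $key   = credential_key($passphrase, $salt);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

// Usage with constructed values; a plain array stands in for $_SESSION so the
// script runs from the command line without a session handler.
$session = [
    'horde_auth' => [
        'user'       => 'jdoe',            // constructed sample user
        'credential' => seal_credential('imap-secret', 'correct horse'),
    ],
];

// Later, in the application that talks to the mail server: the user has just
// been asked for the pass phrase again, and it is used only for this call.
$imapPassword = open_credential($session['horde_auth']['credential'], 'correct horse');
echo $imapPassword === 'imap-secret' ? "credential unlocked\n" : "unlock failed\n";

$wrong = open_credential($session['horde_auth']['credential'], 'not the phrase');
echo $wrong === null ? "wrong pass phrase rejected\n" : "unexpected unlock\n";
```

The design point is that the session record alone is useless: there is no site-wide key to leak, and the salt forces a fresh key derivation per record. What the scheme does not remove is the usability cost from the message above, since each unlock needs the pass phrase from the user; caching it in the session would collapse the scheme back into the plaintext case.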


Re: [dev] gollem authentification via Horde

Edwin Culp eculp@EnContacto.Net
Wed, 4 Jul 2001 13:03:03 -0700

I've stayed away from pam in general but I think I'm going to give it a try.
It will probably solve some/many/all of my pending integration issues. :-)  I
always tend to not add more variables to the equation but, what the heck.  It
still isn't operable. :-)

Thanks,

ed

Quoting Atif Ghaffar <aghaffar@developer.ch>:

| Edwin Culp wrote:
| > 
| > Atif, would you mind sending your horde configuration just for the
| > /$conf['auth']['params'] = array();
| > for ldap.  I have a problem here.
| 
| Edwin, sorry, I think I got you confused.
| The information about the users is in the ldap.
| 
| For horde, conf['auth']['param'] is empty.
| in registry, I have 
| $this->registry['auth']['login'] = 'imp';
| $this->registry['auth']['logout'] = 'imp';
| 
| imp authenticates via the imap server, which authenticates via pam_ldap to
| the ldap server.
| 
| If you need help for this kind of setup, let me know.
| 
| cheers
| 
| -- 
| Atif Ghaffar
| Internet Development Manager
| 4unet AG/SA/Ltd.
| ---------------------------.
|           +41 21 351 53 60 ¦ voice
|           +41 79 659 89 72 ¦ mobile
|           +41 21 254 53 62 ¦ fax
|       http://www.4unet.net ¦ www
| http://www.atifghaffar.com ¦ homepage
|     atif.ghaffar@4unet.net ¦ email
| 

