On Fri, 2013-12-27 at 19:08 -0600, Nick Daly wrote:
> Bdale Garbee <[email protected]> writes:
>
> > Jonas Smedegaard <[email protected]> writes:
> >
> >> Ok. Makes good sense to mandate use of shared auth mechanism. Not
> >> convinced LDAP is the ideal for that, though.
> >
> > ...Clearly not critical path, but this is another possible task for
> > someone out there reading who would like a modest project that could
> > help us out in the long term.
> >
> > What I think we can effectively use LDAP for is to manage the information
> > associated with identities. Users, what access rights they should have,
> > etc, in an application-neutral way that we can potentially wrap some
> > plinth UI goodness around eventually.
>
> It should also be possible to use these sorts of ACLs to create
> application-specific data-stores (among other things, to keep
> applications from snooping on one another's data). Keeping data
> separated is a related, but different, issue from the problem of
> separating processes ("the LXC/VM issue").
>
> So, does anybody know any good LDAP-enabled services we can use? I
> tried to move a wiki service into Plinth (ikiwiki, via [0]), but
> immediately ran into the problem that ikiwiki knows nothing about
> authentication mechanisms other than its own. I'm checking on the
> ikiwiki IRC channel and their forums, but very few wiki services (other
> than MediaWiki, which feels like overkill) are aware of LDAP.
>
> Time to do a lot of LDAP (or Kerberos, or...) learning.

Do yourself a favor: nix their auth system and use Apache modules.
MediaWiki has a module to understand REMOTE_USER, so should other
services like that.

Once you find one that understands REMOTE_USER you can defer
authentication completely to Apache and not have to
learn/implement/tweak each single service in a different way.

Simo.
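
The REMOTE_USER approach from the reply above, seen from the application side, as an added example that is not part of the original thread. It assumes a Python WSGI service deployed behind Apache so that Apache's auth modules set REMOTE_USER; the names require_remote_user, wiki_app and simulate are hypothetical, and the requests are constructed.

```python
from wsgiref.util import setup_testing_defaults


def require_remote_user(app):
    """WSGI middleware: accept only the identity set by the front-end web server."""
    def wrapper(environ, start_response):
        # REMOTE_USER is a CGI/WSGI variable the server fills in after its own
        # auth modules succeed. Client request headers arrive as HTTP_* keys
        # (e.g. HTTP_REMOTE_USER) and are never treated as the identity here.
        user = environ.get("REMOTE_USER", "").strip()
        if not user:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication is handled by the web server\n"]
        environ["app.user"] = user  # hypothetical key read by the wrapped app
        return app(environ, start_response)
    return wrapper


def wiki_app(environ, start_response):
    """Stand-in for a service with no login code of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % environ["app.user"]).encode("utf-8")]


application = require_remote_user(wiki_app)


def simulate(extra_environ):
    """Run one constructed request through the app; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)  # minimal valid WSGI environ, no REMOTE_USER
    environ.update(extra_environ)
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(application(environ, start_response))
    return seen["status"], body


if __name__ == "__main__":
    print(simulate({"REMOTE_USER": "alice"}))       # identity set by the server
    print(simulate({"HTTP_REMOTE_USER": "admin"}))  # client-sent header only
```

The service holds no password store or LDAP code; it must be reachable only through the authenticating server, since anything that can reach it directly bypasses that check.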
