Hello Koha developers,

The Biblibre guys had a meeting today about the LDAP authentication in Koha, because we're unable to use it against an Active Directory server.

So we read the code and the wiki, focusing on the "Bind-as-Auth vs. $ldap->compare()" part. As a former LDAP administrator, I'm a bit surprised about it, because I think that on many servers the default ACL makes the password readable only by the administrator and by the object itself. It makes sense if you think that another configuration can be compared to storing encrypted passwords in /etc/passwd, making them world-readable (remember John? ;-)). Another security issue with the compare method is that it doesn't respect the auth ACL written by the local administrator. As site admin, I would be disappointed to see an account I've disabled using Koha anyway.

Leaving the security issues aside, there is a large range of encryption schemes, and the DSE information about them is mandatory; we have to be careful about schemes like {method}cypher forms, and so on. Imagine how hard it could be to write reliable code. I can be wrong, but I think that it's just impossible for AD, as the encryption scheme isn't documented.

The wiki seems to tell that I'm not the first to come asking to change the auth method. As the module author must have his reasons to use one method, you can see that we have reasons to use the other. So it seems it would be useful to add a way to choose between those methods (for instance via XPath //ldap/authmethod), keeping the current one as default.

Regards,
Biblibre guys
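The scheme-handling burden the post describes is what a compare-style path runs into if it reads `userPassword` itself. The following is an added example, not Koha code and not from the poster: it verifies RFC 2307 `{scheme}` values client-side using the `base64(digest || salt)` layout OpenLDAP's `slappasswd` produces, and shows where that approach stops. The directory entries, the DNs and the `compare_style_auth` helper are constructed for illustration; `{CRYPT}` is deliberately left unimplemented, and the Active Directory entry has no readable password attribute at all (AD keeps it in `unicodePwd`, which is not returned on search), so both fall back to "bind-required".

```python
"""Client-side verification of RFC 2307 {scheme}hash userPassword values.

Added example, not Koha code. It shows what a compare-style authentication
path has to handle if it reads userPassword itself: several hash schemes,
salted variants whose salt is appended to the digest, and directories
(Active Directory) that expose no comparable value at all.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scheme name -> (hashlib algorithm, salted?). Layout assumed: base64(digest || salt),
# the convention OpenLDAP uses for {SSHA}/{SMD5}.
SCHEMES = {
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA256": ("sha256", False),
    "SSHA256": ("sha256", True),
}


class UnsupportedScheme(Exception):
    """Raised when the stored value uses a scheme this verifier does not know."""


def parse_userpassword(stored: str) -> Tuple[str, str]:
    """Split '{SCHEME}payload' into (scheme, payload); a bare value is cleartext."""
    if stored.startswith("{"):
        close = stored.find("}")
        if close > 0:
            return stored[1:close].upper(), stored[close + 1:]
    return "CLEARTEXT", stored


def hash_userpassword(password: str, scheme: str = "SSHA",
                      salt: Optional[bytes] = None) -> str:
    """Build a userPassword value as slappasswd does: {SCHEME}base64(digest || salt)."""
    algo, salted = SCHEMES[scheme]
    if salted:
        salt = os.urandom(4) if salt is None else salt
    else:
        salt = b""
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def verify_userpassword(password: str, stored: str) -> bool:
    """Check password against a userPassword value; raise UnsupportedScheme for unknown schemes."""
    scheme, payload = parse_userpassword(stored)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(password.encode("utf-8"), payload.encode("utf-8"))
    if scheme not in SCHEMES:
        raise UnsupportedScheme(scheme)
    algo, salted = SCHEMES[scheme]
    blob = base64.b64decode(payload)
    size = hashlib.new(algo).digest_size
    digest = blob[:size]
    salt = blob[size:] if salted else b""
    candidate = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# Constructed directory entries for the demonstration (not real data).
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "userPassword": hash_userpassword("correct horse", "SSHA", salt=b"\x01\x02\x03\x04"),
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        # A scheme this verifier does not implement (constructed value).
        "userPassword": "{CRYPT}x8q3mJ1kLpQ2e",
    },
    "cn=carol,cn=Users,dc=corp,dc=example": {
        # Active Directory: the password lives in unicodePwd, which is never
        # returned on search, so there is nothing to compare against.
        "userAccountControl": "512",
    },
}


def compare_style_auth(dn: str, password: str) -> str:
    """Outcome of a client-side compare for one entry: 'ok', 'bad', or 'bind-required'."""
    stored = ENTRIES[dn].get("userPassword")
    if stored is None:
        return "bind-required"
    try:
        return "ok" if verify_userpassword(password, stored) else "bad"
    except UnsupportedScheme:
        return "bind-required"


if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn, "->", compare_style_auth(dn, "correct horse"))
```

Note what the client-side path cannot do even when the scheme is known: it never consults the server's own account-state checks (disabled flags, password policy, bind ACLs), which a bind with the user's credentials applies for free.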