[Freedombox-discuss] LDAP

Simo s at ssimo.org
Sat Dec 28 14:06:26 UTC 2013

On Fri, 2013-12-27 at 20:39 -0600, Nick Daly wrote:
> Simo <s at ssimo.org> writes:
> > On Fri, 2013-12-27 at 19:08 -0600, Nick Daly wrote:
> >> Time to do a lot of LDAP (or Kerberos, or...) learning.
> >
> > Do yourself a favor, nix their auth system and use apache modules,
> > mediawiki has a module to understand REMOTE_USER, so should other
> > services like that. Once you find one that understand REMOTE_USER you
> > can defer authentication compeltely to apache and not have to
> > learn/implement/tweak each single service in a different way.
> Could you clarify or point to an example of where this is used well?

I am not sure what you mean, but you can bet all cases where a x509 cert
is used for example, the auth is done in apache by mod_ssl or mod_nss
and the application trusts the REMOTE_USER environment variable.

> There're lots of results, but there's also a lot of chaff in those
> results.

Anything you want to know better ?

> Seems like ikiwiki's httpauth [0] respects REMOTE_USER, which seems
> ideal for the wiki service.  Now as long as everything else does the
> same...

Yeah, this I remembered which is why I suggested you to use REMOTE_USER,
it's at the same time a very low common denominator but also very
flexbile because all you need to change is the apache configuration and
not each single application, too bad modern time "web developers" forgot
about it and went full steam exclusively with form based authentication,
which shouldn't be nixed to be clear.

At the momoent I am actually working on an Identity provider project
that will be able to delegate to the Ido the actual authentication and
then using an apache module (unless you want to talk SAML directly)
perform actual auth for applications and fill in REMOTE_USER and
potentially other variables.

Once it has some better UI I will send you a link to it.


More information about the Freedombox-discuss mailing list