What form of auth?
I'm developing a website at the moment and am thinking about the best way for future users to populate the system with their own users. As it stands, I have the following options:
1. Use the old-fashioned method of importing CSV or XML files, combined with manual additions.
2. Have a mini application which periodically uploads data to the site, which is installed on a machine in the user's network.
3. Implement Shibboleth, with an embedded discovery service
4. Use Radius, with Pear::Auth_RADIUS - meaning users can install a radius server on their network, and hook it up to whatever auth system they have in place, and expose that to my site for auth.
5. Use OpenZIS and SIF to import data from networks.
Now, each one has pros/cons, some are easier to implement than others and I suppose I could give users the option between different methods.
I am also thinking that I may want to combine 2 methods - such as using Shibboleth for auth SSO and SIF or a custom app for population of extra data (pupil year, class membership etc...).
However, what do people here think?
RADIUS would be better so users could use their own ADUC/LDAP, but that's just me.
I've been having a look at RADIUS and, whilst it can handle the whole authentication aspect (i.e. is the user logging in valid, etc.), it can't handle anything more than that, in terms of group membership, without trying to shoe-horn it into doing something it shouldn't. Also, RADIUS uses MD5 hashing as its method of securing data, which is inherently insecure.
1. To handle auth itself
2. To handle extra data, such as groups.
The problem I can see is that, as it stands, there would be no link between users in method 1 and method 2.
How can I achieve this sensibly? A custom app? Getting the users to update the AD with an ID which links the MIS data to the AD itself? Kinda drawing a blank here!
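For readers weighing the "RADIUS uses MD5" point above, here is what that MD5 use actually looks like on the wire. This is an added example, not code from the thread or from Pear::Auth_RADIUS; the shared secret, Request Authenticator and password are constructed sample values. It implements the two MD5 constructions from RFC 2865: User-Password hiding (section 5.2), where MD5 acts as a keystream generator keyed by the shared secret, and the Response Authenticator (section 3), a plain MD5 over the packet plus the secret that the client checks on the reply.

```python
import hashlib
import hmac
import struct

# Constructed sample values for this demonstration (not taken from the thread).
SHARED_SECRET = b"example-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))   # a real client sends 16 random bytes
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: hide a User-Password attribute value.

    The password is null-padded to a multiple of 16 bytes; each block is XORed
    with MD5(secret + previous_block), seeded with the Request Authenticator.
    MD5 only stretches the shared secret into a keystream, so everything rests
    on the secret: the same secret and authenticator always give the same output.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RADIUS limits User-Password to 128 bytes")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block          # chaining: next keystream depends on this output block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")   # remove the null padding


def build_response(code: int, identifier: int, attributes: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response packet. Its Response Authenticator (RFC 2865 s3)
    is MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attributes)
    header = struct.pack("!BBH", code, identifier, length)
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check that a reply came from a holder of the shared secret and
    belongs to the outstanding request. Note this is a bare MD5 over the secret,
    not an HMAC, and it is the only integrity check on a base RADIUS packet."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    hidden = hide_user_password(b"pa55word", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())
    print("recovered by server :", reveal_user_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    reply = build_response(ACCESS_ACCEPT, 7, b"\x12\x07hello", REQUEST_AUTHENTICATOR, SHARED_SECRET)
    print("reply verifies      :", verify_response(reply, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

The design consequence for option 4 is visible in the code: there is no per-session key, no negotiation, and nothing beyond a static shared secret between the school's server and the site, so the secrecy of every password in transit is exactly the secrecy of that one string. That is why plain RADIUS is normally kept on a private network or carried inside a tunnel (IPsec, or RadSec, RFC 6614, which wraps RADIUS in TLS) rather than exposed directly to the internet.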
Can you not just look up users in Active Directory? adLDAP is a good library for authenticating and getting group membership information.
I second AD as an option. It's what I use to auth our intranet/rewards/homework site. Additionally it runs an import for data from sims.
Would that not mean people having to expose their AD to the internet? Which is generally seen as a Bad Idea (TM)?
Originally Posted by webman
This isn't for a single school - this will be for multiple schools, all with their own users, but with the website being centrally hosted.
Oh right, I thought it was a locally-installable thing. So obviously no, adLDAP isn't going to be of any use at all :)