Posted (edited)

I'm developing a website at the moment and am thinking about the best way for future users to populate the system with their own users. As it stands I have the following options:

 

1. Use the old-fashioned method of importing CSV or XML files, combined with manual additions.

2. Have a mini application which periodically uploads data to the site, which is installed on a machine in the user's network.

3. Implement Shibboleth, with an embedded discovery service.

4. Use RADIUS, with Pear::Auth_RADIUS - meaning users can install a RADIUS server on their network, and hook it up to whatever auth system they have in place, and expose that to my site for auth.

5. Use OpenZIS and SIF to import data from networks.

 

Now, each one has pros/cons, some are easier to implement than others and I suppose I could give users the option between different methods.

 

I am also thinking that I may want to combine 2 methods - such as using Shibboleth for auth SSO and SIF or a custom app for population of extra data (pupil year, class membership etc...).

 

However, what do people here think?

Edited by localzuk
Posted

I've been having a look at RADIUS and whilst it can handle the whole authentication aspect (i.e. is the user logging in valid etc...), it can't handle anything more than that, in terms of group membership, without trying to shoe-horn it into doing something it shouldn't. Also, RADIUS uses MD5 hashing as its method of securing data - which is inherently insecure.

 

I'm thinking Shibboleth will be the same in terms of user auth (but not security), so it looks to me like I am going to need 2 systems -

 

1. To handle auth itself

2. To handle extra data, such as groups.

 

Problem I can see is that as it stands, there would be no link between users in method 1 and method 2.

 

How can I achieve this sensibly? A custom app? Getting the users to update the AD with an ID which links the MIS data to the AD itself? Kinda drawing a blank here!

Posted
Can you not just look up users in Active Directory? adLDAP is a good library for authenticating and getting group membership information.

 

Would that not mean people having to expose their AD to the internet? Which is generally seen as a Bad Idea ™?

 

This isn't for a single school - this will be for multiple schools, all with their own users, but with the website being centrally hosted.
