[PATCH] Adding external authentication to Issabel

[marcogaio]

I've produced a patch/POC to enable in Issabel authentication using external sources. This patch is working in my production environment, but clearly need work to be integrated.

First patch modify login input, because i've not found a way to pass to authenticateUser() the non-md5 password; probably this is a big security hole (i suspect that the plaintext password is then saved to session cookie...) but it works.

index.php.diff.txt

Second patch modify authenticateUser() decoupling check for user existance in the db for the effective password check; i've addedd an LDAP/AD password check and an example, untested, code to login to an POP/IMAP server. Last i've keeped the original code that check against md5 password on the DB.

paloSantoACL.class.php.diff.txt

I'm seeking feedback, expecially for the security things.

Thanks.

[marcogaio]

Still seeking feedback on that.

[asternic]

Hi Marco, thanks for contribution. Adding external auth will require the password to be sent to the respective functions cleartext as we won't know if the external method hashing algorithm if any. So I see no objections in that regard.

Now as per the ACL class modification, this would need to be expanded so you can plug methods somehow instead of hardcoding them straight on the .class file. So this would require a bit of extra effort to have a pluggable way to add external authentications.

One last note, it is not sufficient with authentication, Issabel also has authorization (user levels, groups restrictions), and that is not covered with this method, so I am not sure how to handle that.

[marcogaio]

Hi Marco, thanks for contribution. Adding external auth will require the password to be sent to the respective functions cleartext as we won't know if the external method hashing algorithm if any. So I see no objections in that regard.

OK.

Now as per the ACL class modification, this would need to be expanded so you can plug methods somehow instead of hardcoding them straight on the .class file. So this would require a bit of extra effort to have a pluggable way to add external authentications.

Sure; for that i think this is more a POC then a patch...

One last note, it is not sufficient with authentication, Issabel also has authorization (user levels, groups restrictions), and that is not covered with this method, so I am not sure how to handle that.

Oh, sure; problem can be complicated as desired; but many tools use an practical approach, and instead adding the full complexity of the problem from the ground, start with:

• authorization (my patch)
• import of groups/roles from external source
• sync of groups/roles from external source
• ...

It is not needed to start all from the ground to a fully functional setup, can be implemented a layer at a time. This approach for example is use in different way by GLPI (https://glpi-user-documentation.readthedocs.io/fr/latest/modules/configuration/authentication/ldap.html) or NextCloud (https://docs.nextcloud.com/server/latest/admin_manual/configuration_user/user_auth_ldap.html).

Please, consider this. And if needed i can provide some help, at least for testing the code.

Thanks.