[Admin-discuss] Web Forums - Authentication and Security

Andrew Harford andrew.harford at redbrick.dcu.ie
Fri Apr 23 22:41:15 IST 2010

On Fri, Apr 23, 2010 at 10:23:39PM +0100, Cian Brennan wrote:
> On Fri, Apr 23, 2010 at 10:17:49PM +0100, Sean wrote:
> > Hi
> > 
> > As you may have heard, the committee are optioning installing a web based
> > forum for their users to use for discussing various topics, much like the
> > existing nntp based boards.
> > 
> > The type of forum will most likely be vBulletin, though PHPBB and SMF
> > haven't been completely written off.
> > 
> Redbrick should not pay for software, if there are free alternatives anything
> as good.

My preference would also be to not pay for software. Lots of people seem 
to be pretty happy with SMF, I'm not aware of any important features it 
would be lacking.
> > The issue is how to manage user authentication.
> > 
> > The board will probably be going behind pubcookie. While this makes it less
> > convenient for the users, there are benefits of privacy and additional
> > security.
> > 
> > Two options were suggested for user management on the board itself.
> > 
> > The first would be to install a quick plug in to allow authentication
> > through LDAP. User accounts would be created automatically. This seems
> > relatively straightforward, though its potential insecurity has been
> > pointed out.

Everything is potentially insecure; however, I don't believe there are 
huge issues unique to this approach. The big issue that I see is that it 
involves hacking things into things. Last time I looked the LDAP stuff for 
vBulletin was hacks written by random people, not officially supported 
modules or patches, though things could have changed.

We have ongoing issues with other web applications that have been patched 
to use custom auth systems. It is a pain in the ass, and gets even worse 
when the people who write the original hacks move on.

> > Another option suggested by a few people is to implement a Redbrick OpenID
> > provider and force the board to only accept redbrick openids. This sounds
> > kind of interesting to me.

This is by far the best option. Implementing an OpenID provider with 
pubcookie appears to be relatively simple (probably like one afternoon of 
work) based on what I've read. Whatever forum is chosen I would bet that 
support for OpenID will be far better implemented and maintained than 
support for LDAP.

(like Cian, I think this is the best strategy for all our web apps in the 
future etc.)


Andrew Harford