[Admin-discuss] Web Forums - Authentication and Security
andrew.harford at redbrick.dcu.ie
Fri Apr 23 22:41:15 IST 2010
On Fri, Apr 23, 2010 at 10:23:39PM +0100, Cian Brennan wrote:
> On Fri, Apr 23, 2010 at 10:17:49PM +0100, Sean wrote:
> > Hi
> > As you may have heard, the committee are optioning installing a web based
> > forum for their users to use for discussing various topics, much like the
> > existing nntp based boards.
> > The type of forum will most likely be vBulletin, though PHPBB and SMF
> > haven't been completely written off.
> Redbrick should not pay for software, if there are free alternatives anything
> as good.
My preference would also be to not pay for software. Lots of people seem
to be pretty happy with SMF, I'm not aware of any important features it
would be lacking.
> > The issue is how to manage user authentication.
> > The board will probably be going behind pubcookie. While this makes it less
> > convenient for the users, there are benefits of privacy and additional
> > security.
> > Two options were suggested for user management on the board itself.
> > The first would be to install a quick plug in to allow authentication
> > through LDAP. User accounts would be created automatically. This seems
> > relatively straightforward, though its potential insecurity has been
> > pointed out.
Everything is potentially insecure; however, I don't believe there are
huge issues unique to this approach. The big issue that I see is that it
involves hacking things into things. Last time I looked the LDAP stuff for
vBulletin was hacks written by random people, not officially supported
modules or patches, though things could have changed.
We have ongoing issues with other web applications that have been patched
to use custom auth systems. It is a pain in the ass, and gets even worse
when the people who write the original hacks move on.
> > Another option suggested by a few people is to implement a Redbrick OpenID
> > provider and force the board to only accept redbrick openids. This sounds
> > kind of interesting to me.
This is by far the best option. Implementing an OpenID provider with
pubcookie appears to be relatively simple (probably like one afternoon of
work) based on what I've read. Whatever forum is chosen I would bet that
support for OpenID will be far better implemented and maintained than
support for LDAP.
(like Cian, I think this is the best strategy for all our web apps in the
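The "only accept redbrick openids" policy mentioned above is the part a relying party has to enforce itself, so here is an added example of that check (example code, not anything from the thread or from any of the forum packages it names). It normalises a user-supplied identifier roughly the way OpenID 2.0 section 7.2 describes, then accepts a positive assertion only when both the claimed identifier's host and the OP endpoint that signed it are on an allowlist. The host `openid.redbrick.dcu.ie` and the endpoint URL are assumptions chosen for illustration; the sample assertions at the bottom are constructed, not captured from any real system.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed values (not from the thread): where the Redbrick OpenID provider
# would issue identifiers and from which endpoint it would sign assertions.
ALLOWED_IDENTIFIER_HOSTS = {"openid.redbrick.dcu.ie"}
ALLOWED_OP_ENDPOINTS = {"https://openid.redbrick.dcu.ie/server"}


def normalize_identifier(user_input: str) -> str:
    """Normalise a user-typed OpenID identifier, following OpenID 2.0 section 7.2:
    prepend http:// when no scheme is given, drop the fragment, lowercase the host
    and use '/' for an empty path. XRIs are refused because the (assumed)
    Redbrick provider only issues URL identifiers."""
    s = user_input.strip()
    if s.lower().startswith("xri://") or (s and s[0] in "=@+$!("):
        raise ValueError("XRI identifiers are not accepted")
    if not (s.lower().startswith("http://") or s.lower().startswith("https://")):
        s = "http://" + s
    parts = urlsplit(s)
    host = parts.hostname  # already lowercased by urlsplit, port stripped
    if not host:
        raise ValueError("identifier has no host")
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    path = parts.path or "/"
    # Empty last element discards the fragment, which must never be part of an identifier.
    return urlunsplit((parts.scheme, netloc, path, parts.query, ""))


def is_redbrick_identifier(identifier: str) -> bool:
    """True when a normalised identifier lives under an allowed host."""
    return urlsplit(identifier).hostname in ALLOWED_IDENTIFIER_HOSTS


def accept_assertion(claimed_id: str, op_endpoint: str) -> bool:
    """Decide whether a positive assertion may log the user in.

    Both the claimed identifier and the OP endpoint that signed the assertion
    must be on the allowlist. Checking the identifier alone is not enough:
    OpenID discovery lets a claimed identifier delegate to any provider, so a
    forum that filters only on the identifier string could still be logged
    into by an assertion from a provider it never intended to trust."""
    try:
        cid = normalize_identifier(claimed_id)
    except ValueError:
        return False
    return is_redbrick_identifier(cid) and op_endpoint in ALLOWED_OP_ENDPOINTS


# Constructed sample assertions: (claimed identifier as typed, signing OP endpoint)
SAMPLE_ASSERTIONS = [
    ("OpenID.Redbrick.DCU.ie/andrew#frag", "https://openid.redbrick.dcu.ie/server"),  # accept
    ("https://openid.redbrick.dcu.ie/andrew", "https://example.com/op"),             # wrong OP
    ("https://evil.example/andrew", "https://openid.redbrick.dcu.ie/server"),        # wrong host
    ("=someone", "https://openid.redbrick.dcu.ie/server"),                            # XRI refused
]


def main() -> None:
    for cid, op in SAMPLE_ASSERTIONS:
        verdict = "accept" if accept_assertion(cid, op) else "reject"
        print(f"{cid!r} signed by {op}: {verdict}")


if __name__ == "__main__":
    main()
```

The endpoint check is the one that matters for the "behind pubcookie" goal: if the forum trusts assertions from any OP as long as the identifier looks local, the privacy and security benefit of putting the provider behind pubcookie is lost. A real relying-party library exposes the signing endpoint in its response object; the example models it as a plain string argument.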