We are looking to use Serendipity in place of an old terminal application in police cruisers and on desktops as a daily log of sorts for our police department. We want to have approximately 250 users on this Serendipity blog, and as opposed to setting up and maintaining accounts for each user, we're looking into LDAP.
I have the externalauth plugin, and have installed it, but I am a bit confused as to how it actually works. Loading the plugin goes fine, and I GUESS the settings I am using are correct as I am presented with no errors, however, I am not being logged in automatically. Perhaps I misunderstand the function of this plugin?
Searching s9y and google I haven't found any documentation on it, and I was hoping I could get some help here. Thank you in advance.
-Dave
LDAP Authentication
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Re: LDAP Authentication
Great to hear that you're looking into Serendipity. Your usage case sounds pretty exciting!
Sadly, Serendipity has a problem if the user account data is not saved in the Database, as it uses several SQL lookups and joins to fetch all entry and author information of an entry. If that data were stored in non-SQL-joinable containers, it would mean many code changes and a degraded performance.
Thus, the LDAP plugin works like this:
1. You enter your account data.
2. The account data is matched against the serendipity_authors table.
3. If an account is found, the user is logged in.
4. If an account is not found, the LDAP plugin comes to effect. It matches your account data against the LDAP database. If a resultset is found, Serendipity creates an account in the serendipity_authors table and can then successfully authorize you.
So the LDAP plugin works as an intermediate "authentication proxy" and does not replace the internal serendipity_authors table.
Since I personally am not using LDAP for such cases, and must admit I'm not a professional with LDAP, I don't know much about possible error cases. It might have to do with your LDAP lookup that could fail. Did you check if, when you login to Serendipity with your LDAP data, a serendipity_authors account is created?
Which Serendipity version are you using, BTW?
In your case, I would suggest that if you have the developer manpower, you'd create a daily matchup from the LDAP table which synchronizes the SQL table. I don't think there's any blogging application that does user matching with LDAP only, also other apps only use that proxy scheme so that it's really hard to get that all to work smoothly.
HTH and have fun,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
I was quite excited to find Serendipity. With very few changes, it looks like it will fit our needs quite well.
We are using version 0.8.1 on Apache2 for our alpha, and 0.8.2 on IIS6 for our beta, and what will become the final. I've made a couple of changes to the code, but we're trying to stick close to the developer code for upgrade purposes, and because if all goes well, we may be interested in running another instance for our fire department.
This is our first attempt at LDAP, so please bear with me.
It would be nice to be able to automatically create accounts with LDAP, as opposed to entering all of them by hand. Changes would have to be made to names and user level, I assume. If this is possible, and from what you've said it seems it is, it would be wonderful. One catch to this, is that after accounts are created initially, we would like to be able to freeze accounts, and, for example, prevent access to Serendipity from users in another city department.
A more important function of LDAP, however, is keeping these 250 officers from having to log in each time they want to use Serendipity. This, as I understand, can be done with the plugin, and is what I'm trying to test now.
I receive no error, but upon pointing a browser to Serendipity, I am not logged in, and no account is created in the serendipity_authors table. Is there any type of log that would return an error or failure to authenticate?
We settled on Serendipity about two weeks ago, and our plan is to go live in about another two. We'll see how that goes!
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Hi Dave!
Great to hear you got Serendipity adapted smoothly. If the code changes you made are good for "public use", we're of course willing to include those in our distribution if you care to share the code.
About LDAP, what you outline should work. You can just stick the Serendipity users as members of a specific "Serendipity" group; you can then still maintain all your users in a LDAP.
The LDAP plugin however is different from what you understand; what you describe is called a "Single Sign-On Environment". There currently is no plugin for that. But Serendipity supports auto-login based on a permanent cookie; so either you could do it with that cookie, or you would need to modify the LDAP plugin so that it interacts with a RADIUS/Single-Sign-On server in your environment. However, that is always very dependent on your server IT structure and a harder task to achieve.
Dave wrote: I receive no error, but upon pointing a browser to Serendipity, I am not logged in, and no account is created in the serendipity_authors table. Is there any type of log that would return an error or failure to authenticate?
You need to call the "serendipity_admin.php" admin backend and login there with your credentials; only then does the LDAP plugin perform the matchup; see above for the difference to Single Sign-On. The failure of authentication is then shown on the login to the backend, if it happens.
Best regards,
Garvin
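The four-step "authentication proxy" flow Garvin describes in his first reply (local serendipity_authors table first, LDAP only when no row exists, account created on an LDAP match), together with his suggestions to restrict logins to members of a dedicated LDAP group and to run a daily matchup that synchronizes the table, can be modelled in a few dozen lines. The block below is an added example written for this thread; it is not the externalauth plugin's code nor anything from the Serendipity project. Serendipity is PHP and keeps the table in SQL; here the table is an in-memory dict and the directory is a constructed FakeLdap class standing in for ldap_bind() and a group lookup. The group name "Serendipity", the disabled flag used to "freeze" an account, and all usernames and passwords are assumptions made for the example.

```python
"""Model of the 'authentication proxy' flow from the thread (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed name of the LDAP group whose members may use the blog; the thread
# suggests such a group but does not name it.
SERENDIPITY_GROUP = "Serendipity"


@dataclass
class Author:
    """A simplified row of the local serendipity_authors table."""
    username: str
    salt: bytes
    pw_hash: bytes
    userlevel: int = 0
    disabled: bool = False  # assumed 'freeze' flag, not a real Serendipity column


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the provisioned row never stores the LDAP password in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class FakeLdap:
    """Constructed in-memory stand-in for an LDAP bind plus group lookup."""

    def __init__(self, entries: dict):
        self.entries = entries  # username -> {"password": str, "groups": set}

    def bind(self, username: str, password: str) -> bool:
        entry = self.entries.get(username)
        return entry is not None and hmac.compare_digest(entry["password"], password)

    def groups(self, username: str) -> set:
        return set(self.entries.get(username, {}).get("groups", ()))


class AuthProxy:
    """Local table first, LDAP second, just-in-time provisioning on LDAP success."""

    def __init__(self, ldap: FakeLdap):
        self.ldap = ldap
        self.authors: dict = {}  # username -> Author

    def login(self, username: str, password: str) -> str:
        author = self.authors.get(username)
        if author is not None:
            # Steps 2-3: an existing row is authoritative; LDAP is not consulted.
            if author.disabled:
                return "denied"
            ok = hmac.compare_digest(author.pw_hash, hash_password(password, author.salt))
            return "ok:local" if ok else "denied"
        # Step 4: no row, so bind against LDAP and require group membership.
        if not self.ldap.bind(username, password):
            return "denied"
        if SERENDIPITY_GROUP not in self.ldap.groups(username):
            return "denied"
        salt = os.urandom(16)
        self.authors[username] = Author(username, salt, hash_password(password, salt))
        return "ok:provisioned"

    def sync_from_ldap(self) -> list:
        """The 'daily matchup': freeze rows that LDAP no longer vouches for."""
        frozen = []
        for name, author in self.authors.items():
            if not author.disabled and SERENDIPITY_GROUP not in self.ldap.groups(name):
                author.disabled = True
                frozen.append(name)
        return frozen


def build_demo_directory() -> FakeLdap:
    """Constructed sample directory: one officer in the blog group, one clerk outside it."""
    return FakeLdap({
        "officer1": {"password": "cruiser-42", "groups": {"Serendipity", "Police"}},
        "clerk": {"password": "ledger-7", "groups": {"Finance"}},
    })


if __name__ == "__main__":
    proxy = AuthProxy(build_demo_directory())
    print(proxy.login("officer1", "cruiser-42"))  # ok:provisioned
    print(proxy.login("officer1", "cruiser-42"))  # ok:local
    print(proxy.login("clerk", "ledger-7"))       # denied (not in the group)
```

The point worth noticing is the one Garvin's design implies: once a row has been provisioned, the local table decides every later login and LDAP is never asked again, so removing a user from the group (or from the directory) changes nothing until the sync job runs and flips the row to disabled. That is why a scheduled matchup is part of the deployment, not an optional extra, and why the example provisions a salted hash rather than copying the LDAP password into the table.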
-
Guest
Garvin,
As for the changes, mostly what I have done is remove or restrict features.
- All references to trackbacks have been removed
- In our alpha, comments are removed, although we're still uncertain as to if they will be on the final
- Standard Editors have more restricted access
- Chief Editors have more restricted access (no longer can change categories, images, etc)
We considered the cookie Serendipity uses, but since we have multiple people using the same computers (officers using the same police cruiser, for one example) it wouldn't work.
The LDAP server isn't really my end of the project, so my understanding is limited, but I was put under the impression that it could be used to accomplish this single sign-on function. Perhaps we just need to write something to combine the LDAP plugin with features like this? Hopefully our project will meet later today, and I can get a little more clear on this.
Lastly, you have a version 9 in testing currently? Is this publicly available? I think we would be interested in seeing more of the path that Serendipity is taking at the very least.
Thanks Garvin!
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
I must admit I've never worked with a Single-Sign-On environment, so I don't really know how it can be done technically. But I'm quite sure that if it can be done, it can be done with Serendipity as well, since it's a really flexible system.
If your project member has information on the SingleSign-on thing or has questions, tell him to feel free to contact me. I'd be happy to gain some insight on how this SSO works.
Version 9 is developed using Subversion on http://developer.berlios.de/projects/serendipity/ - you can connect yourself to the SVN repository to fetch the latest trunk / version 9 release. TortoiseSVN for Windows is a good client to use. Version 9 does support a granular permission system you might be interested in...
Best regards,
Garvin
-
garvinhicking
- Core Developer
- Posts: 30022
- Joined: Tue Sep 16, 2003 9:45 pm
- Location: Cologne, Germany
- Contact:
Yes, our snapshots are built daily, fetch them on www.s9y.org in the "Download" section please.
Regards,
Garvin
-
Guest
SmithDave -Anonymous wrote: We considered the cookie Serendipity uses, but since we have multiple people using the same computers (officers using the same police cruiser, for one example) it wouldn't work.
The cookie should still work for you, as it is stored in the logged in profile. Even with multiple users on the same machine, for you to be using LDAP, the users log in and log out, so each has their own profile, correct?
-Rob A>