Alfredo Esteban
2015-01-16 14:56:32 UTC
Hi,
I have created a pull request:
https://github.com/LimeSurvey/LimeSurvey/pull/270
Firstly, I would like to show you the code before pushing it and let you
make suggestions (please, see pull request description). I'm sending you
some screen-shots too. This is a first step to solve the LDAP problem described
in security bug #8865 <http://bugs.limesurvey.org/view.php?id=8865>. This
is an important requirement of our security department, since we implement a
strong password policy in our LDAP. We would like to stop using internal
DB authentication. After this patch, there is a new type of user. Their
authentication method is only LDAP (they can't choose internal DB). No DB
modification is needed. I use the "password" DB field to recognize these users.
If you are not against it, I will push it to the master branch.
Secondly, I agree with comments in bug tracker: Permanent fix is adding a
new user property "Authentication method". Users will be able to log in
using one and only one authentication method at a specific moment. Admin
could change a user from one method to another. The problem is the
default value of this column for existing users when updating LS. For
example, if we choose the internal DB method, existing LDAP users have to be
manually updated. Which do you think is the best version of this change
(if any)?
Thanks,
Alfredo
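The two ideas in the message above, recognising LDAP-only users by what the "password" column holds and, as the permanent fix, a per-user "authentication method" with exactly one method allowed at a time, sketched as an added PHP example. This is not LimeSurvey code and not code from the pull request: the `auth_method` column, the `LDAP_ONLY_SENTINEL` value, the `inferAuthMethod()` and `authenticate()` functions, the fake LDAP bind and the sample rows are all assumptions constructed for illustration.

```php
<?php
// Added example, not LimeSurvey code: one explicit authentication method per
// user, no fallback to the other method, and an upgrade default inferred
// from the legacy "password" column. Column and sentinel names are assumptions.

const AUTH_DB   = 'internal_db';
const AUTH_LDAP = 'ldap';
// Assumed marker stored in the "password" column for LDAP-only users
// (the post only says that column is used to recognise them).
const LDAP_ONLY_SENTINEL = '{LDAP}';

/**
 * Migration default: derive auth_method for a pre-existing user row so that
 * LDAP-only users are not silently turned into internal DB accounts.
 */
function inferAuthMethod(array $row): string
{
    $pw = $row['password'] ?? '';
    if ($pw === LDAP_ONLY_SENTINEL || $pw === '') {
        return AUTH_LDAP;   // no usable local hash -> LDAP
    }
    return AUTH_DB;         // a real password hash -> internal DB
}

/**
 * Authenticate with the single method configured for this user.
 * A request for any other method is refused outright, so an LDAP user can
 * never be logged in through the internal DB password path.
 */
function authenticate(array $user, string $method, string $password, callable $ldapBind): bool
{
    if (($user['auth_method'] ?? null) !== $method) {
        return false;
    }
    switch ($method) {
        case AUTH_DB:
            // password_verify() also returns false for the sentinel or an empty string.
            return password_verify($password, $user['password']);
        case AUTH_LDAP:
            return $ldapBind($user['users_name'], $password);
        default:
            return false;
    }
}

// --- constructed sample data (hypothetical users) ---------------------------
$alice = ['users_name' => 'alice', 'password' => password_hash('Local-Pw-1', PASSWORD_DEFAULT)];
$bob   = ['users_name' => 'bob',   'password' => LDAP_ONLY_SENTINEL];

// Stand-in for the directory; a real implementation would call ldap_bind().
$fakeLdapBind = function (string $uid, string $pw): bool {
    $directory = ['bob' => 'Ldap-Pw-2'];
    return isset($directory[$uid]) && hash_equals($directory[$uid], $pw);
};

// What the upgrade migration would write into the new column.
$alice['auth_method'] = inferAuthMethod($alice);   // internal_db
$bob['auth_method']   = inferAuthMethod($bob);     // ldap

printf("alice via DB   (correct pw): %d\n", authenticate($alice, AUTH_DB,   'Local-Pw-1', $fakeLdapBind));
printf("alice via LDAP (any pw):     %d\n", authenticate($alice, AUTH_LDAP, 'Local-Pw-1', $fakeLdapBind));
printf("bob   via LDAP (correct pw): %d\n", authenticate($bob,   AUTH_LDAP, 'Ldap-Pw-2',  $fakeLdapBind));
printf("bob   via DB   (any pw):     %d\n", authenticate($bob,   AUTH_DB,   'Ldap-Pw-2',  $fakeLdapBind));

// An admin switching a user's method is a single column update; the old
// method stops working immediately because authenticate() checks the column first.
$bob['auth_method'] = AUTH_DB;
printf("bob   via LDAP after switch: %d\n", authenticate($bob, AUTH_LDAP, 'Ldap-Pw-2', $fakeLdapBind));
```

The inference rule answers the migration question in the message in one particular way: a row with no usable local hash (empty or the sentinel) defaults to LDAP, everything else to internal DB, so no existing LDAP user has to be edited by hand. Whether an empty password should mean "LDAP" or "locked" is a policy choice for the project, not something this example decides.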