Authentication adapters

We need various authentication adapters so that FabAccess can be connected to different user management systems.

To get a feel for what is needed first - and what can perhaps be postponed or even dropped - we have put together a short survey in which you can tell us which systems you already use - and which you may want to use in the future.

For each of the planned adapters there is an issue in the BFFH GitLab (#13, #14, #15) where you are welcome to comment on the individual adapter.

(https://gitlab.com/fabinfra/fabaccess/bffh/-/issues)

Password DB PAM adapter

Allow password-based authentication against the Linux Pluggable Authentication Mechanism (PAM).

PAM is a Linux API specifically for password-based authentication. Adding it to BFFH would allow using the normal system users of a server and grants access to all the different authentication mechanisms PAM connects to.

This is especially useful for situations where a space already has a *nix-based network going on.

There is little need for any configuration on the bffh side other than just enabling this backend; PAM expects services to use predictable service names (i.e. usually their own name: "bffh" in our case) and all further configuration is done in /etc/pam.d/ or your distribution's equivalent.

Password DB SQL adapter

Allow password-based authentication against an SQL database

More research needed, e.g. who actually needs this feature and how exactly it should look.

I would assume a custom SQL query or just an SQL filter to be run that returns password data for a given user or indicates that no such user exists.

Password DB LDAP/AD adapter

Allow password-based authentication against LDAP / AD

For this, bffh needs to perform a search against the LDAP server first; the configuration required is:

  • LDAP server URL
  • Authentication mechanism, either 'simple' or a SASL method
    • For simple and password-based SASL methods additionally a bind-password
  • A bind dn to try to authenticate as
    • For SASL this is used as authzid and possibly authcid; e.g. SASL EXTERNAL has a fixed "authcid" server-side, so does GSSAPI
    • If no bind-dn is set search will be attempted anonymously
  • search base
  • search filter

The search should only ever return zero entries (no such user) or one. If multiple users match, an error should be logged for the server admin to look into.

The second step is the actual verification of the password which comes in two flavours:

  1. Bind authentication, where an LDAP Simple Bind or LDAP SASL Bind is performed as the returned entry with the given password
  2. Lookup authentication, where a field on the returned entry contains password data, e.g. an Argon2i-hashed password or SCRAM-SHA1 data
    • this needs an additional configuration value indicating the name of said field.
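The two-step flow described above (service bind or anonymous search, exactly-one-match check, then bind or lookup verification), written out as an added Python illustration that is not part of the issue text or the bffh code base. It assumes an in-memory stand-in directory instead of a real LDAP server, a constructed `{PBKDF2-SHA256}` attribute format in place of the Argon2i/SCRAM data the issue mentions, and a config shape (`LdapConfig`) invented for the example. It also adds one check a practitioner would want: an empty password is rejected before the bind step, because on real servers a Simple Bind with an empty password is treated as an unauthenticated bind and succeeds.

```python
import hashlib
import hmac
import logging
import re
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("bffh.auth.ldap")


def make_hash(password: str, salt: str = "c0ffee", rounds: int = 10_000) -> str:
    """Constructed attribute format '{PBKDF2-SHA256}rounds$salt$hex'; a stand-in
    for the Argon2i/SCRAM data a real directory would hold (assumption)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), rounds)
    return f"{{PBKDF2-SHA256}}{rounds}${salt}${digest.hex()}"


def verify_hash(stored: str, password: str) -> bool:
    """Lookup-style verification against the stored password field."""
    m = re.fullmatch(r"\{PBKDF2-SHA256\}(\d+)\$([^$]+)\$([0-9a-f]+)", stored)
    if not m:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), m[2].encode(), int(m[1]))
    return hmac.compare_digest(digest.hex(), m[3])


# Constructed in-memory directory (dn -> attributes); stands in for the LDAP server.
# "bob" exists twice under dc=example,dc=org to show the multiple-match case.
DIRECTORY = {
    "cn=bffh,ou=services,dc=example,dc=org": {"cn": "bffh", "userPassword": make_hash("service-secret")},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": make_hash("wonderland")},
    "uid=bob,ou=people,dc=example,dc=org": {"uid": "bob", "userPassword": make_hash("builder")},
    "uid=bob,ou=machines,dc=example,dc=org": {"uid": "bob", "userPassword": make_hash("laser")},
}


@dataclass
class LdapConfig:  # hypothetical config shape mirroring the bullet list above
    url: str
    search_base: str
    search_filter: str                    # "{user}" is replaced by the login name
    mode: str                             # "bind" or "lookup"
    bind_dn: Optional[str] = None         # None: the search is attempted anonymously
    bind_password: Optional[str] = None
    password_attr: Optional[str] = None   # required in lookup mode only


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP Simple Bind: the server checks the entry's password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and verify_hash(entry.get("userPassword", ""), password)


def search(cfg: LdapConfig, username: str) -> list:
    """Stand-in for the search step; only filters of the form '(attr={user})'
    are understood. Returns every matching (dn, attrs) under the search base."""
    m = re.fullmatch(r"\((\w+)=\{user\}\)", cfg.search_filter)
    if not m:
        raise ValueError("unsupported filter in this stand-in")
    return [(dn, a) for dn, a in DIRECTORY.items()
            if dn.endswith("," + cfg.search_base) and a.get(m[1]) == username]


def authenticate(cfg: LdapConfig, username: str, password: str) -> str:
    """Returns 'ok', 'no-such-user', 'ambiguous', 'bad-password' or 'misconfigured'."""
    if cfg.mode == "lookup" and not cfg.password_attr:
        return "misconfigured"
    if not password:
        # An empty password would turn the user bind into an unauthenticated bind.
        return "bad-password"
    if cfg.bind_dn is None:
        log.debug("no bind dn configured, searching anonymously")
    elif not simple_bind(cfg.bind_dn, cfg.bind_password or ""):
        log.error("service bind as %s failed", cfg.bind_dn)
        return "misconfigured"
    matches = search(cfg, username)
    if not matches:
        return "no-such-user"
    if len(matches) > 1:
        # Logged for the admin: the filter/base combination is not unique.
        log.error("filter %r matched %d entries for %r: %s", cfg.search_filter,
                  len(matches), username, [dn for dn, _ in matches])
        return "ambiguous"
    dn, attrs = matches[0]
    if cfg.mode == "bind":
        ok = simple_bind(dn, password)
    else:
        ok = verify_hash(attrs.get(cfg.password_attr, ""), password)
    return "ok" if ok else "bad-password"


# Example configurations (constructed values).
CFG_BIND = LdapConfig("ldap://ldap.example.org", "dc=example,dc=org", "(uid={user})", "bind",
                      bind_dn="cn=bffh,ou=services,dc=example,dc=org", bind_password="service-secret")
CFG_PEOPLE = LdapConfig("ldap://ldap.example.org", "ou=people,dc=example,dc=org", "(uid={user})", "bind")
CFG_LOOKUP = LdapConfig("ldap://ldap.example.org", "ou=people,dc=example,dc=org", "(uid={user})", "lookup",
                        password_attr="userPassword")
CFG_LOOKUP_BROKEN = LdapConfig("ldap://ldap.example.org", "ou=people,dc=example,dc=org", "(uid={user})", "lookup")
CFG_BAD_SERVICE = LdapConfig("ldap://ldap.example.org", "dc=example,dc=org", "(uid={user})", "bind",
                             bind_dn="cn=bffh,ou=services,dc=example,dc=org", bind_password="wrong")
```

`authenticate(CFG_BIND, "bob", "builder")` returns `"ambiguous"` because both bob entries sit under the wide search base, while `CFG_PEOPLE` narrows the base to `ou=people` and the same login succeeds; that is the situation the error log line is meant to surface to the admin.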

This survey contains 4 questions.