|Anonymous | Login | Signup for a new account||2013-12-09 03:47 EST|
|Main | My View | View Issues | Change Log | Roadmap | Wiki | Repositories|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0004235||mantisbt||authentication||public||2004-07-31 21:04||2012-11-13 20:45|
|Target Version||Fixed in Version|
|Summary||0004235: Support Generic Authentication through Plug-ins|
|Description||Define an API which can be implemented to allow Mantis to use a certain kind of authentication.|
|Tags||No tags attached.|
|Attached Files||pear_auth.patch [^] (32,592 bytes) 2007-07-18 05:15 [Show Content]|
|We may want to look at the PEAR Authentication module for this. It covers all of the current authentication methods we use and is supposed to be extensible. I wrote a NIS method for it very quickly.|
I agree that we should probably support PEAR authentication rather than inventing our own API. I remember I looked at it before and I liked it. It basically provides one interface that can be used to access more than one authentication technique, the nice thing is that they can be mixed, rather than having to use just one technique. So probably we can add Mantis authentication as one of the techniques.
Note that the above is from memory so it may not be very accurate.
I did have a look at the PEAR Auth package. It does seem much interresting. But there are two points to check.
|Perhaps that encapsulating class should also take in the account the possibility that PEAR's Authentication module is not installed/available and fall back to our own authentication in that case? Depends on how likely it is that the Authentication module is not installed (and how difficult it is to install).|
The attached files implement PEAR_Auth using the DB container (hardcoded).
It should be fairly easy to extend this to any of the underlying containers. the concerns with CAS should be able to be resolved with the custom container. PEAR_Auth also supports a Multi-Continer, which chould be used for per-user authentication. I tested this against Postgres 8.3, and the patches are based off of Mantis 1.1.0a3. I used the latest pear auth (1.5x), and my PHP version is 5.2.3. I attempted to use the existing authentication_api functions where possible, to keep the outside impact to a minimum.
I needed to patch the postgres ADO in order to get the app to work. I suppose that should be posted under a separate issue.
|Could someone create a wiki page to let me start specifying a requirement list for this issue.|
|NT, Wiki page created! Go for it.|
NT, I had a quick look at the requirements, and I believe it might be useful to have a "Scenarios" or "High Level Requirements" section after the "Introduction" and before we get into the detailed requirements. Following is some sample content that I had in mind:
1. Support for authentication via Mantis plugins by supporting protocols that validate a user name / password, as well as others that delegate the authentication process to another application (e.g. Open ID / CAS).
2. Support for single sign-on (e.g. Windows Login, CMS integration, etc). The single sign on should work for both Login and Logout scenarios.
3. Support for hybrid authentication. For example, employees are authenticated against LDAP where customers are authenticated using Mantis standard infrastructure.
4. Avoid sign-up when a user is authenticated but doesn't yet have a record in the DB. In this case, Mantis should pull the required data from the authentication plugin. For example, pull user information from LDAP when a user logs in for the first time.
5. Based on the plugin user for authentication, a user may not be able to edit some of the An authentication plugin should be able to mark some of the user profile information as read only. For example, user name or email may be marked as read only.
6. Once a user is signed up using a protocol, this protocol should be stamped on the user record and in the future the user should only be able to login via this protocol. For example, if a user is authenticated against Active Directory, then removed from Active Directory, then he/she should not be able to login against their user record in Mantis (use in termination of employment scenarios). -- This may cause a problem when a user logs in via Windows auth at work, but would like to login from home where he/she is not authenticated in Windows.
edited on: 2008-04-02 08:56
Hello vboctor, NT,
I took the liberty of placing some comments en ideas in the document of NT
(http://www.mantisbt.org/wiki/doku.php/mantisbt:issue:4235 [^]) Fore some reason, whatever edit button I used, I could never ever edit another section than the first one..
In reference to the requirements of vboctor:
@1: Implementing simpleSAMLphp will do this for you and add a lot of other protocols as well.
@2: see my remarks in the wiki page
@4: make a clear difference between authentication data and authorisation data, otherwise login may break if the delegated idp changes one of the user credentials. In general Mantis should only care about authorisation, not about authentication, other then providing a "local" module if no other form of authentication is available.
@5: see @4
@6: see my remarks in the wiki document. Futhermore, when using windows authentication, don't make a windows problem a mantis problem: a clean solution is for the home user to use a vpn to log on to the (remote) windows network.
|What is the status of this? I would really love to use mantis but we already have an intranet user system and I don have to have to have another login for people to be able to submit bugs.|
|I am also interested in this feature as well. Could anyone who was previously working on this or who has done anything with this, provide what they know as far a status update? Or did it pretty much stop at a list of requirements?|
I'm interested on that feature too.
Has anyone experiences with the NIS integration?
|Have there been any plan when this is going to be implemented? 1.2.x or 1.3.x ?|
|Hi, please consider using http://simplesamlphp.org/ [^] for this - it will be the best solution for putting all the best php apps together!|
edited on: 2011-01-02 23:07
+1 in regards to http://simplesamlphp.org [^]
SimpleSAMLphp is far from trivial to configure but, once configured, it can remove from other webapps a lot of logic related to authentication and user provisioning.
For more information about user provisioning, look for module "selfregister" (a module for simplesamlphp).
|Hi, i did code modification and simpleSAMLphp work with mantibt 1.3.0 how ever it will be more nicely implement if mantisbt have auth-plugin environment|
|@dpenezic: Could you please provide more information? Thanks a lot :)|
|@rgomes1997: You may found patch, part of configuration, and simplesamlphp_api.php file on fallow link http://developer.aaiedu.hr/download/ssphp_auth_addon_v.0.1.tar.gz [^]|
Any progress on this feature?
PEAR Auth based patch looks quite complete and simple. Even the configuration for PEAR Auth is quite simple.
So as a default use multiple with variable number of Auth containers defined in config.
|2004-07-31 21:04||vboctor||New Issue|
|2004-07-31 21:04||vboctor||Relationship added||related to 0003043|
|2004-07-31 21:05||vboctor||Relationship added||related to 0000287|
|2004-07-31 21:05||vboctor||Relationship added||related to 0003394|
|2004-07-31 21:06||vboctor||Relationship added||related to 0004234|
|2004-07-31 21:06||vboctor||Relationship added||related to 0004010|
|2004-07-31 21:07||vboctor||Relationship added||related to 0003303|
|2004-07-31 21:09||vboctor||Category||bugtracker => feature|
|2004-07-31 21:12||vboctor||Relationship added||related to 0003887|
|2004-07-31 21:15||vboctor||Relationship added||related to 0003847|
|2004-08-01 18:33||grangeway||Status||new => acknowledged|
|2004-08-03 11:47||thraxisp||Note Added: 0006604|
|2004-08-04 06:31||vboctor||Note Added: 0006619|
|2004-08-07 08:49||jlatour||Status||acknowledged => confirmed|
|2004-08-08 03:51||rlegros||Note Added: 0006796|
|2004-08-08 04:13||jlatour||Note Added: 0006798|
|2004-09-26 20:42||thraxisp||Relationship added||related to 0004292|
|2005-05-19 08:23||thraxisp||Relationship added||parent of 0003068|
|2007-07-06 10:44||vboctor||Category||feature => authentication|
|2007-07-18 05:15||edriede||File Added: pear_auth.patch|
|2007-07-18 05:30||edriede||Note Added: 0015090|
|2007-09-26 03:58||vboctor||Relationship added||related to 0008402|
|2008-01-26 08:47||NT||Note Added: 0016824|
|2008-01-26 15:49||vboctor||Note Added: 0016830|
|2008-01-27 03:58||vboctor||Note Added: 0016833|
|2008-01-27 22:35||vboctor||Relationship added||related to 0007478|
|2008-01-27 22:35||vboctor||Relationship added||related to 0007432|
|2008-01-27 22:36||vboctor||Relationship added||related to 0006771|
|2008-01-27 22:36||vboctor||Relationship added||related to 0008012|
|2008-02-08 16:02||jreese||Status||confirmed => assigned|
|2008-02-08 16:02||jreese||Assigned To||=> jreese|
|2008-03-20 08:33||jreese||Relationship added||has duplicate 0007989|
|2008-03-20 08:33||jreese||Relationship added||has duplicate 0006718|
|2008-04-02 08:53||cdr-80||Note Added: 0017539|
|2008-04-02 08:55||cdr-80||Note Edited: 0017539|
|2008-04-02 08:56||cdr-80||Note Edited: 0017539|
|2008-07-13 11:07||grangeway||Relationship replaced||has duplicate 0003394|
|2008-09-25 13:48||jreese||Assigned To||jreese => grangeway|
|2008-10-01 16:57||jwhitcraft||Note Added: 0019485|
|2009-08-31 11:17||thungp||Note Added: 0022836|
|2009-11-09 05:26||looki||Note Added: 0023621|
|2010-02-07 07:40||dhx||Relationship added||related to 0011219|
|2010-05-14 06:47||andy778||Note Added: 0025500|
|2010-11-08 17:28||Snaky||Note Added: 0027314|
|2011-01-02 23:06||rgomes1997||Note Added: 0027772|
|2011-01-02 23:07||rgomes1997||Note Edited: 0027772||View Revisions|
|2011-02-22 04:23||dpenezic||Note Added: 0028273|
|2011-02-23 16:04||rgomes1997||Note Added: 0028288|
|2011-02-24 01:21||dpenezic||Note Added: 0028290|
|2011-12-14 03:19||rombert||Severity||minor => feature|
|2012-05-02 02:56||matti||Note Added: 0031742|
|2012-07-02 03:10||atrol||Relationship added||has duplicate 0007791|
|2012-07-02 03:11||atrol||Relationship added||related to 0012627|
|2012-07-02 03:11||atrol||Relationship added||related to 0007371|
| MantisBT 1.2.16dev master-1.2.x-9aa19be [^]
Copyright © 2000 - 2013 MantisBT Team
Time: 0.1863 seconds.|
memory usage: 3,194 KB