View Issue Details Jump to Notes ] Wiki ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0004235mantisbtauthenticationpublic2004-07-31 21:042014-06-04 02:35
Assigned Tograngeway 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version 
Summary0004235: Support Generic Authentication through Plug-ins
DescriptionDefine an API which can be implemented to allow Mantis to use a certain kind of authentication.
TagsNo tags attached.
Attached Filespatch file icon pear_auth.patch [^] (32,592 bytes) 2007-07-18 05:15 [Show Content]

- Relationships
related to 0003043closedgrangeway support for NTLM authentication 
related to 0000287closedprescience authenticate against LDAP 
related to 0004234closedvboctor CAS authentication 
related to 0004010acknowledged Add NIS authentication as an alternative 
related to 0003303acknowledged Use X.509 certificate for authentication 
related to 0003887acknowledged radius authentcation support [patch] 
related to 0003847closedgrangeway CMS Integration (Namrly - Xoops) 
related to 0007478new MS Active Directory Authentication 
related to 0007432closedvboctor LDAP integration with Active Directory 
related to 0006771closedvboctor LDAP - Allow auth not to require dedicated LDAP account 
related to 0008012new Consider supporting Linux-PAM for authentication 
parent of 0003068closedgrangeway render_full_name in core/print.php 
has duplicate 0003394closedgrangeway rely on external source for authentication 
has duplicate 0007989closedjreese Multiple or Composite authentication mode for mantisbt 
has duplicate 0006718closedjreese Multiple authentification 
has duplicate 0007791closedatrol Allow custom login method 
related to 0004292closedthraxisp Sign-up sends a password for LDAP 
related to 0008402closedatrol Single Sign on for CMS such as Drupal, Joomla, Mambo etc 
related to 0011219acknowledged Provide OAuth inter-application authentication "tokens" mechanism 
related to 0012627new Plugin to enable login based upon Active Directory 
related to 0007371new Single signon for PHP-Fusion 

-  Notes
User avatar (0006604)
thraxisp (manager)
2004-08-03 11:47

We may want to look at the PEAR Authentication module for this. It covers all of the current authentication methods we use and is supposed to be extensible. I wrote a NIS method for it very quickly.
User avatar (0006619)
vboctor (administrator)
2004-08-04 06:31

I agree that we should probably support PEAR authentication rather than inventing our own API. I remember I looked at it before and I liked it. It basically provides one interface that can be used to access more than one authentication technique, the nice thing is that they can be mixed, rather than having to use just one technique. So probably we can add Mantis authentication as one of the techniques.

Note that the above is from memory so it may not be very accurate.
User avatar (0006796)
rlegros (reporter)
2004-08-08 03:51

I did have a look at the PEAR Auth package. It does seem much interresting. But there are two points to check.

1. Which version of PHP does it support ? Older versions make Mantis more portable.

2. There is a problem with CAS authentication (and maybe others). The architecture of PEAR Auth and of nearly all authentication systems is as follows. You take a user name and a password, you validate these against some system (file, DB and so on) and if it is OK you may log in. With CAS you delegate the login process to another application (so you are not aware of the user name and of the password), that application returns you a ticket, you ask for the ticket validation against the same application and in return you get the login id.

If Pear Auth is choosen, I think it should be needed to encapsulate it in a meta class that should also encapsulate CAS. This would make it possible for both methods to coexist cleanly in one MantisAuth class.

User avatar (0006798)
jlatour (reporter)
2004-08-08 04:13

Perhaps that encapsulating class should also take in the account the possibility that PEAR's Authentication module is not installed/available and fall back to our own authentication in that case? Depends on how likely it is that the Authentication module is not installed (and how difficult it is to install).
User avatar (0015090)
edriede (reporter)
2007-07-18 05:30

The attached files implement PEAR_Auth using the DB container (hardcoded).
It should be fairly easy to extend this to any of the underlying containers. the concerns with CAS should be able to be resolved with the custom container. PEAR_Auth also supports a Multi-Continer, which chould be used for per-user authentication. I tested this against Postgres 8.3, and the patches are based off of Mantis 1.1.0a3. I used the latest pear auth (1.5x), and my PHP version is 5.2.3. I attempted to use the existing authentication_api functions where possible, to keep the outside impact to a minimum.

I needed to patch the postgres ADO in order to get the app to work. I suppose that should be posted under a separate issue.

# Auth_Container_Array
# Auth_Container_DB
# Auth_Container_DBLite
# Auth_Container_File
# Auth_Container_IMAP
# Auth_Container_KADM5
# Auth_Container_LDAP
# Auth_Container_MDB
# Auth_Container_MDB2
# Auth_Container_Multiple
# Auth_Container_PEAR
# Auth_Container_POP3
# Auth_Container_RADIUS
# Auth_Container_SAP
# Auth_Container_SMBPasswd
# Auth_Container_SOAP
# Auth_Container_SOAP5
# Auth_Container_vpopmail
User avatar (0016824)
NT (reporter)
2008-01-26 08:47

Could someone create a wiki page to let me start specifying a requirement list for this issue.
User avatar (0016830)
vboctor (administrator)
2008-01-26 15:49

NT, Wiki page created! Go for it.
User avatar (0016833)
vboctor (administrator)
2008-01-27 03:58

NT, I had a quick look at the requirements, and I believe it might be useful to have a "Scenarios" or "High Level Requirements" section after the "Introduction" and before we get into the detailed requirements. Following is some sample content that I had in mind:

1. Support for authentication via Mantis plugins by supporting protocols that validate a user name / password, as well as others that delegate the authentication process to another application (e.g. Open ID / CAS).

2. Support for single sign-on (e.g. Windows Login, CMS integration, etc). The single sign on should work for both Login and Logout scenarios.

3. Support for hybrid authentication. For example, employees are authenticated against LDAP where customers are authenticated using Mantis standard infrastructure.

4. Avoid sign-up when a user is authenticated but doesn't yet have a record in the DB. In this case, Mantis should pull the required data from the authentication plugin. For example, pull user information from LDAP when a user logs in for the first time.

5. Based on the plugin user for authentication, a user may not be able to edit some of the An authentication plugin should be able to mark some of the user profile information as read only. For example, user name or email may be marked as read only.

6. Once a user is signed up using a protocol, this protocol should be stamped on the user record and in the future the user should only be able to login via this protocol. For example, if a user is authenticated against Active Directory, then removed from Active Directory, then he/she should not be able to login against their user record in Mantis (use in termination of employment scenarios). -- This may cause a problem when a user logs in via Windows auth at work, but would like to login from home where he/she is not authenticated in Windows.
User avatar (0017539)
cdr-80 (reporter)
2008-04-02 08:53
edited on: 2008-04-02 08:56

Hello vboctor, NT,

I took the liberty of placing some comments en ideas in the document of NT
( [^]) Fore some reason, whatever edit button I used, I could never ever edit another section than the first one..

In reference to the requirements of vboctor:
@1: Implementing simpleSAMLphp will do this for you and add a lot of other protocols as well.
@2: see my remarks in the wiki page
@4: make a clear difference between authentication data and authorisation data, otherwise login may break if the delegated idp changes one of the user credentials. In general Mantis should only care about authorisation, not about authentication, other then providing a "local" module if no other form of authentication is available.
@5: see @4
@6: see my remarks in the wiki document. Futhermore, when using windows authentication, don't make a windows problem a mantis problem: a clean solution is for the home user to use a vpn to log on to the (remote) windows network.



User avatar (0019485)
jwhitcraft (reporter)
2008-10-01 16:57

What is the status of this? I would really love to use mantis but we already have an intranet user system and I don have to have to have another login for people to be able to submit bugs.
User avatar (0022836)
thungp (reporter)
2009-08-31 11:17

I am also interested in this feature as well. Could anyone who was previously working on this or who has done anything with this, provide what they know as far a status update? Or did it pretty much stop at a list of requirements?
User avatar (0023621)
looki (reporter)
2009-11-09 05:26

I'm interested on that feature too.
Any updates?
Has anyone experiences with the NIS integration?
User avatar (0025500)
andy778 (reporter)
2010-05-14 06:47

Have there been any plan when this is going to be implemented? 1.2.x or 1.3.x ?
User avatar (0027314)
Snaky (reporter)
2010-11-08 17:28

Hi, please consider using [^] for this - it will be the best solution for putting all the best php apps together!
User avatar (0027772)
rgomes1997 (reporter)
2011-01-02 23:06
edited on: 2011-01-02 23:07

+1 in regards to [^]

SimpleSAMLphp is far from trivial to configure but, once configured, it can remove from other webapps a lot of logic related to authentication and user provisioning.

For more information about user provisioning, look for module "selfregister" (a module for simplesamlphp). [^]

User avatar (0028273)
dpenezic (reporter)
2011-02-22 04:23

Hi, i did code modification and simpleSAMLphp work with mantibt 1.3.0 how ever it will be more nicely implement if mantisbt have auth-plugin environment
User avatar (0028288)
rgomes1997 (reporter)
2011-02-23 16:04

@dpenezic: Could you please provide more information? Thanks a lot :)
User avatar (0028290)
dpenezic (reporter)
2011-02-24 01:21

@rgomes1997: You may found patch, part of configuration, and simplesamlphp_api.php file on fallow link [^]
User avatar (0031742)
matti (reporter)
2012-05-02 02:56

Any progress on this feature?

PEAR Auth based patch looks quite complete and simple. Even the configuration for PEAR Auth is quite simple.

So as a default use multiple with variable number of Auth containers defined in config. [^]

- Issue History
Date Modified Username Field Change
2004-07-31 21:04 vboctor New Issue
2004-07-31 21:04 vboctor Relationship added related to 0003043
2004-07-31 21:05 vboctor Relationship added related to 0000287
2004-07-31 21:05 vboctor Relationship added related to 0003394
2004-07-31 21:06 vboctor Relationship added related to 0004234
2004-07-31 21:06 vboctor Relationship added related to 0004010
2004-07-31 21:07 vboctor Relationship added related to 0003303
2004-07-31 21:09 vboctor Category bugtracker => feature
2004-07-31 21:12 vboctor Relationship added related to 0003887
2004-07-31 21:15 vboctor Relationship added related to 0003847
2004-08-01 18:33 grangeway Status new => acknowledged
2004-08-03 11:47 thraxisp Note Added: 0006604
2004-08-04 06:31 vboctor Note Added: 0006619
2004-08-07 08:49 jlatour Status acknowledged => confirmed
2004-08-08 03:51 rlegros Note Added: 0006796
2004-08-08 04:13 jlatour Note Added: 0006798
2004-09-26 20:42 thraxisp Relationship added related to 0004292
2005-05-19 08:23 thraxisp Relationship added parent of 0003068
2007-07-06 10:44 vboctor Category feature => authentication
2007-07-18 05:15 edriede File Added: pear_auth.patch
2007-07-18 05:30 edriede Note Added: 0015090
2007-09-26 03:58 vboctor Relationship added related to 0008402
2008-01-26 08:47 NT Note Added: 0016824
2008-01-26 15:49 vboctor Note Added: 0016830
2008-01-27 03:58 vboctor Note Added: 0016833
2008-01-27 22:35 vboctor Relationship added related to 0007478
2008-01-27 22:35 vboctor Relationship added related to 0007432
2008-01-27 22:36 vboctor Relationship added related to 0006771
2008-01-27 22:36 vboctor Relationship added related to 0008012
2008-02-08 16:02 jreese Status confirmed => assigned
2008-02-08 16:02 jreese Assigned To => jreese
2008-03-20 08:33 jreese Relationship added has duplicate 0007989
2008-03-20 08:33 jreese Relationship added has duplicate 0006718
2008-04-02 08:53 cdr-80 Note Added: 0017539
2008-04-02 08:55 cdr-80 Note Edited: 0017539
2008-04-02 08:56 cdr-80 Note Edited: 0017539
2008-07-13 11:07 grangeway Relationship replaced has duplicate 0003394
2008-09-25 13:48 jreese Assigned To jreese => grangeway
2008-10-01 16:57 jwhitcraft Note Added: 0019485
2009-08-31 11:17 thungp Note Added: 0022836
2009-11-09 05:26 looki Note Added: 0023621
2010-02-07 07:40 dhx Relationship added related to 0011219
2010-05-14 06:47 andy778 Note Added: 0025500
2010-11-08 17:28 Snaky Note Added: 0027314
2011-01-02 23:06 rgomes1997 Note Added: 0027772
2011-01-02 23:07 rgomes1997 Note Edited: 0027772 View Revisions
2011-02-22 04:23 dpenezic Note Added: 0028273
2011-02-23 16:04 rgomes1997 Note Added: 0028288
2011-02-24 01:21 dpenezic Note Added: 0028290
2011-12-14 03:19 rombert Severity minor => feature
2012-05-02 02:56 matti Note Added: 0031742
2012-07-02 03:10 atrol Relationship added has duplicate 0007791
2012-07-02 03:11 atrol Relationship added related to 0012627
2012-07-02 03:11 atrol Relationship added related to 0007371

MantisBT 1.2.17 [^]
Copyright © 2000 - 2014 MantisBT Team
Time: 0.1271 seconds.
memory usage: 3,383 KB
Powered by Mantis Bugtracker