Here goes...
Objective
The purpose of this development is to allow multiple methods of authentification for the Postnuke CMS (for example, allow users to login using their LDAP accounts, their POP accounts, etc.)
We consider that such a development, due to it's integration with existing systems, will greatly increase the acceptation of Postnuke in enterprise environments.
Requirements
We have identified the following requirements for such a development:
1. Allow definition of an external realm that will be used for authentification
2. Allow specifying which users will use the external realm for authentification. This includes the cases when the administrator of the site knows the credentials of the local user on the external realm, and when he does not.
3. Allow users that do not yet have a Postnuke account, but that are correctly identified by the external realm, to login into the system (new postnuke user records will be created for them)
4. Allow the import of a list of users accounts (possibly through the UserImport module), and setting the correct external authentification information for them.
5. In case the external realms are temporarily not available, allow users to login through the normal internal procedure. This means that in all cases, user records must exist for each user (including the externally authentified ones)
Implementation
We have chosen a hybrid approach of integration with the existing code of Postnuke.
The main functionality will be contained in a module, and changes will be made to the core to allow easy setup of the users' accounts and an easy transition from older installations of Postnuke.
The module will provide a framework allowing implementation of different realm models. Thus, in case another method of authentification is needed (excepting the ones we will implement), all one will need to do is writing the code for another realm model.
For example, we predict writing a LDAP realm model, a POP realm model, an external database realm model, a XML-RPC realm model.
The module will also support multiple external authentification realms (using more than one method of authentification, at the same time). The administrator of the site will be able to configure the Postnuke system to accept logins from one or more LDAPs, from a POP realm, etc. at the same time.
It will also provide the necessary API for the verification of the users accounts.
At the internal database level, the table that describes the users will be kept unchanged, and a new table will be added, that will contain all the needed data for the external authentification.
For each realm, the information needed is divided in two sets:
- realm specific information (the name of the server providing authentification, a short description, connection parameters, possibly how to retrieve any information that is needed in postnuke – i.e. the email – from the server) – this will be administered by the realm model code.
- postnuke specific information: if to allow external users that do not yet have an account to login in the system, the group in which such users will be placed – this will be administered by the module code.
The modifications to the core will be mainly at a graphical level. We have chosen to use as starting point the PNUserHack, and add code to this hack, rather than touch the core. The purpose of these modifications will be to allow the setup of the external authentification method at the same time as the setup of the "normal" PN user accounts.
The core modifications are briefly described here:
- User administration (for administrator): for each user and for each external server (as described in the module) add the necessary interface for allowing the user to login through the specified server, and for deciding which external account corresponds to the user, or for letting the user specify by himself the external account.
- Administration of a user's account (by himself): if the administrator allowed it, permit specifying which external account corresponds to the user.
Of course, the status of this document and of the development is still alpha (meaning we have a pretty good idea of what we want, and we are just starting to look around in the code and to implement things). We are however willing to invest a good amound of effort in this development, and we feel that all users and Postnuke in general could benefit from such add-on.
Best regards,
Tibi Dondera
Additional links:
http://atelier.epfl.ch - the site that contains some of our other modules. We are planning of posting shortly another article about our current/finished developments. (sorry, french only)