webtrees

Please do NOT expect all Feature Requests to be actioned automatically. Describing your proposal here will ensure the development team are aware of it, and they will give it careful consideration.

TOPIC: LDAP

LDAP 1 year, 8 months ago #1

I would like to link authentication to ldap.

It would be nice if the user could then be linked to their gedcom entry as well, either manually or automatically.

Thanks for any thoughts on moving forward.

Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 1 year, 8 months ago #2

webtrees has decided to use the Zend Framework for all new development, and as time permits, we'll rewrite existing code to use this library.

Its authentication module includes an LDAP option, so once this change is made, using LDAP, OpenID or any other external authentication scheme should be feasible.

So, there is a long-term plan that will lead us there. Short/medium term, you'd have to write something yourself. We don't have the resources.

As to linking individuals to their gedcom entry - this is already standard functionality. From the user-admin page, you'll have the ability to link each user to a person (or persons - if they exist in multiple gedcoms).
Greg Roach - fisharebest.webtrees.net

Re: LDAP 1 year, 8 months ago #3

Thank you! I look forward to it.

Do you have a time frame for the Zend Framework implementation?
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 1 year, 8 months ago #4

ToyGuy (Stephen) - Moderator
Mike,
Greg's answer wasn't specific enough?
"and as time permits, we'll rewrite existing code to use this library." and
"So, there is a long-term plan that will lead us there. Short/medium term, you'd have to write something yourself. We don't have the resources."

LONG TERM in the answer. To me, that means some time next year at best unless you wish to add your programming talent and tackle it sooner - which would be very welcome.
Stephen - a webtrees team member
webtrees v1.3 svn at MyArnolds.com
Hosted by webtreesonline.com, a division of GeneHosts LLC
MacOS-X 10.6.8, Apache 2.2.21, PHP 5.3.10, MySQL 5.5.21-64 bit

Re: LDAP 1 year, 8 months ago #5

Thanks again and for the detailed answer.

I don't have programming experience so I would not be able to provide help.
My experience is enough to install the apps.

My website runs joomla, phpbb3, mediawiki, phpgedview, just to name a few. And I use jfusion, just as it looks like webtrees does :)
But jfusion is currently limited to a few apps, and the future 2.0 version might work.

So, I look to make an SSO site experience with LDAP. My addressbook is in LDAP too. :)

Well, thanks again, and if I can help I will.
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 1 year, 4 months ago #6

Hi Greg,

I was wondering if there was progress on the LDAP Module.
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 1 year, 4 months ago #7

Sorry no. There are lots of other things that are taking priority.
Greg Roach - fisharebest.webtrees.net

Re: LDAP 12 months ago #8

Hi Greg,

Has there been progress using the new code to integrate ldap or any other login mechanism?

Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 12 months ago #9

I haven't looked at this. I've never used LDAP, and don't have an LDAP server to test/develop against.
Greg Roach - fisharebest.webtrees.net

Re: LDAP 12 months ago #10

bonbonthejon (Jon - DBA/programmer by day, genealogist by night)
Greg,
Any hints at where to look to even begin thinking about changing the Zend authentication code?
iMac 2.93 GHz, Mac OS X 10.6.7, Apache 2.2.17, php 5.3.4, MySQL 5.5.9, webtrees 1.2.3 (release)
bonbonthejon.is-a-geek.com/webtrees

Re: LDAP 12 months ago #11

Tell me how you think this will work - how it will integrate to webtrees, etc.

If the user accounts are held in an external system, how will the user management system work? How will the registration system work?

Is it just passwords/authentication? If so, how do we synchronise the user list in webtrees with the user list in the external server? Or, do we move *all* user settings (e.g. language prefs) to the external server?

I am completely failing to see any advantage to this. Hence it is always likely to have a lower priority than pretty much any other enhancement.
Greg Roach - fisharebest.webtrees.net

Re: LDAP 11 months, 3 weeks ago #12

Greg,

I understand the ignorance on how you see this working or integrating with Webtrees, based on the level of experience. This comes with just about anything, but with knowledge and some initiative then anything is possible. It just needs to have the right encouragement.
I have used some applications (phpbb3, mediawiki, joomla, and others) to point to ldap for authentication. It isn't necessarily a single-signon system, but keeps all accounts in a single database so authentication into any app uses the same id/password.
For webtrees, it could be that once the user is authenticated via LDAP and is in a "webtrees" LDAP group, a local account is created and then the admin is notified. The admin can choose to modify the local account with the INDI and tree if desired.

I think there are free ldap databases on the net to use for development purposes.

Regards,
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 11 months, 3 weeks ago #13

ToyGuy (Stephen) - Moderator
Mike
I'm a bit confused still.
"isn't necessarily a single-signon system, but keeps all accounts in a single database so authentication into any app uses the same id/password."
Unless I'm mistaken, you are encouraging users to access multiple programs with the same U/N and P/W?
Why would we wish to encourage users to be lazy and use bad habits? Doing so only creates a comfort level with them applying the same U/N and P/W to their email programs, bank and credit card accounts. Are we not asking to leave them vulnerable should one of their accounts be hacked, or they are careless with their login information?
Stephen - a webtrees team member
webtrees v1.3 svn at MyArnolds.com
Hosted by webtreesonline.com, a division of GeneHosts LLC
MacOS-X 10.6.8, Apache 2.2.21, PHP 5.3.10, MySQL 5.5.21-64 bit

Re: LDAP 11 months, 3 weeks ago #14

A true single sign-on on a website would mean the user authenticates once and, based on PHP sessions, has access to other apps on the site without having to re-authenticate.

This is a common practice on many websites and unknown to the user in most cases. Not encouraging lazy habits, but ease of navigation, because I have a few different apps that require authentication to use.

The vulnerability topic is out of this context of course.
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 11 months, 3 weeks ago #15

<<I understand the ignorance on how you see this working or integrating with Webtrees>>

Then tell me. Here's just a few questions that need answering.

1) The "new user" registration system. How will this work? Can only people with an existing LDAP account register?

2) The "account details" page. How will changes of user-id / password / email / etc. work? Can we write changes to the LDAP server, or just read them?

3) The "user admin" page. Ditto. Can we create users? Can we delete them?

4) webtrees usernames are case-insensitive. What happens when the LDAP server has accounts called ADMIN, Admin and admin?

5) Is there some sort of notification system, so that updates to the LDAP server are pushed out to webtrees. e.g. changes of username.
Greg Roach - fisharebest.webtrees.net

Re: LDAP 11 months, 3 weeks ago #16

6) What information do we store in the LDAP server? For example, do we store account attributes (e.g. the wt_user_setting) table there?

7) Single-sign-on is about sharing sessions as well as user account details. Where do we pick up session / user identification from?
Greg Roach - fisharebest.webtrees.net

Re: LDAP 11 months, 3 weeks ago #17

bonbonthejon (Jon - DBA/programmer by day, genealogist by night)
I've worked with LDAP at work and setup some web applications to authenticate with LDAP. Also, at one point, I was running an LDAP server at home with authentication for Wordpress, Mediawiki, and some other web applications. LDAP offers the ability to have a single username/password for all services or applications from a single organization.

Here is how it works for LDAP and Mediawiki, I would imagine it would work similarly.

The LDAP directory stores username, password, fullname, etc. In the configuration files, you specify the LDAP server address, the naming schema of the users, and what data you want to pull from LDAP (usually name and email). Then users need to "create an account" which adds the record in the users table of Mediawiki with the username, fullname, and email from LDAP. After the account is created in Mediawiki, the user cannot change their username or password in Mediawiki, since they are linked to LDAP. They would need to use another method to change their LDAP password. They would still be able to change other user preferences (like language, theme/skin, etc).

Now for some answers to your questions:
1) A user would need to be in the LDAP directory before they could be added to webtrees, then they can request an account. For webtrees, they would need to enter their username and password, then the account creation process would authenticate the username and password, then retrieve the fullname and email.
2) The admin could change the username and email, but not password. The admin would just need to make extra sure that the change correctly matches the LDAP directory.
3) You would be able to create a user by entering username, fullname, and email, since we don't have that new users username/password to retrieve from the LDAP directory.
4) LDAP is usually case-insensitive
5) Usernames shouldn't change.
6) The LDAP directory houses username, password, fullname, and email, but webtrees should still store username, fullname, and email, excluding the password, since that is stored in the LDAP directory.
7) LDAP is different from single-sign-on. LDAP just allows single credentials, not sessions sharing.
iMac 2.93 GHz, Mac OS X 10.6.7, Apache 2.2.17, php 5.3.4, MySQL 5.5.9, webtrees 1.2.3 (release)
bonbonthejon.is-a-geek.com/webtrees

Re: LDAP 11 months, 3 weeks ago #18

ToyGuy (Stephen) - Moderator
Then it does force the same U/N and P/W across multiple programs, and it completely removes the flexibility of a webtrees user to change U/N and P/W if they believe their account has been compromised or they have a different direction they wish to go.

I'm still very confused as to what advantage there is for webtrees? We are a genealogy program and have little intent to encourage sharing a server with other purposes, especially if it puts our data security at even a minimal risk through a back door hook or security weakness in another program.
Stephen - a webtrees team member
webtrees v1.3 svn at MyArnolds.com
Hosted by webtreesonline.com, a division of GeneHosts LLC
MacOS-X 10.6.8, Apache 2.2.21, PHP 5.3.10, MySQL 5.5.21-64 bit

Re: LDAP 11 months, 3 weeks ago #19

It does use the same uid/pw, yes. But it does not necessarily force the admin to implement the LDAP feature.

The benefit to webtrees is adding authentication flexibility, if the administrator chooses to use it.

I think the debate on security of a user getting compromised still holds true with the existing scheme.

Other than what has been previously collaborated and debated, I think this can be closed unless someone has a desire or initiative to learn how to add the option for ldap.

Regards,
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 8 months, 3 weeks ago #20

I am also looking for some sort of single sign on support in Webtrees (LDAP, OpenID, etc).

Here's my use case:

I have a set of family web services that we want to use to share photos, have conversations, and archive family history. Many members of the family would want to contribute, but quite a few have trouble keeping track of numerous user accounts when each web service maintains a separate user database.

A single user database for usernames and passwords would make it easier for these users. Also, it would actually be easier to change the password on the family services since they only need to do it once instead of across 4 or 5 different systems.

I can certainly understand if this functionality remains a lower priority, but it is still worthwhile to explain how it would be useful to some.

Thanks for a great piece of genealogy software!
I'm running: webtrees v1.1.1, PHP 5.3.2, MySQL 5.1.41

Re: LDAP 8 months, 3 weeks ago #21

ToyGuy (Stephen) - Moderator
Eric
Sorry, but I can speak with some authority, based on a long relationship with the rest of the team and my understanding of our mission. There will be no unification of login procedures with any other system nor change to our system allowing access by other programs in the foreseeable future. It is not only a security risk, but not on any team member's current agenda. If you need one, you'll have to write or collaborate with someone on creating your own.
Stephen - a webtrees team member
webtrees v1.3 svn at MyArnolds.com
Hosted by webtreesonline.com, a division of GeneHosts LLC
MacOS-X 10.6.8, Apache 2.2.21, PHP 5.3.10, MySQL 5.5.21-64 bit

Re: LDAP 8 months, 3 weeks ago #22

bonbonthejon (Jon - DBA/programmer by day, genealogist by night)
I started looking at the code to see how hard it would be to allow LDAP. I think the only thing that would need to be changed would be the authenticateUser function in includes/authentication.php (or check_user_password function in includes/functions/functions_db.php). Those functions take the username and entered password, and compare the password against the password field in the user table. The change would need to check the password against the LDAP database.
iMac 2.93 GHz, Mac OS X 10.6.7, Apache 2.2.17, php 5.3.4, MySQL 5.5.9, webtrees 1.2.3 (release)
bonbonthejon.is-a-geek.com/webtrees
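The following is an added example written for this page, not webtrees code and not code from any poster. It is in PHP because that is what webtrees is written in, and it shows the flow Jon describes in #17 (look the user up, verify the password against the directory, pull fullname and e-mail, create a local account with no local password) as a drop-in for the password check he points at in #22. It also handles two of Greg's questions in #15: the ADMIN/Admin/admin case-collision (#4) and a group gate like the "webtrees" group Mike suggested in #12. The server URI, base DN, service account, group DN and the `$find`/`$insert`/`$notify` callbacks are placeholders; `ldap_escape()` needs PHP 5.6 or later, which is newer than the PHP versions in this thread's signatures.

```php
<?php
// Added example, not webtrees code: LDAP "bind as the user" authentication
// plus first-login provisioning of a local account. Requires the PHP ldap
// extension. All DNs and hostnames below are placeholders.

$cfg = array(
    'uri'            => 'ldaps://ldap.example.org',                  // LDAPS: the user's password crosses this link
    'base_dn'        => 'ou=people,dc=example,dc=org',
    'bind_dn'        => 'cn=webtrees,ou=services,dc=example,dc=org', // read-only service account
    'bind_pw'        => 'service-account-secret',
    'required_group' => 'cn=webtrees,ou=groups,dc=example,dc=org',   // '' disables the group gate
);

/**
 * Returns array('username', 'realname', 'email') on success, null on failure.
 * The password is only ever sent to the directory in a bind; nothing is
 * compared or stored locally.
 */
function ldap_authenticate($username, $password, array $cfg)
{
    // ldap_bind() with an empty password is an anonymous/unauthenticated bind,
    // which many servers accept. It must never count as a login.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($cfg['uri']);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Step 1: find the user's DN using the service account. The username goes
    // through ldap_escape() so that input like "*)(uid=*" cannot rewrite the
    // filter (LDAP injection).
    if (!@ldap_bind($ds, $cfg['bind_dn'], $cfg['bind_pw'])) {
        ldap_unbind($ds);
        return null;
    }
    $filter  = sprintf('(&(objectClass=person)(uid=%s))',
        ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr      = @ldap_search($ds, $cfg['base_dn'], $filter, array('uid', 'cn', 'mail', 'memberOf'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;

    // Greg's question 4: uid is normally matched case-insensitively, so a
    // directory holding ADMIN, Admin and admin returns three entries here.
    // Refuse rather than guess which one the password belongs to.
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return null;
    }
    $entry = $entries[0];

    // Step 2: prove the password by binding as the user's own DN.
    if (!@ldap_bind($ds, $entry['dn'], $password)) {
        ldap_unbind($ds);
        return null;
    }
    ldap_unbind($ds);

    // Step 3 (Mike's "webtrees" group): require group membership. Assumes the
    // server exposes memberOf (Active Directory does; OpenLDAP needs the
    // memberof overlay). ldap_get_entries() lower-cases attribute names.
    if ($cfg['required_group'] !== '') {
        $groups = isset($entry['memberof']) ? $entry['memberof'] : array('count' => 0);
        $member = false;
        for ($i = 0; $i < $groups['count']; $i++) {
            if (strcasecmp($groups[$i], $cfg['required_group']) === 0) {
                $member = true;
            }
        }
        if (!$member) {
            return null;
        }
    }

    return array(
        'username' => strtolower($entry['uid'][0]),   // webtrees usernames are case-insensitive
        'realname' => isset($entry['cn'][0])   ? $entry['cn'][0]   : $username,
        'email'    => isset($entry['mail'][0]) ? $entry['mail'][0] : '',
    );
}

/**
 * First-login provisioning (post #17): create the local row from directory
 * data with NO local password, so the ordinary password form can never be
 * used to bypass the directory. $find/$insert/$notify are hypothetical
 * callbacks standing in for the application's user table and admin mail.
 */
function provision_from_ldap(array $user, $find, $insert, $notify)
{
    $existing = $find($user['username']);
    if ($existing !== null) {
        return $existing;
    }
    $row = array(
        'user_name'         => $user['username'],
        'real_name'         => $user['realname'],
        'email'             => $user['email'],
        'password'          => null,   // authentication happens in LDAP only
        'verified_by_admin' => 0,      // admin still links the INDI and tree
    );
    $insert($row);
    $notify('New LDAP user awaiting approval: ' . $user['username']);
    return $row;
}

// Where the check in post #22 would call it:
// $user = ldap_authenticate($_POST['username'], $_POST['password'], $cfg);
// if ($user === null) { /* deny, or fall back to the local password check */ }
```

Two points worth checking in any real deployment: the empty-password guard at the top is not optional, because an anonymous bind returning true is the classic way an LDAP login path gets bypassed; and the `memberOf` attribute is server-specific, so on a directory without it the group test should instead search the group entry for the user's DN.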

Re: LDAP 8 months, 3 weeks ago #23

I can supply temporary access to an LDAP server for testing. This is a move in the right direction for admins of a family-based website who want central authentication, or if the site contains applications that are separate and do not want to use SSO.
Mike
webtrees Version: 1.0.4; PHP Version: 5.2.11; MySql Version: 5.1.36; Apache Version: 2.0; Linux on QNAP

Re: LDAP 5 months, 3 weeks ago #24

I do believe that you have misunderstood the intent of what they are trying to accomplish. If I own the domain family.com and have family.com/genealogy, family.com/blogs, family.com/forums, etc. for users to view the family tree, write blogs on what their family is doing, and to communicate with each other, I don't want them to have to register for each of those separately, then login separately each visit. I believe that some of the misunderstanding is that you view webtrees as the entire application (which is fair), and many of the users on this thread view it as an integrated part of a larger application (which is also fair). Imagine if Facebook had different logins for viewing images, posting on walls, creating events, etc. No one would use it because it's too much of a pain.

Really, LDAP is just one means to an end. Another is to alter code to use the same database/table between all sets of code for authentication. Another might be to link accounts together so that when you log in in one place, it logs you in to the rest of the applications. Using Facebook or Google for authentication is another.

Usually, integration like this is done by keeping the basic authentication information in the LDAP server while the rest of the meta data about that user (settings, linked GEDCOM, etc.) would still exist in your database. Essentially, this is kind of like object orientation. LDAP would be the base class which handles the very basic authentication and each of the applications are the classes that extend it with meta data controls.

I am currently only using webtrees, so I'm not looking for this right now, but once I get webtrees setup more to my liking, then I will be adding forums with the hopes that I can get my family to become regulars on the site and maybe help. For that to work, I'll need a unified login process, and I'll probably try to link the forums to individuals so that there can be some discussion. Basically, this should be a concern if you would like to encourage integration with other projects.
Self-hosted webtrees 1.2.4
Intel Core 2 Duo 4300 1.6GHz 4GB RAM
Apache 2.2.17 PHP 5.3.3 MySQL 5.5.8

Re: LDAP 5 months, 3 weeks ago #25

Jackie (French but understand English) - Moderator
Hello jmblackmer,

"...I'll need a unified login process, and I'll probably try to link the forums to individuals so that there can be some discussion. Basically, this should be a concern if you would like to encourage integration with other projects."

I think Stephen answered this very clearly (post #21):

"Sorry, but I can speak with some authority, based on a long relationship with the rest of the team and my understanding of our mission. There will be no unification of login procedures with any other system nor change to our system allowing access by other programs in the foreseeable future. It is not only a security risk, but not on any team member's current agenda. If you need one, you'll have to write or collaborate with someone on creating your own."
gazaillegenealogie.com - tetreaugenealogie.org - Windows 7 - 64 bits. - webtrees 1.2.7 - php 5.3.6 - MySQL 5.0.92-community