**LDAP investigation**

Idea:
* move current typo3.org users from mysqldb to ldap

Requirements:
* Authenticate frontend and/or backend users using LDAP or Central Authentication Service (CAS). Provide SSO authentication service. Support for OpenLDAP, Active Directory and Novell eDirectory. Handle TLS and SSL (ldaps://).
  * why are all of these requirements? IMHO we can drop CAS, AD and eDirectory, as well as TLS (if you mean StartTLS by that) ~stg
  * => (don't know what's in use currently - keep it just as brainstorming only. Meant TLS as SSL follow-up)
* use SSL encryption between typo3.org and LDAP server
* Problem: moving/migrating passwords from phpass (used by typo3.org / MySQL, see http://www.openwall.com/phpass/) to a format supported by the LDAP implementation, e.g. CRYPT, MD5, SMD5, SSHA and SHA, ...

Possible TYPO3 CMS 4.5/6.2 extensions:
* most ldap extensions are outdated
* maybe this one: http://typo3.org/extensions/repository/view/eu_ldap > 4.4.11 / 2012
* looking best at the moment: http://typo3.org/extensions/repository/view/ig_ldap_sso_auth > 6.2.99 / 24.06.2014 (Attention: read http://xavier.perseguers.ch/tutoriels/typo3/articles/ldapactive-directory.html because the extension's manual is poor)
  * => should not be the case anymore, please suggest changes if needed :)
* Open Questions:
  * is it possible to change a password in TYPO3 and write it back to the LDAP server?
    * From extension ig_ldap_sso_auth manual: "Records of existing users are updated. For new users imported from the directory random passwords will be inserted!"
    * => ANSWER: it does not update in LDAP, this is the way it should be done: update method in http://xavier.perseguers.ch/tutoriels/typo3/articles/ldap-backend-for-extbase.html (a feature request is pending though: https://forge.typo3.org/issues/60208)
    * Not at the moment. When logging in the password will be sent RSA encrypted to typo3.org. Theoretically it might be possible to get hold of the plaintext password during login and migrate it then. -> Christian Z checks that (it's possible and done like that since LDAP extensions actually need the plain text password to authenticate, it's $password = $this->login['uident_text'])
  * when will TYPO3.org be migrated to TYPO3 6.2?
    * Probably not this year. Differing from our initial knowledge, the Marketing Team does not plan a redesign, so the T3O Team still needs to decide how to go on. Will be done in the next sprint (end of July)
  * compatibility with TYPO3 4.5 + TYPO3 6.2
    * ig_ldap_sso_auth (4.5 + 6.2), supports FE & BE users and SSO (does not yet support SSO as you think of it, but even then, won't make sense in case of typo3.org)
    * eu_ldap (4.5 ok., 6.2=?)
      * => The author of eu_ldap created a new version which is not public, but compatible with TYPO3 6.x: http://www.entios.de/t3/ldap-anbindung/

LDAP server, i.e. SLAPD (Standalone LDAP Daemon):
* OpenLDAP => http://www.openldap.org/
  * (This client API supports
    * LDAP over TCP (RFC 4511),
    * LDAP over TLS/SSL,
    * LDAP over IPC (UNIX domain sockets).
    This API supports SASL (RFC 4513) and Start TLS (RFC 4513) as well as a number of protocol extensions. This API is loosely based upon the IETF/LDAPEXT C LDAP API draft specification, an (orphaned) work in progress.)
* 389 Directory Server => http://port389.org/wiki/Main_Page
* ApacheDS™ - LDAP and Kerberos server written in Java http://directory.apache.org/apacheds/ (via Christian T)
* We'll use slapd because its .deb packages are included in several Debian releases (squeeze [old stable], wheezy [stable], jessie [testing], sid [unstable]) and port389 has to be built from scratch (download *.tgz, configure, make, make install) on Debian systems

LDAP modules:
* SimpleSAMLphp => https://simplesamlphp.org/docs/1.5/ldap:ldap
* KERBEROS => https://wiki.debian.org/LDAP/Kerberos
  * =>

LDAP tools:
* Apache Directory Studio, LDIF editor => http://directory.apache.org/studio/
* JXplorer => http://www.jxplorer.org/
* phpLDAPadmin => http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
* LDAP Account Manager => https://www.ldap-account-manager.org/lamcms/
* shelldap => https://bitbucket.org/mahlon/shelldap
* Admin4 => http://www.admin4.org/
  * => optional but not required

Scripts:
- ldapscripts (Simple shell scripts to handle POSIX entries in an LDAP directory) => http://sourceforge.net/projects/ldapscripts/

Next steps:
* Decide for TYPO3 LDAP extension (will be used on typo3.org)
* Test LDAP environment
* Test authentication on TYPO3.org dev site
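The password-migration problem above (phpass hashes in MySQL cannot be converted to {SSHA} offline, so the only safe moment is a successful login, when the plaintext is available as `$this->login['uident_text']`) as an added worked example. This is illustrative Python written for these notes, not code from TYPO3, ig_ldap_sso_auth, eu_ldap or the phpass library; it re-implements phpass's published portable-hash algorithm so it runs without PHP, and builds the {SSHA} value slapd expects plus an LDIF modify record instead of talking to a live directory. The user name, base DN and the idea of emitting LDIF are assumptions; the `$P$9IQ…` hash is the reference vector that ships with phpass's own test script.

```python
"""Migrate a phpass portable hash to an LDAP {SSHA} userPassword at login time.

Illustrative code added to these notes; not from TYPO3, phpass or any extension.
Flow: verify the submitted password against the MySQL phpass hash; only on
success derive a fresh {SSHA} value and emit the LDIF that replaces
userPassword in slapd. A failed login produces nothing, so a wrong guess never
reaches the directory.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# phpass's custom base64 alphabet (same order as crypt(3) uses).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's encode64(): 3 bytes -> 4 chars, little-endian, no padding."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_verify(password: str, stored: str) -> bool:
    """Check a password against a '$P$' / '$H$' portable phpass hash."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])      # iteration count is 2**count_log2
    if count_log2 < 7 or count_log2 > 30:
        return False
    count = 1 << count_log2
    salt = stored[4:12].encode()
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):                   # phpass: do {...} while (--count)
        digest = hashlib.md5(digest + pw).digest()
    computed = stored[:12] + _encode64(digest, 16)
    return hmac.compare_digest(computed, stored)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """RFC 2307 style value slapd accepts: {SSHA}base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the salted SHA-1 from the stored value (salt is the tail)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def migrate_on_login(username: str, password: str, phpass_hash: str, base_dn: str) -> Optional[str]:
    """Login-time hook: returns an LDIF 'modify' record for slapd when the
    phpass hash verifies, None otherwise (nothing is written on a failed login).
    The uid=<user>,<base_dn> layout is an assumption for this example."""
    if not phpass_verify(password, phpass_hash):
        return None
    return "\n".join([
        f"dn: uid={username},{base_dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {ssha_hash(password)}",
        "",
    ])


# Constructed sample: phpass's own reference vector ("test12345") standing in
# for a fe_users row from the typo3.org MySQL database.
SAMPLE_USER = "alice"
SAMPLE_PHPASS = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
SAMPLE_BASE_DN = "ou=people,dc=example,dc=org"   # assumed directory layout

if __name__ == "__main__":
    ldif = migrate_on_login(SAMPLE_USER, "test12345", SAMPLE_PHPASS, SAMPLE_BASE_DN)
    print(ldif if ldif else "login failed, nothing migrated")
```

Only users who actually log in get migrated this way; everyone else keeps the random password the ig_ldap_sso_auth import assigns, which is exactly the gap the notes' open question is about. Piping the returned record into `ldapmodify` over ldaps:// keeps the plaintext off the wire, matching the SSL requirement listed above.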