LDAP for authentication back end

Bismillaahir Rahmaanir Raheem

For a long time now I’ve been wanting to setup an LDAP back end for various Hidayah Online Network resources, especially the Columbus Dawah project.  This has become particularly pressing as the Columbus Dawah website has three primary public services – the blog, the forums, the school.  Additionally, in the future I want to roll out webmail (publicly) for volunteers & administrators within the project.  The problem with running these disparate services is that they all have their own authentication built-in, which means someone needs to register on each site independently to access any services that require one to be logged-in.  Therefore, a system that would unify user authentication for all services (i.e., LDAP) would save a lot of hassle for both the users and myself.

Native support

Naturally, the first challenge is preparing the different software packages that run the various parts of the Columbus Dawah website for utilizing LDAP for authentication purposes.  The relevant bits of software are WordPress for the blog, phpBB for the forums, & Moodle for the school.  Additionally, I will use RoundCube for the webmail, but since it will act as an LDAP client, it will not need any special setup on it’s own – the back end IMAP e-mail server (Dovecot) will be the one that interacts with LDAP.  That will be described in another post, in shaaʾ Allaah.

Of these mentioned bits of software, it appears that only WordPress comes without some kind of native LDAP support.  While this will be a challenge moving forward, one plug-in exists that at least offer some support, but I’m not sure if it’s updated for the latest version(s) of WordPress.

Structure

Although I haven’t finalized it, there is definitely the hope that I can use LDAP for authorization as well as authentication.  While authentication would allow me to let someone login to the site, authorization would allow me to give different users different levels of access.

For example, let’s say we have a simple organization that has three “ranks” of members – member, volunteer, & officer (this is roughly based on the plan I am working on for Columbus Dawah).  Furthermore, we want to grant different levels of access to the site’s resources depending on a user’s rank.  For a regular member, we would like to allow to him to login, post to the forums, post comments on the blog, and enroll in courses in the school.  For a volunteer, we would like to add to that the ability to have an e-mail account.  Finally, for officers, we would like them to have access to make blog posts and create & edit courses in the school.

Authentication alone would only allow us to grant or disallow access site-wide using one account.  Authorization gives us that additional feature of granularity to allow access to some or all of the site based on permissions.  LDAP supports all of this, but it is up to the underlying software to enable such features through LDAP authorization in a way that makes sense for the application.  As all the aforementioned applications have a concept of groups or roles with different sets of permissions or capabilities, and as I intend to utilize such features as the project grows, the ability to authorize users as well as authenticate them is tantalizing at the very least, and down right essential the more I think of it.

Fedora Directory Server

The specific LDAP server I intend on using is the Fedora Directory Server (website).  First and foremost, naturally, it’s open source.  And, the fact that I’m choosing an LDAP server that is related to the Fedora Project really should come as no surprise to anyone with even the slightest familiarity with this blog.

However, FDS is also quite an advanced LDAP server, supporting a slew of enterprise-level features while, according to most accounts, being reasonably easy to work with.  Therefore, it is quite a good choice, and may very well be the best one.  Time will tell how close to the truth that statement is.

What’s next?

So, what’s next?  Well, the most glaring obstacle right now is that I have zero experience working with and/or configuring an LDAP server, so I’m going to start by just playing around with the protocol and see if LDAP will work as smoothly as I hope it will.  If I feel comfortable enough with that, then my first foray into LDAP will likely be to configure my new e-mail server to use it as a backend.  That should prove to be quite interesting, moving forward.  So, stay tuned and I’ll do my best to keep things updated!

Leave a Reply

Your email address will not be published. Required fields are marked *