[SAC] LDAP in Drupal

Jason Birch Jason.Birch at nanaimo.ca
Wed Dec 19 16:43:59 EST 2007


Frank wrote:
-----------------
I think this is great news (despite some early concern).
-----------------

I have to say, I still have some concerns.  Is running the entire Drupal
auth under a manager role really worth allowing users to reset their own
passwords via Drupal (which is, as I understand it, the only additional
benefit?)  Regardless, I think that whatever role Drupal is running
under should have the least possible privileges required to perform the
necessary functions.  Not being an LDAP guru, I don't know what that is,
but we should definitely avoid giving Drupal what amounts to Domain
Administrator role in AD.  That's just asking for trouble when/if a
Drupal exploit emerges.

Apart from this concern, I have ongoing lack-of-sleep about
allowing/defaulting-to standard http for authentication of both Drupal
and Trac instances.  If there are any mods available to ensure that
logins are only accessed under SSL, I would be feeling a little more
comfortable.

Jason

