
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)



On 10/3/07, Chris Travers <..hidden..> wrote:


On 10/2/07, David Tangye < ..hidden..> wrote:
On 10/3/07, Chris Travers <..hidden..> wrote:
Perhaps more effort needs to be made with the LSMB installer. I still am not running it because it does not install on a standard Ubuntu desktop box.
Agreed, at least as far as Windows goes.  But consider Ubuntu.  Do you *really* want us writing global options to your Apache configuration file, possibly overwriting SSL options, etc?  I think the case can be made that on Linux, the responsibility for setting up the servers beyond some basic settings should be the responsibility of the administrator.

 1. Which global options are you referring to? Any that can't be contained in an application-config file in APACHE_DIR/conf.d/...?

If we want to be truly secure we should require SSL on all connections.

I can't comment on that. I am not up on SSL much at all. It's just been a concept to me for the past year or 10. Sounds like you have it under control. :-)

 2. Ubuntu and many Linux distros are focussed on being useable by individuals who would not be considered 'administrators', e.g. home users and small businesses that currently run Windows. The software has to install itself and take care of itself. If it can't, "it doesn't work" and it gets chucked out again. Are you interested in catering for these users?

If this is a single user machine and you are only going to access the application locally, then the above problem can be resolved by simply requiring that all connections come from localhost by default (which may not be a bad option).  The SSL issue is not a major one.

Great! So I can forget SSL for another 10 years :-). It seems reasonable to me to have the LSMB (Small Medium businesses) deployed with the web server and the db server always on the same box.

However, if you want to access it over the network, this is going to be a more interesting process, and something which is likely to require some basic skill or assistance to do properly for at least the foreseeable future.

Fine. At that point, bring in sysadmins. Bring in bureaucracy. Bring in the whole nine yards. This is no problem for medium to large businesses and, 'God Bless Them', Government Departments.

I suppose one could walk people through a configuration wizard which includes questions like "do you have an X.509 certificate?" but I think the users you are thinking of would be more rather than less confused by this.

Agreed.

--
The Last Great Frontier is in Your Mind
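
The two defaults discussed in the thread (accept connections only from localhost, and require SSL so HTTP Auth credentials never travel in the clear) can live in a single drop-in file under APACHE_DIR/conf.d/ rather than in the global Apache configuration. The fragment below is an added illustration, not a file from the LedgerSMB project or from anyone on the thread; it assumes Apache 2.4 directive syntax and uses /srv/ledgersmb as a placeholder for wherever the application is installed.

```apache
# Added example: APACHE_DIR/conf.d/ledgersmb.conf (not from the thread).
# Assumes Apache 2.4 (mod_authz_host, mod_ssl, mod_alias, mod_cgi loaded).
# /srv/ledgersmb is a placeholder install path, not the project's real one.

# Serve the application's scripts as CGI under /ledgersmb.
ScriptAlias /ledgersmb /srv/ledgersmb

<Directory "/srv/ledgersmb">
    # Default posture for a single-box install: only the machine itself
    # may talk to the application. "Require local" matches 127.0.0.0/8,
    # ::1 and the host's own interface addresses; everything else gets 403.
    Require local

    # Refuse any request that did not arrive over TLS, so the HTTP Auth
    # header is never sent in plaintext. This needs a VirtualHost with
    # "SSLEngine on"; a plain-HTTP request to this path is denied (403).
    SSLRequireSSL
</Directory>

# Opening the application to a LAN is the "more interesting process" from
# the thread: replace "Require local" with an explicit allow-list instead
# of removing the restriction, for example (192.0.2.0/24 is a constructed
# documentation range, not a real deployment):
#
#   Require ip 192.0.2.0/24
```

Because the restrictions live in their own conf.d file, an installer can drop it in (and a package can remove it) without touching SSL or other settings the administrator already has in the main Apache configuration.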