
Re: Re-authentication proposal for LedgerSMB 1.3 (HTTP Auth)





On 10/3/07, Joshua D. Drake <..hidden..> wrote:


> We are making this far more complicated than it needs to be. Let's just
> make it so ssl is part of the ledgersmb requirements and include the
> docs to handle that. We can even include a simple wizard that will
> create the postgresql ssl stuff.


Apache/PostgreSQL authentication can still be done via any auth method.  SSL would be nice for this leg but it is not where the issue is (which is between the browser and Apache).
 
So I think we definitely should recommend the use of SSL on that leg, but I am not convinced we can't trust administrators to make intelligent choices here.

> Further, we should make it part of the requirements that a user use
> https to talk to lsmb as well.


Agreed that this should be a documented requirement for any access over the network.

One thing we *can* do is change the default configuration to only accept connections to the app on the Apache side from Localhost.  This way they have to knowingly change it.  It is similar to the approach PostgreSQL takes.  You want to run this over a network? You have to explicitly enable it.

That is a simple change and would go a long way to balancing security and newbie installability.

Best Wishes,
Chris Travers
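As an added illustration (not part of the thread or the LedgerSMB project), the "only accept connections from localhost by default" change above written as Apache 2.2-era configuration, with the default-open block beside the restricted one; /srv/ledgersmb is a placeholder install path, not the project's actual layout.

```apache
# Added example, not LedgerSMB's shipped config. /srv/ledgersmb is a placeholder path.

# 1. Default-open: any host that can reach the web server can reach the app.
#    Combined with HTTP Basic auth over plain HTTP, credentials cross the
#    browser-to-Apache leg in the clear, which is the leg the thread worries about.
<Directory /srv/ledgersmb>
    Order allow,deny
    Allow from all
</Directory>

# 2. Localhost-only default: remote clients receive 403 until an administrator
#    knowingly widens the Allow list (and, per the thread, fronts it with HTTPS).
<Directory /srv/ledgersmb>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Directory>

# Apache 2.4 expresses the same restriction with a single directive:
#     Require local
#
# The PostgreSQL precedent the post points to is the equivalent setting in
# postgresql.conf, which is also localhost-only unless explicitly changed:
#     listen_addresses = 'localhost'
```

Verify with `apachectl configtest` after editing, then confirm from another host that the path returns 403 before widening access.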



_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel