Re: 1.3 server setup over the internet
- Subject: Re: 1.3 server setup over the internet
- From: Chris Travers <..hidden..>
- Date: Fri, 22 Jul 2011 14:15:45 -0700
On Fri, Jul 22, 2011 at 1:52 PM, John Griessen <..hidden..> wrote:
> On 07/22/2011 02:39 PM, Chris Travers wrote:
>> SSL is currently supported.
>> The second question has to do with supporting appropriate types of
>> PostgreSQL authentication methods. Do you have a need to authenticate
>> against some form of single sign on server? If so, we can support
>> LDAP and PAM as methods of authentication right now
> I don't have any LDAP server yet. I use PAM with debian linux and am
> switching to ubuntu and will use PAM.
Ok, a little more info is in order here. LedgerSMB 1.3 uses
PostgreSQL's authentication to authenticate users. It passes
credentials to the db and the db decides whether to authorize the user
or not. PostgreSQL can then be configured to:
1) Accept all authentication requests (really not recommended!)
2) Password authentication against PostgreSQL passwords (recommended
for most users)
3) Password authentication against an external source, like PAM or
LDAP (optional, might make sense for some users)
4) Ticket authentication against Kerberos (not currently supported
but we could add it)
5) Ident authentication (not supported, cannot add it and no benefit
to doing so)
In general right now if it involves passing a username and password to
PostgreSQL, we can support it. If it involves some other credentials
we can probably support it with some effort if the browser can send
the relevant credentials and the web server can receive them unless
there is a reason why this cannot work (like client-side SSL
certificates used for authentication-- I don't think that could work)
>> The thing you have to think about regarding security for an accounting
>> system is the fact that an internet attack can mess up your data in
>> ways that can be painful, but an insider attack is far more dangerous
>> because it can be used to cover for theft, pointing evidence at other
>> people and the like.
> I'm a one person company just now. Soon I'll be using a fab shop separate from
> the house though, so multi location is important for me.
> I'll be setting up some tasks with separation
> of duties accounts and doing them myself and all from one location for a while first...:-)
If you are doing it all yourself, the reason for separation of duties
is to check against errors? Or interfacing with an automated system?
> I've read the manual as far as understanding there are approvals needing to be
> done by another in one mode. That's probably what you are suggesting -- to set
> up with approvals required from the start.
> What user roles make sense to set up?
> You always want chief/CEO/owner as a role, and at least one person who can do
> bookkeeping and needs approvals to post invoices purchase orders, write checks.
> How about web sales or POS bookkeeping? Does that role have different permissions than generic bookkeeping?
There are generic AR, AP, and GL bookkeeping roles. An individual
could be assigned to all three.
> How about inventory counting, shipping? Is there a special bookkeeping role with limited permissions
> you like to create for that set of tasks?
Right now, everything is pretty granular. We are more generally
missing ordinary bookkeeping roles and less generally missing "only
can do this" type roles. However inventory counting currently is
generally done as invoices against dedicated customer/vendor accounts.
I am working on an add-on for counting and adjusting inventory, and
in this regard you'd have one person entering the inventory and
possibly someone else generating the internal invoices accounting for
> John Griessen
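
The five PostgreSQL-side options listed in the message correspond to the METHOD column of pg_hba.conf. The following is an added example, not part of the original thread or of LedgerSMB: a Python check that labels each rule with the status given in the message and flags methods that send the password itself over rules that allow non-SSL connections. The sample file, the function names and the mapping of `gss`/`krb5` to the Kerberos option are assumptions for illustration; quoted fields are not handled.

```python
# Support status per pg_hba.conf method, as stated in the message above.
SUPPORT = {
    "trust": "accepts every request; not recommended",
    "md5": "PostgreSQL password; recommended for most users",
    "password": "PostgreSQL password",
    "pam": "external password source; optional",
    "ldap": "external password source; optional",
    "gss": "Kerberos ticket; not currently supported",
    "krb5": "Kerberos ticket; not currently supported",
    "ident": "ident; not supported",
}
CLEARTEXT = {"password", "pam", "ldap"}  # client sends the password itself

# Constructed sample pg_hba.conf (addresses are documentation ranges).
SAMPLE = """\
# TYPE  DATABASE  USER      ADDRESS                  METHOD
local   all       postgres                           ident
host    all       all       127.0.0.1/32             md5
host    all       all       192.0.2.0 255.255.255.0  pam pamservice=postgresql
hostssl all       all       192.0.2.0/24             md5
host    all       all       0.0.0.0/0                trust
"""


def parse_rule(line):
    """Return (conn_type, method) for one rule, or None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    if fields[0] == "local":          # local rules have no ADDRESS column
        return fields[0], fields[3]
    # host* rules: ADDRESS is one CIDR/name field, or an IP plus a netmask field
    idx = 5 if ("." in fields[4] or ":" in fields[4]) else 4
    return fields[0], fields[idx]


def audit(text):
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        conn, method = rule
        note = SUPPORT.get(method, "not covered in the message")
        if method in CLEARTEXT and conn in ("host", "hostnossl"):
            note += "; rule allows non-SSL connections, use hostssl"
        findings.append((lineno, conn, method, note))
    return findings
```
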