SID-01191: LDAP Security
Status: Answered
TWiki version:
Perl version:
Category: CategoryAuthentication
Server OS:
Last update: 12 years ago
I'm thinking about using TWiki with my existing LDAP server, and security is my top concern. I saw that TWiki has the ability to use TLS with LDAP, which is good. My question is: does TWiki store/cache any credential information on the wiki system or the client?
Thank you
--
EricGruber - 2011-05-31
Discussion and Answer
The current LdapContrib caches user credentials for speed on the TWiki server in the twiki/working/work_areas/LdapContrib directory. Even with shell access, only the webserver user and root have access to the binary cache file (shell access to TWiki server should be restricted to sysadmins anyway). Login can be configured to require SSL, so the password is encrypted between client and TWiki server. Nothing is cached on the client besides a session cookie. I do not recommend using the LdapContrib if you have more than a few thousand LDAP entries; it needs to be redesigned to scale to 10K+ entries. You can hire a TWiki consultant if the current LdapContrib does not meet your needs.
--
PeterThoeny - 2011-05-31
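A permission check for the cache directory named in the answer above, as an added example that is not part of the original thread or of LdapContrib. The function name, the script name in the usage comment and the web server account are assumptions; pass the real path of your twiki/working/work_areas/LdapContrib directory and the account your web server runs as.

```shell
#!/bin/sh
# Added example (not LdapContrib code): verify that the credential cache is
# reachable only by its owner, as the answer above describes.
# Usage: sh audit_cache.sh <path to twiki/working/work_areas/LdapContrib> <web user>

# audit_ldap_cache DIR OWNER
# Prints every entry under DIR (DIR included) that grants any permission bit
# to group or other, or that is not owned by OWNER (name or numeric uid).
# On Linux a symbolic link has mode 0777, so links are reported as well.
# Returns 0 when clean, 1 when findings were printed, 2 when the audit
# could not be completed.
audit_ldap_cache() {
    dir=$1
    owner=$2
    if [ -z "$owner" ] || [ ! -d "$dir" ]; then
        echo "usage: audit_ldap_cache DIR OWNER (DIR must exist)" >&2
        return 2
    fi
    # POSIX find: -perm -NNN matches when all listed bits are set, so each
    # group/other bit is tested on its own and the tests are OR-ed together.
    findings=$(find "$dir" \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 -o \
        ! -user "$owner" \) -print) || {
        # find failed (unknown owner, unreadable subdirectory): report what
        # was found so far and signal that the result is incomplete.
        [ -n "$findings" ] && printf '%s\n' "$findings"
        echo "audit_ldap_cache: find failed, result incomplete" >&2
        return 2
    }
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -ge 2 ]; then
    audit_ldap_cache "$1" "$2"
fi
```

Any path the function prints should have its mode or ownership tightened so that only the web server account can read the cache.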
Is it possible to disable the cache in LdapContrib?
--
EricGruber - 2011-05-31
Not possible with current version. Again, you can hire a consultant. Open source is about taking and giving back.
There is an alternative: Apache has LDAP auth module(s).
--
PeterThoeny - 2011-06-01
Basically we want to have users securely connect to the wiki with their LDAP credentials and have access controls configured for certain groups and users. All without the server saving any credential information about the users, even for caching purposes. I understand that the Apache auth modules will do what they say, that is just authorize users. Perhaps this is not possible yet, but I will still look around. Thank you very much for the help btw.
--
EricGruber - 2011-06-01
Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community; it is more likely you get community support if you support the open source project!
--
PeterThoeny - 2011-07-08