Need to separate authentication from authorization and clean up auth code



DO NOT DELETE THIS INFORMATION.

Please read this information carefully.

  • [x] Is your install up to date? Updating your install
    Please do not submit an issue if your install is not up to date within the last 24 hours or on a stable monthly release.
  • [ ] Please include all of the information between the ==================================== section of ./validate.php.
  • [ ] If you would like us to add a new device then please provide the information asked for here
  • [x] Please provide as much detail as possible.

I keep running into issues caused by the legacy authentication code that was inherited. I think it is time to do some major cleanup; however, I don’t think we can do it right without making backwards-incompatible configuration changes.

  1. We need to separate authentication and authorization
    • Allow users to select different methods for each, i.e. HTTP authentication with LDAP authorization
  2. Remove duplicate code
    • ad-authorization.inc.php is a copy of active-directory.inc.php
    • ldap-authorization.inc.php is a copy of ldap.inc.php
    • LDAP authorization should be made generic enough to support Active Directory LDAP
  3. Remove any dependencies from alerts/polling on authentication code
    • Cache email addresses in database instead of hitting authentication module?
    • Allow users to override data from directory?

How would we accomplish this without breaking config format, or how do we alert users before making config changes?