Rodauth: Complexity towards LDAP integration

[Tiago Cardoso]

Hi Jeremy

I'm evaluating the possibility of replacing some internal sinatra/rails apps with roda. I've been reading the official documentation and, albeit quite impressed with roda itself, still have a few doubts with rodauth.

I see a lot of focus of database security (+1 on that), but I don't see clear migration paths regarding features that devise/warden provides. I think you're of the opinion that devise is "unmigrateable" to roda regarding the ammount/complexity of features it provides, but I'd like to understand the clear advantage of using rodauth against something like warden, which simply handles authentication (maybe you have some blog post about it?). 

Also, I'd like to know how integrateable an ldap solution would be in rodauth. I have built 2 internal gems in our organization which add ldap-based authentication, one for devise (using devise_ldap_authenticatable) and one for warden (I wrote the net-ldap boilerplate myself). My question is,is there a clear advantage in creating a third bundle for rodauth? The warden version is already rack-compatible, which means I could already use it in roda. 

As we're talking about an ldap-integrated solution, the concerns on storing password hashes in the database do not exist, as I'm not storing them anyway. 

Maybe you know something about warden design and flaws which I don't and could tell me concrete reasons why to make the switch. Otherwise, I'd be happy to make the switch to roda while still using warden. 

Regards

Tiago 

[Amadeus Folego]

Hi Tiago,

On Wed, Mar 09, 2016 at 10:25:47AM -0800, Tiago Cardoso wrote:
> I see a lot of focus of database security (+1 on that), but I don't see clear
> migration paths regarding features that devise/warden provides. I think you're
> of the opinion that devise is "unmigrateable" to roda regarding the ammount/
> complexity of features it provides, but I'd like to understand the clear
> advantage of using rodauth against something like warden, which simply handles
> authentication (maybe you have some blog post about it?). 

I wrote a simple tutorial on how to integrate warden with Roda.

Of course it does not include LDAP integration, but it's a starting
point.

https://github.com/badosu/Yogurt/wiki/Example:-Adding-authentication

I am using warden on my production environment and still using
`env['warden']`. I need and will probably create a plugin for using
warden with roda (if there isn't one yet).

Best, Amadeus.

[Jeremy Evans]

I use Rodauth with LDAP authentication to Windows Active Directory for all of my internal apps at work.  This requires only overriding password_match? to do an LDAP lookup:

  plugin :rodauth do

    password_match? do |password|

      SimpleLdapAuthenticator.valid?(account.username, password)

    end

  end

SimpleLdapAuthenticator is another one of my libaries: https://github.com/jeremyevans/simple_ldap_authenticator

So Rodauth can definitely work for your use case.  However, there's no reason you have to use Rodauth.  If warden is working for you, you can certainly keep using it.

Thanks,

Jeremy

[Tiago Cardoso]

Nice example. The LDAP gem you linked is unusable for our use case, as we set more parameters on the net-ldap connection and we use ldap roles to handle authorization as well, but the layer handling the LDAP communication in our in-house gem is fairly similar in concept (one method to authenticate), which means that integrating it in rodauth is actually quite easy. I'll probably have to create the LDAP subset into its own gem, as warden is a full dependenvy, and including warden in roda and then end up using rodauth...

But yes, I think the first iteration will rely on warden. Will migrate further after this option has been validated.

Thanks,

Tiago