It looks like we finally have a decent implementation for authenticating
users using LDAP - https://issues.apache.org/jira/browse/OFBIZ-811. This
will allow OFBiz installations to share user names and passwords with
the network.

I would like to expand it further so that OFBiz user permissions can be
managed outside OFBiz - using LDAP directory management tools. It would
be very convenient in an LDAP (or Active Directory) environment to treat
OFBiz user permissions just like any other network resource.

There are other authentication technologies that could be used this way
also - like Single Sign On, Radius, and so forth.

In a previous discussion it was suggested we could put a "mini LDAP
server" within OFBiz to accomplish this. The concept is to have a
network's LDAP server forward requests to OFBiz. OFBiz would then serve
its data in LDAP form.

At first I thought that was a great idea, but now I'm not so sure. I
believe it would be better to consolidate authentication and permission
checking, and then make the whole thing "swap-able." An OFBiz
installation could then swap OFBiz's entity-based user authentication
and permission checking with some other technology - like LDAP, SSO, etc.

The problem with implementing something like this is the way user
authentication and user permissions checking are handled in the existing
code. The two are separate - handled by separate classes in separate
components. In addition, the CRUD services for permissions are in a
third component. Clearly, there needs to be some consolidation.

At the least, we need to have the org.ofbiz.security.Security interface
expanded to have an authentication method and methods for permissions
CRUD operations. Each authentication technology could then have its own
implementation of the interface. An OFBiz installation could be
configured to use any of the available technologies using the
security.context property in the security.properties file.
What do you think?
-Adrian
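A sketch of the consolidated, swappable interface the message proposes, added here as an illustration and not code from OFBiz or from Adrian: the AccessProvider interface, the InMemoryProvider class and the load() factory are hypothetical names, and the sample user and permission are constructed. The point it shows is that one interface carries both authentication and permission CRUD, the concrete implementation is chosen by the security.context property, and the loader fails closed when that property is missing or names a class that does not implement the interface.

```java
import java.util.*;

public class SecurityContextDemo {
    /** Hypothetical consolidated interface: authentication plus permission CRUD in one place. */
    public interface AccessProvider {
        boolean authenticate(String userLoginId, char[] password);
        boolean hasPermission(String userLoginId, String permission);
        void grantPermission(String userLoginId, String permission);
        void revokePermission(String userLoginId, String permission);
    }

    /** Stand-in for the entity-backed implementation; an LDAP or SSO provider would replace it.
     *  Constructed sample data; a real store would hold salted password hashes, not plaintext. */
    public static class InMemoryProvider implements AccessProvider {
        private final Map<String, char[]> passwords = new HashMap<>();
        private final Map<String, Set<String>> perms = new HashMap<>();
        public InMemoryProvider() { passwords.put("demo-user", "demo-password".toCharArray()); }
        public boolean authenticate(String u, char[] p) {
            char[] stored = passwords.get(u);
            return stored != null && Arrays.equals(stored, p);
        }
        // Deny by default: an unknown user or unknown permission never passes.
        public boolean hasPermission(String u, String perm) {
            return perms.getOrDefault(u, Collections.emptySet()).contains(perm);
        }
        public void grantPermission(String u, String perm) {
            perms.computeIfAbsent(u, k -> new HashSet<>()).add(perm);
        }
        public void revokePermission(String u, String perm) {
            perms.getOrDefault(u, new HashSet<>()).remove(perm);
        }
    }

    /** Loads the provider named by security.context; fails closed on any misconfiguration. */
    public static AccessProvider load(Properties securityProps) throws ReflectiveOperationException {
        String cls = securityProps.getProperty("security.context");
        if (cls == null) throw new IllegalStateException("security.context is not set");
        Object o = Class.forName(cls).getDeclaredConstructor().newInstance();
        if (!(o instanceof AccessProvider)) throw new IllegalStateException(cls + " is not an AccessProvider");
        return (AccessProvider) o;
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties();   // stands in for security.properties
        p.setProperty("security.context", "SecurityContextDemo$InMemoryProvider");
        AccessProvider sec = load(p);
        System.out.println("login ok: " + sec.authenticate("demo-user", "demo-password".toCharArray()));
        System.out.println("before grant: " + sec.hasPermission("demo-user", "EXAMPLE_VIEW"));
        sec.grantPermission("demo-user", "EXAMPLE_VIEW");
        System.out.println("after grant: " + sec.hasPermission("demo-user", "EXAMPLE_VIEW"));
    }
}
```

Swapping in LDAP would mean another class implementing AccessProvider and a different value for security.context; callers would not change.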