Hi Sigurd,
This isn't my code, but I understand how some of it works.
On Sun, 2006-10-29 at 13:46 +0100, Sigurd Nes wrote:
> 2) in login.php around line 48 - the password is set to the account_lid
> fetched from the mapping before creating session - is this working?
> (seems like the password is not authenticated in
> class.auth_remoteuser.inc.php - as long as there is a valid mapping of
> the remote user - you're in)
$_SERVER['REMOTE_USER'] is set by Apache when a user has been
authenticated using one of the Apache authentication modules, such as
mod_auth_sso, mod_auth_ldap or mod_auth_krb5, etc.

That is why we just check to see if the value is set and contains a
non-empty string. We are never given the password, so it can't be
validated; that is done by Apache (some Apache auth modules don't use
passwords).

We also have no way of knowing if the value Apache provides is forged,
so we have to rely on the security of the Apache module code.
I hope this helps to clarify it.
Cheers
Dave
--
Dave Hall (aka skwashd)
API Coordinator
phpGroupWare
e [EMAIL PROTECTED]
w phpgroupware.org
j [EMAIL PROTECTED]
sip [EMAIL PROTECTED]
_______________________________________________
phpGroupWare-developers mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/phpgroupware-developers
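
The check described in the reply above, as an added example (not phpGroupWare's code and not part of the original message): a hypothetical `resolve_remote_user()` helper that reads only the server-set `REMOTE_USER`, never the client-supplied `HTTP_*` header copies, and requires a mapping entry. The `AUTH_TYPE` check, the mapping array and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not phpGroupWare code.

/**
 * Return the account_lid mapped to the user Apache authenticated, or null.
 *
 * $server  - normally $_SERVER
 * $mapping - constructed stand-in for the remote-user mapping
 *            (remote name => account_lid)
 */
function resolve_remote_user(array $server, array $mapping): ?string
{
    // Only REMOTE_USER is read. $_SERVER keys that start with HTTP_
    // (HTTP_REMOTE_USER, HTTP_X_REMOTE_USER, ...) are copies of request
    // headers and are client-controlled.
    $remote = $server['REMOTE_USER'] ?? '';
    if (!is_string($remote) || trim($remote) === '') {
        return null; // not set or empty: nobody was authenticated
    }

    // Assumption: the auth module in use also sets AUTH_TYPE, so its
    // absence is treated as "no Apache auth module handled this request".
    if (empty($server['AUTH_TYPE'])) {
        return null;
    }

    // No password exists to check; access depends on an exact mapping hit.
    return $mapping[$remote] ?? null;
}

// Constructed sample data.
$mapping = ['alice@EXAMPLE.ORG' => 'alice'];

$requests = [
    'authenticated by Apache' => ['REMOTE_USER' => 'alice@EXAMPLE.ORG', 'AUTH_TYPE' => 'Negotiate'],
    'header only'             => ['HTTP_REMOTE_USER' => 'alice@EXAMPLE.ORG'],
    'empty value'             => ['REMOTE_USER' => '', 'AUTH_TYPE' => 'Basic'],
    'no mapping'              => ['REMOTE_USER' => 'bob@EXAMPLE.ORG', 'AUTH_TYPE' => 'Basic'],
];

foreach ($requests as $label => $server) {
    $lid = resolve_remote_user($server, $mapping);
    printf("%-24s => %s\n", $label, $lid === null ? 'rejected' : "session for $lid");
}
```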