[OGo-Users] Basic Authentication

[Adam Tauno Williams]

--=-8uCnKPqWRvSHmBkNB0Ut
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

> I've configured ogo-webui for Basic Authentication. Apache correctly
> verifies the provided username and password.
> What bothers me, is that OpenGroupware seems to check the credentials
> again (after Apache has accepted them)=20

Yep,  configuring basic auth means that OGo performs HTTP Basic
authentication, not that it 'trusts' the inbound credentials.

Real trust is -
http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=3D1121 - and,
AFAIK, isn't being actively worked on.  It also isn't nearly as easily
as it seems at first since the OGo WebUI needs the user's credentials to
do things like connect to the IMAP server.

> and drops me back to the form based login.=20

http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=3D1613

> If the passwords of external authentication source and
> ogo-webui are identical, OpenGroupware grants access. Is this an
> expected behaviour? If so, of what use would Basic Authentication be?

It allows two layers of authentication, providing basic credentials to
an outside/wrapper application while only presenting one password prompt
(assuming the user enters the correct password).  Also some platforms
allow the browser to store basic authentication credentials in a
key-ring allowing a reasonably secure for a user to avoid typing the
password every time,=20

--=-8uCnKPqWRvSHmBkNB0Ut
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQBHhSOCLRePpNle04MRArA4AJ9vLAE/j+ViZxce4HYdQ4/wDaMsNwCfUTuB
fSlomY6kHpWOm/J3SdERNCw=
=o3YI
-----END PGP SIGNATURE-----

--=-8uCnKPqWRvSHmBkNB0Ut--