Let’s take MediaWiki for example. It is a piece of software that uses PHP, and has its own login/registration system. Let’s say that a user has a MIAB server, and is also running MediaWiki on Apache.
I have already gone knee-deep in how the system works, and still can’t figure it out very well. One simply does not
Back a year ago, before I knew Single Sign-On was a thing and Keycloak ( https://www.keycloak.org/ ) was a thing, I was managing/providing tech for a small team of people (10-20). We (I) were running a MediaWiki, and I was trying to unify users across several services (Apache passwd whatever-it’s-called, and creating Linux users). I created a quick PHP script that would take a user’s plaintext password, hash it, and store it in a file. Keep in mind, this was a non-profit cause I was doing work with, so the wasted time wasn’t a big deal.
Little did I know, after the meeting was over, that MediaWiki played favorites with how they hashed their passwords. You should look into it. I learned a lot about hashing, and the default BLOWFISH or whatever it’s called does not work with MediaWiki’s crap. That said, I could not just simply take a hashed password and feed it directly into MediaWiki’s database (MySQL/MariaDB, they had their own database).
You’ll soon realize that it’s a fricking nightmare to shove data from one piece of software into another and call it a user. What’s better is to pick ONE piece of software to maintain users, use the same or a different piece of software to communicate between the user management software and other applications, and have all other applications check to make sure a user is authenticated.
This is why authentication standards exist like OAuth, LDAP, OpenID, etc.
I just don’t know what the best model is. Keycloak is supposed to streamline the process, but I haven’t been able to get Keycloak to work with OpenLDAP, and figure out how in the hell it all works.
@murgero, I have tried a handful of times, and have tried to get it working for several hours when I did try, but my knowledge on authentication is very limited. If you can help me out, I’d be willing to try it.
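The model described in the post above (one component owns the users and their password hashes, every other application only verifies a signed token it is handed), as an added example that is not part of the original post and is not Keycloak, OpenID Connect or MediaWiki code. It uses only Python's standard library: the token follows the compact JWT/HS256 shape, the issuer name `idp.example`, the audiences `wiki.example` and `mail.example`, the shared secret and the sample user are all constructed for this illustration. A real deployment would use the provider's public-key signature rather than a secret shared with every application.

```python
"""Added illustration of the single-identity-provider model.

The "identity provider" is the only component that knows passwords.
Applications never see a password or a hash; they verify a signed token.
Everything here (issuer, audiences, secret, user) is constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret. Prefer the provider's public key in practice.
SHARED_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "idp.example"

# Constructed user store, owned ONLY by the provider: salted PBKDF2 hashes.
_SALT = b"static-salt-for-example"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse battery staple")}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()


def provider_login(username, password, audience, now=None, ttl=300):
    """Identity provider: check the password, return a signed token or None."""
    now = int(time.time()) if now is None else now
    stored = USERS.get(username)
    if stored is None or not hmac.compare_digest(stored, _hash_password(password)):
        return None
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": username, "aud": audience,
              "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}".encode()
    return signing_input.decode() + "." + _b64url(_sign(signing_input))


def app_verify(token, expected_audience, now=None):
    """Any application: check signature, issuer, audience and expiry.

    Returns the authenticated username, or None when anything is wrong.
    The application never touches a password or a password hash.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON, bad UTF-8, wrong segment count
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # reject "none" or anything unexpected
        return None
    signing_input = f"{header_b64}.{claims_b64}".encode()
    if not hmac.compare_digest(sig, _sign(signing_input)):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    token = provider_login("alice", "correct horse battery staple", "wiki.example")
    print("wiki accepts:", app_verify(token, "wiki.example"))
    print("mail accepts token issued for wiki:", app_verify(token, "mail.example"))
```

The point of the split is the one made in the post: the wiki and the mail server each call `app_verify` with their own audience and never store or translate a password hash, so the hash format each application would have used on its own stops mattering.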