LDAP
Nikname_non_name, 2019-09-21 16:11:59

How to create a shared authentication database?

Hello, gentlemen.
How can I combine Active Directory, MySQL, LDAP and RADIUS into one user database for authentication in the following services:
1. Web site
2. POP3 authentication
3. POP3 authentication before SMTP
4. SSH authentication
5. OpenVPN
6. RDP server
7. AD workstations
8. Minecraft Java Edition servers
9. Minecraft Bedrock Edition servers
10. CS:GO server
11. IIS applications
The scenario is roughly this: when a user registers on the web site, he specifies a login, a password, a phone number (without an SMS code; this is important) and an email address (this is important). After registration the user is created in all databases, is placed in the user group, gets user rights in all of the services above, and the data from the registration fields goes into the Active Directory fields. Then, if the user has forgotten the password, he can go to the recovery page and enter:
1. DOMAIN \ User_Name
2. Phone number
and if the phone number matches the one entered during registration, an SMS with a code is sent to it and a tab opens where the user can enter:
1. SMS code
2. New password
3. New password confirmation
and if the code is correct, the password is changed in all databases.
How can this be implemented, and what is needed?
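The SMS-code reset flow described above, as an added example (this is not code from the original post). It keeps only a salted hash of the code, makes the code short-lived, single-use and attempt-limited, sends it only to the phone already on file, and on success updates one credential authority through a `set_password` hook rather than writing the new password into several databases. The account data, `send_sms` and `set_password` hooks are hypothetical; in the asker's setup `set_password` would be the call that changes the password in AD.

```python
"""SMS-code password reset for the flow in the question (added example, not from the thread).

Reviewer checklist this implements:
  * the code goes only to the phone already on file, never to a requester-supplied number;
  * the code is random (secrets), short-lived, single-use and attempt-limited;
  * only a salted slow hash of the code is stored server-side;
  * comparisons use hmac.compare_digest so timing does not leak partial matches;
  * on success exactly one credential authority is updated (set_password hook),
    instead of fanning the new password out to several databases.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # a code is valid for five minutes
MAX_ATTEMPTS = 3        # wrong guesses allowed before the request is discarded
CODE_DIGITS = 6


@dataclass
class Account:
    username: str  # e.g. "EXAMPLE\\jdoe" (constructed sample)
    phone: str     # E.164 number registered at sign-up


@dataclass
class PendingReset:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # Slow hash so a leaked reset table cannot be brute-forced in milliseconds;
    # the short TTL is the main defence, the hash only avoids storing codes in clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


class ResetService:
    def __init__(self, accounts, send_sms, set_password, now=time.time):
        self._accounts = accounts          # {username: Account}
        self._send_sms = send_sms          # hypothetical hook: send_sms(phone, code)
        self._set_password = set_password  # hypothetical hook into the single authority (e.g. AD)
        self._now = now
        self._pending = {}

    def request(self, username: str, phone: str) -> bool:
        """Step 1 of the flow: DOMAIN\\user + phone. Returns whether a code was sent."""
        acct = self._accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.phone.encode(), phone.encode()):
            return False  # the web page should show the same neutral text either way
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[username] = PendingReset(
            _hash_code(code, salt), salt, self._now() + CODE_TTL_SECONDS)
        self._send_sms(acct.phone, code)  # destination is the number on file
        return True

    def confirm(self, username: str, code: str, new_password: str, confirm_password: str) -> str:
        """Step 2 of the flow: SMS code + new password twice. Returns a status string."""
        if new_password != confirm_password:
            return "mismatch"
        pending = self._pending.get(username)
        if pending is None:
            return "no_request"
        if self._now() > pending.expires_at:
            del self._pending[username]
            return "expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[username]  # force a fresh request (and a fresh SMS)
            return "locked"
        if not hmac.compare_digest(_hash_code(code, pending.salt), pending.code_hash):
            return "bad_code"
        del self._pending[username]  # single use
        self._set_password(username, new_password)  # one authority, not N databases
        return "ok"


if __name__ == "__main__":
    # Constructed demo: the "SMS" is just printed.
    accounts = {"EXAMPLE\\jdoe": Account("EXAMPLE\\jdoe", "+15550100")}
    svc = ResetService(accounts,
                       send_sms=lambda phone, code: print(f"SMS to {phone}: {code}"),
                       set_password=lambda user, pw: print(f"password set for {user}"))
    svc.request("EXAMPLE\\jdoe", "+15550100")
```

A real deployment would also rate-limit `request()` per account and per source address, since each call costs an SMS and a fresh code window.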


2 answers
xmoonlight, 2019-09-21

1. Central storage of authorization data: make it RADIUS.
2. Set up everything else to work with it.
3. Create a software trigger that processes events on the authorization data and replicates them to the services that do not support RADIUS integration.
4. For centralized account management from the web page, write a script that talks to the RADIUS server.

athacker, 2019-09-22

1) There is no need to merge anything; that is fraught with problems when the credential databases of the different (diverse) authentication systems get out of sync. There should be a single system for checking user credentials, and all other systems must check credentials through it. AD is suitable for this. Everything else can go to AD to check credentials over LDAPS. Some systems already have AD integration: IIS applications, some mail servers, SSH, MySQL (via PAM). For the rest, you may have to write code to bolt it on.
2) The password reset mechanism you described allows anyone who knows the phone number (JUST knows it; they do not even need to have the phone at hand) to change any password and log in under any account. Are you sure you want this?
In general, read about the concept of SSO (single sign-on). There are ready-made systems that implement it.
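The "check credentials through AD over LDAPS" step from the answer above, as an added example that is not part of athacker's answer: an LDAP v3 simple bind hand-encoded in BER with the Python standard library, so the request encoder and response parser can be exercised offline and the only network step is the TLS connection to the domain controller. The host name, CA file and sample responses are constructed; AD accepts a UPN (`jdoe@example.com`) or `DOMAIN\user` as the name in a simple bind.

```python
"""Password check against AD with an LDAP v3 simple bind over LDAPS (added example).

A simple bind carries the password as a plain OCTET STRING inside the BindRequest,
so it must only ever travel inside TLS (port 636, certificate verified). A DC that
requires LDAP signing refuses simple binds over cleartext 389 in any case.
"""
import socket
import ssl

LDAP_SUCCESS, LDAP_INVALID_CREDENTIALS = 0, 49
TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED = 0x30, 0x02, 0x04, 0x0A
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61  # [APPLICATION 0] / [APPLICATION 1]
TAG_SIMPLE_AUTH = 0x80                            # AuthenticationChoice.simple [0]


def ber_len(n: int) -> bytes:
    """Definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER in minimal two's complement (leading 0x00 when the top bit is set)."""
    return ber(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    body = (ber_int(3) + ber(TAG_OCTET_STRING, name.encode())
            + ber(TAG_SIMPLE_AUTH, password.encode()))
    return ber(TAG_SEQUENCE, ber_int(message_id) + ber(TAG_BIND_REQUEST, body))


def _tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse LDAPMessage."""
    tag, msg, _ = _tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != TAG_BIND_RESPONSE:
        raise ValueError(f"unexpected protocolOp tag 0x{tag:02x}")
    _, code, pos = _tlv(op, 0)
    _, _matched_dn, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return int.from_bytes(msg_id, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def _read_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def _read_message(sock) -> bytes:
    """Read exactly one BER TLV: header first, then the announced body."""
    head = _read_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = _read_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _read_exact(sock, length)


def ldaps_check_password(host: str, name: str, password: str, cafile=None, port: int = 636) -> bool:
    """True only if the DC answers the bind with resultCode 0 (host/cafile are caller-supplied)."""
    if not password:
        # Name + empty password is an *unauthenticated* bind (RFC 4513 5.1.2), which AD
        # accepts by default, so it would "succeed" for any existing user. Reject it here.
        return False
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the DC certificate; never disable
    with socket.create_connection((host, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(bind_request(1, name, password))
        msg_id, code, _ = parse_bind_response(_read_message(tls))
    return msg_id == 1 and code == LDAP_SUCCESS
```

In production you would use a maintained client (ldap3, python-ldap, or SSSD/PAM for SSH) rather than this encoder; the point of writing it out is to see that the password is literally in the request bytes and that an empty password is a distinct case every binder must refuse.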
