Home Download News FAQ / Knowledge Base Screenshots Documentation Support
philosophical imaginary
Table of Contents

What are the different authentication modes and which one should I use?

The Citadel system offers several different authentication modes, which may be selected during your initial installation. Once you select a mode you should not attempt to change it. Doing so could render your user accounts inaccessible.

The authentication modes available are:

Self-contained authentication

This is the most common type of installation. In this mode, Citadel will maintain its own user database. This is also known in some other circles as “black box” authentication. Note that you can use mod_auth_citadel to integrate other applications with citadel; You don't need ldap for that.

Self-contained authentication is the mode most sites will want to use. It is by far the easiest because it requires zero maintenance and zero external configuration.

Host system integrated authentication

In this mode, Citadel will attempt to authenticate logins using the user database of the underlying host system (Unix or Linux). On a standalone server, this would mean that it uses the user names and passwords stored in the /etc/passwd file. However, some sites are using this mode in combination with PAM (Pluggable Authentication Modules) to enable single sign-on in a NIS environment. It can also be used for LDAP, but this practice is deprecated since we now have two native LDAP authentication modes available.

External LDAP - RFC 2307 compliant directory

In this mode, Citadel will attempt to authenticate logins using an external LDAP directory. The directory schema is expected to conform to the RFC 2307 specification for storing POSIX accounts in LDAP. If your directory is based on OpenLDAP or some other open source product, this is probably the case. It will also work with Microsoft Active Directory if you are running Windows Server 2003 R2 or newer, and have the “Server for NIS” extensions installed.

If you select this mode you will be prompted for the host name or IP address and port number of your LDAP server, along with the base DN, bind DN, and bind password. If you don't know what these mean, then you probably should not be selecting this authentication mode.

External LDAP - nonstandard MS Active Directory

This mode is similar to the standard LDAP mode, but its behavior is modified in certain ways in order to allow it to work with Microsoft's non-standard schema. This mode will work with all versions of Windows Server, but you should use the standard RFC 2307 mode if at all possible. Again, you cannot switch modes once your system is established.

So, which one should I use?

Unless you understand exactly how the external authentication modes work, you should choose self-contained authentication mode.

Copyright © 1987-2020 Uncensored Communications Group. All rights reserved.     Login (site admin)