Jaime Gago Condensing Information Systems From the Vapor Of Data

16 Nov 2009

Project Gnomonos: Online Report Cards in Php/MySQL

First, some historical background on Gnomonos. It was started in 2005 as a custom Php/MySQL system to suit the needs of Lower School report cards at French American International School. Harry Chesley, a parent volunteer, very generously offered to develop the application for free.


The core was originally designed while collaborating with the tech-savvy Curriculum Coordinator, Pascal Vallet.

At that time I had just moved from France to work at French American as Technology Coordinator. In 2006 Pascal Vallet moved to Indonesia (he is now Principal of the EIFB) and I took over as the interface between the developer and the administration. As the project matured I became more and more involved on the system side and less on the administrative one. In 2007 Harry officially ended his work on Gnomonos and published it on SourceForge.net. The code remained unchanged until September 2009, when we needed to update Gnomonos. It is the change we made in the identification process that I thought might interest some people out there.

Single sign-on designs are nothing new, and that is the direction we took for Gnomonos. At that time we were using Microsoft Exchange for our email domain, so we tapped into Active Directory for authentication via LDAP and then came back to Gnomonos for authorization. Then in 2007 we moved our email domain to the free Google Apps Education Edition, but we kept this working login architecture while creating new users in both directories (not good, I know). Since we now rely exclusively on Google for our email, our Active Directory is slowly becoming obsolete (victory!), and so we had to find a way to tap into our Google domain directory.

At first I started to look into the SAML Single Sign-On (SSO) service for Google Apps while talking with Harry Chesley to get his view on it. He stopped developing, but he still gives me advice, which is quite lucky as he certainly is a talented coder... Harry came up with a very simple and elegant idea: use IMAP to get the green light from our Google domain.

What Gnomonos does now when a user logs in is to try to open an IMAP stream to that user's mailbox and use the result as the authentication decision. All of this is done in two lines of code via PHP's imap_open function, so from a security point of view we rely exclusively on Google's IMAP implementation (SSL is forced), and it feels great =D. One thing this does change: the user's Google password now passes through the Gnomonos login form on its way to Google, so that form has to be served over HTTPS as well. From a system point of view we had to change two lines of code, enable the imap extension on our web server, and make sure the web server could reach Google over IMAP (SSL), which basically meant allowing outgoing connections on port 993, and voila! Kudos to BlueHost Tech Support, who made these changes effective on our web server (Apache) in less than 24 hours.
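Here is what that IMAP-as-authentication check looks like when written out with the safety checks a practitioner would add. This is an added example, not the Gnomonos code itself or Harry's two lines. It assumes Google's IMAP endpoint is imap.gmail.com on port 993, that the school's mail domain is example.org (placeholder), and that the Gnomonos username is the local part of the user's Google mailbox address.

```php
<?php
// Added example, not Gnomonos code: authenticate a user by attempting an IMAP
// login to the school's Google Apps domain. Assumptions: Google IMAP at
// imap.gmail.com:993 over TLS, school mail domain 'example.org' (placeholder),
// and Gnomonos usernames equal to the local part of the Google address.
declare(strict_types=1);

const GNOMONOS_MAIL_DOMAIN = 'example.org'; // placeholder school domain
// /ssl forces TLS; /validate-cert makes a bad or wrong certificate a failure
// rather than a silently accepted connection to the wrong server.
const GNOMONOS_IMAP_SERVER = '{imap.gmail.com:993/imap/ssl/validate-cert}';

/**
 * Returns true only if Google accepts $username / $password over IMAP.
 * This is authentication only: roles and which report cards a teacher may
 * edit (authorization) remain in Gnomonos's own MySQL tables.
 */
function gnomonos_imap_authenticate(string $username, string $password): bool
{
    // Accept only a plain local part. An '@' or braces in the username would
    // let a caller aim the login at a different address or mailbox string.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username) || $password === '') {
        return false;
    }
    $login = $username . '@' . GNOMONOS_MAIL_DOMAIN;

    // OP_HALFOPEN: connect and authenticate without selecting a mailbox,
    // which is all an authentication check needs. The '@' suppresses the
    // PHP notice imap_open raises on a failed login so it cannot reach the page.
    $stream = @imap_open(GNOMONOS_IMAP_SERVER, $login, $password, OP_HALFOPEN);
    // Drain the c-client error queue so it does not leak into later output.
    imap_errors();

    if ($stream === false) {
        return false;
    }
    imap_close($stream);
    return true;
}

// Usage from the login handler (form fields are assumed names):
// if (gnomonos_imap_authenticate($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     // look up the user's role in MySQL and start the session
// }
```

The function only ever returns true or false; any reason Google refuses the login (wrong password, account suspended, rate limiting) collapses to false, which is what a login page should show the user. The username regex is the piece most easily forgotten: without it, whatever the user types is concatenated into the address handed to imap_open.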

Being able to switch from one authentication source to another that easily makes you believe in Open Source like never before. So hail to Php/MySQL FOSS and the LAMP platform!

If you are not clear about the difference between authorization and authentication, read this. In short: authentication is proving who the user is (the part we now hand to Google over IMAP), while authorization is deciding what that user may see or edit, which stays in Gnomonos itself.

You can also check this ultra-simplified diagram of the login changes made to Gnomonos: ldap_imap_login
