The following is an email that I sent to some of the folks at Six Apart about two weeks ago. I thought I should share it with the rest of the community.
As we've discussed before, I know that there are corporate customers of yours that are quite anxious for the ability to make use of their existing authentication systems in their blogs. We have also discussed hooking up MT and TypeKey as a start to that, and even developing an LDAP to TK/MT mapping of sorts. For the government customers I see at my day job, and I'm sure plenty of corporate customers as well, relying on something over which they are not in direct control (i.e. TK) is not an option for any number of reasons (e.g. corporate policy, or just not being connected externally at all). Here is my mini-proposal for what I think should be done (and what I would honestly like to do myself).
First, in parallel, support for Apache-based authentication and a native user group/role system need to be implemented. As soon as MT begins allowing in users that did not previously exist internally, the need for a default user configuration becomes apparent. While implementing that as a default set of permissions is an option, it can become a signifcant problem if and when changes to those default permissions need to be changed either for one individual user or for all users. In a small enough installation, it is workable, but in larger organizations being limited to only a single set of default permissions is not going to be an option. All of those problems are avoided by implementing a native group/role system, as one group can be designated as the default group and overall changes can be made to that group to affect everybody, as well changes to individual users can be made without affecting any other group member. In addition, it also sets the stage for the next step.
Finally, support for authentication directly from systems like LDAP/ADS and so forth can be implemented. With the group/role system already implemented, as backend support for external usernames and passwords is added, adding it for the external groups/roles should be relatively simple.
Those are just my thoughts at least. I have already just about implemented the Apache-based authentication, though without any kind of default permissions. I suppose a quick hack could be developed to support that.
And as a bit of an addendum to that, I should also mention that if something like this moves forward, MT will need to move to a more true session handling approach, as opposed to storing the username and password of the current user in a cookie. If nothing else, the group affiliations will need to be cached somewhere else the authentication server will be getting hammered.
; "Feed Stats Widget")
; "Google Referrer")
; "MediaConsumer Template Output")
; "MediaConsumer List Items")
; "MediaConsumer Edit Item")
; "mt-qotd.png")
; "Vox-qotd.png")
This is a major factor in holding up widescale deployment in our business. We manage everyone via AD and would dearly love the ability to authenticate people, manage their group access to weblogs, populate some of their user data from AD etc. The ideal we are shooting for is a self service system that would allow users to create a weblog for themselves or create a group weblog and nominate themself as the managing author - group access could then flow from AD for line of business silos (department/business unit) but there would still be a need for local MT groups that didn't fit this model (cross team collaboration etc.) This also flows into secure RSS/Atom feeds as an output as well. Not that we want masses of hidden weblogs, but there are some instances where this would be useful. Having said all that, it may well be that Wikis gain greater traction more quickly - there's less exposure of the individual... We'll be making the same points to Six Apart (Eur) in a few weeks.
I recently bumped into with MOVABLE TYPE,
and I wonder if someone of you has developed any type of Access Control List (ACL) Plugin. It would be cool to have some content available only to certain people.