[Systems] SL Central Login (was Re: [Systems-logs] [DNS] Sugar Labs DNS zone data branch, master, updated. 8f472af67a1177a9644675b1fd2c2af7dff2e77a)
Aleksey Lim
alsroot at activitycentral.org
Tue Sep 27 16:57:07 EDT 2011
On Tue, Sep 20, 2011 at 12:42:47PM +0000, Aleksey Lim wrote:
> I think it will be useful to start settling down the question about
> common SL login system. At least the system, Sweets[1], whose testing version
> I'm hoping to publicly announce this week, after trying to do that on
> Sep 18, will require being authed to release new software versions within
> this new system. For now it uses CAS on top of our LDAP but there are
> several issues:
>
> * to have an LDAP record, people need to request a shell account (but
> there is no need for a shell account for Sweets at all, only being
> authenticated)
> * the process to create this account is not user-friendly at all
> (email request to RT)
>
> I guess we need to collect all info related to central login on, e.g., [2]
> and have an infrastructure meeting to discuss how [2] might be
> implemented.
>
> [1] http://wiki.sugarlabs.org/go/Platform_Team/Sweets
> [2] http://wiki.sugarlabs.org/go/Infrastructure_Team/Central_Login
The progress:
bernie │ here's a proposal:
bernie │ 1. we export the mediawiki users db to some text file
alsroot │ bernie: at least http://www.mediawiki.org/wiki/Extension:LDAP_Authentication says about creating users in ldap
bernie │ 2. we convert this data to ldif
bernie │ 3. we import the ldif into ldap (it does not have to be in ou=People)
bernie │ alsroot: oh! that will save time
bernie │ 4. we make CAS fetch users from LDAP
bernie │ 5. we make mediawiki authenticate users with CAS (this is what we do at the FSF, i know it works well)
bernie │ 6. we create a page to setup a new account in LDAP (this could be done by mediawiki too if the extension is smart
│ enough!)
bernie │ alsroot: throwing CAS in the middle makes things more complex, but we need this if we want to provide a *single
│ *sign-on
alsroot │ bernie: do you have time to take care of 1-3?
bernie │ alsroot: if mediawiki does its own authentication against ldap, we have only solved half of the issue: one identity
│ instead of many separate ones... but users will still have to type in their passwords in each Sugar Labs app
bernie │ alsroot: i might look into it this week-end
bernie │ alsroot: maybe earlier
alsroot │ bernie: ok, will experiment w/ wiki-devel for using wiki as a users management tool and using cas for login, if I
│ manage to finish it, will take a look at merging wiki db
--
Aleksey
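
Step 2 of the proposal in the log above (convert the exported wiki users to LDIF), sketched as an added example that is not part of the original message or of Sugar Labs' tooling. The tab-separated export layout, the base DN `ou=WikiUsers,dc=example,dc=org` and the `inetOrgPerson` mapping are assumptions; the point is that user-controlled names must be DN-escaped (RFC 4514) and base64-encoded where RFC 2849 requires it, so a field cannot add attributes to an entry.

```python
import base64
import csv
import io

BASE_DN = "ou=WikiUsers,dc=example,dc=org"  # assumed subtree, not ou=People

# Constructed export (step 1): user_name <TAB> real_name <TAB> email.
SAMPLE_EXPORT = (
    "Alice\tAlice Example\talice@example.org\n"
    "Smith, J\tJosé Example\tjs@example.org\n"
    'Mallory\t"M\nuid: admin"\tmallory@example.org\n'  # newline inside a field
    "alice\tDuplicate\tdup@example.org\n"              # collides with Alice
    "NoMail\tNo Mail\t\n"                              # no address: skipped
)

def escape_rdn(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    if value[:1] in ("#", " "):
        out = "\\" + out
    return out

def ldif_line(attr, value):
    """Emit 'attr: value', or base64 'attr:: ...' when RFC 2849 requires it."""
    safe = (value.isascii() and not any(c in value for c in "\0\r\n")
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def to_ldif(export_text, base_dn=BASE_DN):
    """Convert the export to LDIF entries; no userPassword is written."""
    entries, seen = [], set()
    for row in csv.reader(io.StringIO(export_text, newline=""), delimiter="\t"):
        if len(row) != 3:
            continue
        name, real, mail = (field.strip() for field in row)
        # LDAP matches uid case-insensitively, so "alice" would clash with "Alice".
        if not name or not mail or name.lower() in seen:
            continue
        seen.add(name.lower())
        dn = f"uid={escape_rdn(name)},{base_dn}"
        attrs = [("dn", dn), ("objectClass", "inetOrgPerson"), ("uid", name),
                 ("cn", real or name), ("sn", real or name), ("mail", mail)]
        entries.append("\n".join(ldif_line(a, v) for a, v in attrs))
    return "\n\n".join(entries) + "\n"
```

The result of `to_ldif(SAMPLE_EXPORT)` is what step 3 would import; skipped rows (duplicates, missing mail) are worth logging for manual review in a real migration.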