[Systems] SL Central Login (was Re: [Systems-logs] [DNS] Sugar Labs DNS zone data branch, master, updated. 8f472af67a1177a9644675b1fd2c2af7dff2e77a)

Frederick Grose fgrose at sugarlabs.org
Tue Sep 27 22:35:20 EDT 2011

On Tue, Sep 27, 2011 at 4:57 PM, Aleksey Lim <alsroot at activitycentral.org> wrote:

> On Tue, Sep 20, 2011 at 12:42:47PM +0000, Aleksey Lim wrote:
> > I think it will be useful to start settling down the question about
> > common SL login system. At least the system, Sweets[1], whose testing
> > version I'm hoping to publicly announce this week, after trying to do
> > that at Sep 18, will require being authed to release new software
> > versions within this new system. For now it uses CAS on top of our LDAP
> > but there are several issues:
> >
> > * to have LDAP record, people need to request for shell account (but
> >   there is no need in shell account for Sweets at all, only being
> >   authenticated)
> > * the process to create this account is not user-friendly at all
> >   (email request to RT)
> >
> > I guess we need to collect all info related to central login on, e.g., [2]
> > and have an infrastructure meeting to discuss how [2] might be
> > implemented.
> >
> > [1] http://wiki.sugarlabs.org/go/Platform_Team/Sweets
> > [2] http://wiki.sugarlabs.org/go/Infrastructure_Team/Central_Login
> The progress:
>  bernie │ here's a proposal:
>  bernie │ 1. we export the mediawiki users db to some text file
> alsroot │ bernie: at least http://www.mediawiki.org/wiki/Extension:LDAP_Authentication says about creating users in ldap
>  bernie │ 2. we convert this data to ldif
>  bernie │ 3. we import the ldif into ldap (it does not have to be in ou=People)
>  bernie │ alsroot: oh! that will save time
>  bernie │ 4. we make CAS fetch users from LDAP
>  bernie │ 5. we make mediawiki authenticate users with CAS (this is what we do at the FSF, i know it works well)
>  bernie │ 6. we create a page to setup a new account in LDAP (this could be done by mediawiki too if the extension is smart enough!)
>  bernie │ alsroot: throwing CAS in the middle makes things more complex, but we need this if we want to provide a *single* sign-on
> alsroot │ bernie: do you have time to take care about 1-3?
>  bernie │ alsroot: if mediawiki does its own authentication against ldap, we have only solved half of the issue: one identity instead of many separate ones... but users will still have to type in their passwords in each Sugar Labs app
>  bernie │ alsroot: i might look into it this week-end
>  bernie │ alsroot: maybe earlier
> alsroot │ bernie: ok, will experiment w/ wiki-devel for using wiki as a users management tool and using cas for login, if will manage to finish it, will take a look to merging wiki db
> --
> Aleksey

Since 13 July 2010, all new wiki accounts have been required to use OpenID.
This has greatly reduced wiki abuse.

Many wikis are abused by new account page attacks.  For some reason, those
abusers don't bother with the OpenID authentication.

Will the CAS implementation provide a similar deterrent without imposing a
usability barrier?

Please discuss the effect of the proposed changes on these aspects of
community experience.

Thanks,           --Fred
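
Steps 1-3 of the proposal quoted above (export the wiki users, convert to LDIF, import into LDAP), as an added example that is not part of the thread or of Sugar Labs' own tooling. It assumes the export is already parsed into dicts with hypothetical keys `name`, `real_name` and `email`, and uses a placeholder base DN. Wiki account fields are user-controlled, so values are escaped for the DN (RFC 4514) and base64-encoded when they fall outside LDIF's SAFE-STRING (RFC 2849), which keeps an embedded newline from adding attributes to an entry.

```python
import base64
import re

# Placeholder base DN (assumption); the thread only says "not necessarily ou=People".
BASE_DN = "ou=WikiUsers,dc=example,dc=org"

# RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, must not start with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")

def ldif_attr(name, value):
    """One LDIF attribute line; anything outside SAFE-STRING goes out as base64."""
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def escape_rdn(value):
    """Escape an RDN value per RFC 4514 so a user name cannot add DN components."""
    out = re.sub(r'([\\",+;<>])', r"\\\1", value).replace("\x00", "\\00")
    if value[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def user_to_ldif(user):
    """Build one inetOrgPerson entry; password hashes are deliberately left out."""
    name = user["name"]
    display = user.get("real_name") or name
    lines = [
        ldif_attr("dn", f"uid={escape_rdn(name)},{BASE_DN}"),
        "objectClass: inetOrgPerson",
        ldif_attr("uid", name),
        ldif_attr("cn", display),
        ldif_attr("sn", display),  # inetOrgPerson requires sn; reusing cn is an assumption
    ]
    if user.get("email"):
        lines.append(ldif_attr("mail", user["email"]))
    return "\n".join(lines) + "\n"

# Constructed sample export rows, including values that would break naive output.
SAMPLE_USERS = [
    {"name": "Alice", "real_name": "Alice Example", "email": "alice@example.org"},
    {"name": "Smith, Bob", "real_name": "José Smith", "email": ""},
    {"name": "eve", "real_name": "Eve\nmemberOf: cn=admins"},
]

if __name__ == "__main__":
    print("\n".join(user_to_ldif(u) for u in SAMPLE_USERS))
```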