[Systems] SL Central Login (was Re: [Systems-logs] [DNS] Sugar Labs DNS zone data branch, master, updated. 8f472af67a1177a9644675b1fd2c2af7dff2e77a)

Aleksey Lim alsroot at activitycentral.org
Tue Sep 27 23:11:04 EDT 2011


On Tue, Sep 27, 2011 at 10:35:20PM -0400, Frederick Grose wrote:
> On Tue, Sep 27, 2011 at 4:57 PM, Aleksey Lim <alsroot at activitycentral.org> wrote:
> 
> > On Tue, Sep 20, 2011 at 12:42:47PM +0000, Aleksey Lim wrote:
> > > I think it will be useful to start settling down the question about
> > > common SL login system. At least the system, Sweets[1], whose testing
> > > version I'm hoping to publicly announce this week, after trying to do
> > > that at Sep 18, will require being authed to release new software
> > > versions within this new system. For now it uses CAS on top of our
> > > LDAP but there are several issues:
> > >
> > > * to have LDAP record, people need to request for shell account (but
> > >   there is no need in shell account for Sweets at all, only being
> > >   authenticated)
> > > * the process to create this account is not user-friendly at all
> > >   (email request to RT)
> > >
> > > I guess we need to collect all info related to central login on, e.g., [2]
> > > and have an infrastructure meeting to discuss how [2] might be
> > > implemented.
> > >
> > > [1] http://wiki.sugarlabs.org/go/Platform_Team/Sweets
> > > [2] http://wiki.sugarlabs.org/go/Infrastructure_Team/Central_Login
> >
> > The progress:
> >
> >  bernie │ here's a proposal:
> >  bernie │ 1. we export the mediawiki users db to some text file
> > alsroot │ bernie: at least http://www.mediawiki.org/wiki/Extension:LDAP_Authentication says about creating users in ldap
> >  bernie │ 2. we convert this data to ldif
> >  bernie │ 3. we import the ldif into ldap (it does not have to be in ou=People)
> >  bernie │ alsroot: oh! that will save time
> >  bernie │ 4. we make CAS fetch users from LDAP
> >  bernie │ 5. we make mediawiki authenticate users with CAS (this is what we do at the FSF, i know it works well)
> >  bernie │ 6. we create a page to setup a new account in LDAP (this could be done by mediawiki too if the extension is smart enough!)
> >  bernie │ alsroot: throwing CAS in the middle makes things more complex, but we need this if we want to provide a *single* sign-on
> > alsroot │ bernie: do you have time to take care about 1-3?
> >  bernie │ alsroot: if mediawiki does its own authentication against ldap, we have only solved half of the issue: one identity instead of many separate ones... but users will still have to type in their passwords in each Sugar Labs app
> >  bernie │ alsroot: i might look into it this week-end
> >  bernie │ alsroot: maybe earlier
> > alsroot │ bernie: ok, will experiment w/ wiki-devel for using wiki as a users management tool and using cas for login, if will manage to finish it, will take a look to merging wiki db
> >
> > --
> > Aleksey
> 
> 
> Since 13 July 2010, all new wiki accounts have been required to use OpenID.
>  This has greatly reduced wiki abuse.
> 
> Many wikis are abused by new account page attacks.  For some reason, those
> abusers don't bother with the OpenID authentication.

I don't remember, does mediawiki use email verification for creating new
accounts?

> Will the CAS implementation provide a similar deterrent without imposing a
> usability barrier?

At least it should look the same as it was before disabling creating new
users on wiki, i.e., the option to follow cas/ldap way (with having
single login) and using openid (w/o single login). And ideally for all
SL services.

> Please discuss the effect of the proposed changes on these aspects of
> community experience.
> 
> Thanks,           --Fred

-- 
Aleksey

