[Systems] SL Central Login (was Re: [Systems-logs] [DNS] Sugar Labs DNS zone data branch, master, updated. 8f472af67a1177a9644675b1fd2c2af7dff2e77a)
Aleksey Lim
alsroot at activitycentral.org
Tue Sep 27 23:11:04 EDT 2011
On Tue, Sep 27, 2011 at 10:35:20PM -0400, Frederick Grose wrote:
> On Tue, Sep 27, 2011 at 4:57 PM, Aleksey Lim <alsroot at activitycentral.org> wrote:
>
> > On Tue, Sep 20, 2011 at 12:42:47PM +0000, Aleksey Lim wrote:
> > > I think it will be useful to start settling down the question about
> > > common SL login system. At least the system, Sweets[1], whose testing
> > > version I'm hoping to publicly announce this week, after trying to do that at
> > > Sep 18, will require being authed to release new software versions within
> > > this new system. For now it uses CAS on top of our LDAP but there are
> > > several issues:
> > >
> > > * to have LDAP record, people need to request for shell account (but
> > > there is no need in shell account for Sweets at all, only being
> > > authenticated)
> > > * the process to create this account is not user-friendly at all
> > > (email request to RT)
> > >
> > > I guess we need to collect all info related to central login on, e.g., [2]
> > > and have an infrastructure meeting to discuss how [2] might be
> > > implemented.
> > >
> > > [1] http://wiki.sugarlabs.org/go/Platform_Team/Sweets
> > > [2] http://wiki.sugarlabs.org/go/Infrastructure_Team/Central_Login
> >
> > The progress:
> >
> > bernie │ here's a proposal:
> > bernie │ 1. we export the mediawiki users db to some text file
> > alsroot │ bernie: at least http://www.mediawiki.org/wiki/Extension:LDAP_Authentication says about creating users in ldap
> > bernie │ 2. we convert this data to ldif
> > bernie │ 3. we import the ldif into ldap (it does not have to be in ou=People)
> > bernie │ alsroot: oh! that will save time
> > bernie │ 4. we make CAS fetch users from LDAP
> > bernie │ 5. we make mediawiki authenticate users with CAS (this is what we do at the FSF, i know it works well)
> > bernie │ 6. we create a page to setup a new account in LDAP (this could be done by mediawiki too if the extension is smart enough!)
> > bernie │ alsroot: throwing CAS in the middle makes things more complex, but we need this if we want to provide a *single* sign-on
> > alsroot │ bernie: do you have time to take care about 1-3?
> > bernie │ alsroot: if mediawiki does its own authentication against ldap, we have only solved half of the issue: one identity instead of many separate ones... but users will still have to type in their passwords in each Sugar Labs app
> > bernie │ alsroot: i might look into it this week-end
> > bernie │ alsroot: maybe earlier
> > alsroot │ bernie: ok, will experiment w/ wiki-devel for using wiki as a users management tool and using cas for login, if will manage to finish it, will take a look to merging wiki db
> >
> > --
> > Aleksey
>
>
> Since 13 July 2010, all new wiki accounts have been required to use OpenID.
> This has greatly reduced wiki abuse.
>
> Many wikis are abused by new account page attacks. For some reason, those
> abusers don't bother with the OpenID authentication.
I don't remember, does mediawiki use email verification for creating new
accounts?
> Will the CAS implementation provide a similar deterrent without imposing a
> usability barrier?
At least it should look the same as it was before disabling creating new
users on wiki, i.e., the option to follow cas/ldap way (with having
single login) and using openid (w/o single login). And ideally for all
SL services.
> Please discuss the effect of the proposed changes on these aspects of
> community experience.
>
> Thanks, --Fred
--
Aleksey
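
Steps 1-3 of the proposal quoted above (export the wiki users, convert the data to LDIF, import it into LDAP), sketched as an added example that is not part of the original thread or Sugar Labs' own tooling. The tab-separated export layout, the `ou=WikiUsers,dc=example,dc=org` base DN and the function names are assumptions; password hashes are deliberately not carried over, and user names are escaped so that characters such as `,` or `+` cannot alter the DN.

```python
import base64
import csv
import io

# Constructed sample export (tab-separated: username, real name, e-mail).
SAMPLE_EXPORT = ("alice\tAlice Example\talice@example.org\n"
                 "Doe, J+\tJosé Doe\tjdoe@example.org\n")
BASE_DN = "ou=WikiUsers,dc=example,dc=org"  # assumed subtree outside ou=People

def escape_rdn(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def ldif_line(attr, value):
    """One LDIF line; base64 when the value is not a SAFE-STRING (RFC 2849)."""
    safe = (value[0] not in " :<" and value[-1] != " "
            and all(0x20 <= ord(c) <= 0x7E for c in value))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def export_to_ldif(text):
    """Convert the export into LDIF entries; password hashes are not carried over."""
    entries = []
    rows = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for user, real_name, mail in rows:
        if not user:
            continue  # an entry without a uid cannot be addressed
        name = real_name or user  # cn and sn are mandatory for inetOrgPerson
        lines = [ldif_line("dn", f"uid={escape_rdn(user)},{BASE_DN}"),
                 "objectClass: inetOrgPerson",
                 ldif_line("uid", user), ldif_line("cn", name), ldif_line("sn", name)]
        if mail:
            lines.append(ldif_line("mail", mail))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    print(export_to_ldif(SAMPLE_EXPORT), end="")
```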