[SAC] Offering OpenID for OSGeo Users

Frank Warmerdam warmerdam at pobox.com
Mon Jul 30 09:07:50 EDT 2007


Christopher Schmidt wrote:
> In an effort to make it easier to use OSGeo identities in a
> distributable way, it would be possible to set up a PHP Standalone
> OpenID Server[3] to authenticate against LDAP. 
...
> I started playing with this last night, on geodata.telascience.org
> (which can talk to the LDAP server). I think I'm actually pretty close
> to getting it working, but I don't have root on the box, and the PHP
> settings are to hide all errors, so I'm having a lot of trouble
> debugging it. :)  

Chris,

I think providing openid access to ldap authentication sounds like
a good idea if you can be fairly certain that it isn't going to
introduce security problems.  That is, are you pretty confident of
the stability of the PHP code used to implement this gateway?

Did you do this work referencing ldap.osgeo.org or the ldap used for
the telascience blades?  I didn't think that the telascience blades
currently had access to ldap.osgeo.org at all but I could be behind
the times.

If you are actually working against the wrong ldap now I'd suggest
we give you a test.osgeo.org account (the secondary machine with
the same hardware configuration as www.osgeo.org) and you set it
up there, taking careful note of what would need to be moved.

The test.osgeo.org machine has access to ldap.osgeo.org, and is
configured quite similarly to the main machine so it should be easy
to migrate stuff over.  Once completed and migrated, the
openid.osgeo.org would resolve to the main machine ... the same
system that has the ldap on it.

> Steps to getting this to work:
>  * Getting the error display for PHP turned on, so that the rest of the
>    system can be debugged in its current state. This may involve needing
>    root on some machine to install some packages -- I'm not sure yet.
>    More importantly, a PHP directory I can write to on some server that
>    can talk to LDAP is important.
>  * Once the system is up and running, styling the templates to look like
>    the OSGeo homepage.

We aren't really too good at standardized look and feel, and I'd
suggest that doing this for the openid stuff could be pretty low
priority.

>  * Making profile editing links go directly to OSGeo pages, rather than
>    having any internal profile information.

I gather you mean making use of forms like

   https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py

Is that right?

>  * Cleaning up URLs, so that '/crschmidt' is used instead of
>    ?user=crschmidt

Is this within the PHP openid interface application?

>  * Making the 'this is the profile page for' pages have relevant
>    links:
>    http://crschmidt.net/~crschmidt/PHP-server-1.1/src/?user=crschmidt

Are you suggesting that there should be an informational page
similar to ldap_edit_user.py?  Or is this something you would
do within the openid php stuff?

> I'm willing to do all the work here, so long as someone gives me the
> information on where I need to be doing the work so that I don't screw
> anything up. :)

I'm willing to help a bit.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | President OSGeo, http://osgeo.org
