[SAC] #103: Move main OSGeo Wiki to OSGeo infrastructure

Martin Spott Martin.Spott at mgras.net
Fri Nov 2 10:52:47 EDT 2007


Hi Christopher,

On Thu, Nov 01, 2007 at 08:22:49PM -0400, Christopher Schmidt wrote:
> On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:

> > I certainly don't want to sound harsh. Yet I'd like to pronounce my
> > concern which regards running a 'critical' authentication service on a
> > machine that probably only very few SAC members have admin access to,
> > that runs on a single disk with no backup and that offers a login page
> > to transfer unencrypted passwords.
> 
> The service should be trivial to set up on any machine that has PHP +
> LDAP Auth, plus MySQL installed.. The code is tarballed and backed up
> described on http://wiki.osgeo.org/index.php/OpenID/SAC .

Several questions come into my mind - mostly resulting from the
impression that this/your OpenID server resembles sort of a black box
at least to me ....  I have to admit that I did _not_ take the time (I
simply can't afford the time) to read all the PHP sources from the
backup. Maybe you could help me to get some things clear:

1.) Where is this MySQL dump ?
2.) Why do we need a database for running the OpenID service !? Without
    having major insight into this server it tastes a bit like
    duplicating authorization data.
3.) Do you run SSL encryption on the LDAP connection when you're
    verifying users against our user directory ?
4.) Would you consider allowing HTTP SSL encryption for your OpenID
    login page ?


> Note that no/few other OSGeo login services use SSL -- trac, the main
> homepage, etc.

I know, this is still the case, but such deficiency doesn't really make
things better and personally I'm not very much inclined to count this
as a "very good excuse" (TM  ;-)

> Okay. Note that nothing has really changed in this regard:
> openid.osgeo.org has been up and running since the end of July. It's not
> a new service, I just actually got reminded I had set it up. 

Ah, ok. Yet I'd say things should get straightened out before we start
considering the use of this OpenID service for 'critical' operations.
Personally I'd still prefer doing direct LDAP authentication at least
for OSGeo's _own_ services - and be it simply because I don't have any
experience where to start debugging when OpenID authentication fails.

Cheerio,
	Martin.
P.S.: I'll be almost totally off-line over this weekend, as we won't
      have internet connection at the Lelysta show.
-- 
 Unix _IS_ user friendly - it's just selective about who its friends are !