[SAC] Offering OpenID for OSGeo Users

Christopher Schmidt crschmidt at metacarta.com
Mon Jul 30 18:50:20 EDT 2007


On Mon, Jul 30, 2007 at 09:07:50AM -0400, Frank Warmerdam wrote:
> Christopher Schmidt wrote:
> >In an effort to make it easier to use OSGeo identities in a
> >distributable way, it would be possible to set up a PHP Standalone
> >OpenID Server[3] to authenticate against LDAP. 
> ...
> >I started playing with this last night, on geodata.telascience.org
> >(which can talk to the LDAP server). I think I'm actually pretty close
> >to getting it working, but I don't have root on the box, and the PHP
> >settings are to hide all errors, so I'm having a lot of trouble
> >debugging it. :)  
> 
> Chris,
> 
> I think providing openid access to ldap authentication sounds like
> a good idea if you can be fairly certain that it isn't going to
> introduce security problems.  That is, are you pretty confident of
> the stability of the PHP code used to implement this gateway?

Certainly, insofar as the interaction with LDAP is concerned. The rest
of the code I'm less explicitly familiar with -- I've written the LDAP
integration myself, whereas the rest of it is existing code. However,
I've read through enough of it to feel reasonably confident --
certainly, I've read more of the code, percentagewise, than Drupal ;) 

> Did you do this work referencing ldap.osgeo.org or the ldap used for
> the telascience blades?  I didn't think that the telascience blades
> currently had access to ldap.osgeo.org at all but I could be behind
> the times.

The geodata.telascience one apparently does currently.

> The test.osgeo.org machine has access to ldap.osgeo.org, and is
> configured quite similarly to the main machine so it should be easy
> to migrate stuff over.  Once completed and migrated, openid.osgeo.org
> would resolve to the main machine ... the same system that has the
> ldap on it.

Is the existing test.osgeo.org server significantly different from
geodata.telascience.org? If so, is it likely to be in a way that
matters to me? 

> >Steps to getting this to work:
> > * Getting the error display for PHP turned on, so that the rest of the
> >   system can be debugged in its current state. This may involve needing
> >   root on some machine to install some packages -- I'm not sure yet.
> >   More importantly, a PHP directory I can write to on some server that
> >   can talk to LDAP is important
> > * Once the system is up and running, styling the templates to look like
> >   the OSGeo homepage.
> 
> We aren't really too good at standardized look and feel, and I'd
> suggest that doing this for the openid stuff could be pretty low
> priority.

I understand that. I also think it's a flaw that I'd like to avoid with
the OpenID system :)

> > * Making profile editing links go directly to OSGeo pages, rather than
> >   having any internal profile information.
> 
> I gather you mean making use of forms like
> 
>   https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py

Yep. Or possibly just pulling the link out altogether. It's not clear
yet how much of the profile information I'll be able to use --
certainly, no profile information is required at all for OpenID support,
but some sites do support automated filling in of profile information
based on an OpenID extension, so if I can figure out how to get it
loaded into the PHP OpenID framework, that would be great.

> > * Cleaning up URLs, so that '/crschmidt' is used instead of
> >   ?user=crschmidt
> 
> Is this within the PHP openid interface application?

Yes, and/or the .htaccess controlling it.

> > * Making the 'this is the profile page for' pages have relevant
> >   links:
> >   http://crschmidt.net/~crschmidt/PHP-server-1.1/src/?user=crschmidt
> 
> Are you suggesting that there should be an informational page
> similar to ldap_edit_user.py?  Or is this something you would
> do within the openid php stuff?

This is, again, within the OpenID stuff: I just want the page
'http://openid.osgeo.org/crschmidt' to say something like:

"This is the OSGeo OpenID page for Christopher Schmidt. His OSGeo
account page is <a href="http://osgeo.org/user/31">available on the main
osgeo site</a>." 

or something like that.

Thanks for the feedback!

Regards,
-- 
Christopher Schmidt
MetaCarta
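As an added illustration of the point Frank raises above (whether the LDAP gateway behind the OpenID server can be trusted), this is the shape a defensive LDAP credential check for such a gateway can take. It is example code written for this archive page, not Chris's integration and not part of the PHP OpenID Server project; the server URI, base DN, attribute name and function name are placeholders I assume here, not OSGeo's real settings.

```php
<?php
// Added example, not the post's or the PHP OpenID Server's own code.
// Connection settings are assumed placeholders, not OSGeo's real values.
const LDAP_URI      = 'ldaps://ldap.example.org';     // assumed; LDAPS so the bind is never in clear text
const LDAP_BASE_DN  = 'ou=People,dc=example,dc=org';  // assumed
const LDAP_UID_ATTR = 'uid';                          // assumed login attribute

/**
 * Check a login/password pair against the directory.
 * Returns the user's DN on success, or null on any failure. Every failure
 * path returns the same null so callers cannot tell "no such user" from
 * "wrong password", and LDAP error text goes to the server log only.
 */
function osgeo_ldap_authenticate(string $username, string $password): ?string
{
    // 1. Refuse empty passwords before touching LDAP: many servers treat a
    //    bind with an empty password as an anonymous bind, which "succeeds"
    //    without proving anything about the account.
    if (trim($password) === '') {
        return null;
    }

    // 2. Constrain the login to a conservative character set. This is also
    //    what keeps a clean URL such as /crschmidt safe to build from it.
    if (!preg_match('/^[a-z0-9][a-z0-9_.-]{0,63}$/i', $username)) {
        return null;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 3. Look the account up with a filter whose user-supplied part is
    //    escaped per RFC 4515, so "*", "(", ")" or "\" in the login cannot
    //    widen the search or splice extra terms into the filter.
    //    (Assumes the directory allows an anonymous search on the uid
    //    attribute; otherwise bind with a read-only service account first.)
    $filter = sprintf('(%s=%s)', LDAP_UID_ATTR, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $search = ldap_search($conn, LDAP_BASE_DN, $filter, ['dn'], 0, 2);
    if ($search === false) {
        error_log('ldap search failed: ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }

    // 4. Exactly one entry must match; zero or several is a refusal.
    $entries = ldap_get_entries($conn, $search);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return null;
    }
    $dn = $entries[0]['dn'];

    // 5. Prove the password by binding as the user's own DN. Comparing a
    //    stored password attribute in PHP would be the wrong design; the
    //    directory is the only component that should see the hash.
    $ok = @ldap_bind($conn, $dn, $password);
    if (!$ok) {
        error_log('ldap bind refused for ' . $dn . ': ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return $ok ? $dn : null;
}
```

The two checks worth keeping whatever framework ends up hosting this are the empty-password refusal (an anonymous bind otherwise looks like a successful login) and the filter escaping (otherwise a login such as `*` matches every entry). Logging the LDAP error server-side rather than echoing it also sidesteps the "PHP hides all errors" debugging problem described earlier in the thread without leaking directory details to the browser.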
