[SAC] #103: Move main OSGeo Wiki to OSGeo infrastructure

Christopher Schmidt crschmidt at metacarta.com
Fri Nov 2 11:23:42 EDT 2007


On Fri, Nov 02, 2007 at 03:52:47PM +0100, Martin Spott wrote:
> Hi Christopher,
> 
> On Thu, Nov 01, 2007 at 08:22:49PM -0400, Christopher Schmidt wrote:
> > On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:
> 
> > > I certainly don't want to sound harsh. Yet I'd like to pronounce my
> > > concern which regards running a 'critical' authentication service on a
> > > machine that probably only very few SAC members have admin access to,
> > > that runs on a single disk with no backup and that offers a login page
> > > to transfer unencrypted passwords.
> > 
> > The service should be trivial to set up on any machine that has PHP +
> > LDAP Auth, plus MySQL installed. The code is tarballed and backed up as
> > described on http://wiki.osgeo.org/index.php/OpenID/SAC .
> 
> Several questions come into my mind - mostly resulting from the
> impression that this/your OpenID server resembles sort of a black box
> at least to me ....  I have to admit that I did _not_ take the time (I
> simply can't afford the time) to read all the PHP sources from the
> backup. Maybe you could help me to get some things clear:
> 
> 1.) Where is this MySQL dump ?

Inside the tarball, called 'mysqldump'

> 2.) Why do we need a database for running the OpenID service !? Without
>     having major insight into this server it tastes a bit like
>     duplicating authorization data.

The authorization data is not stored. Instead:

 * Temporary data for 'nonces' is stored, as the user moves through the
   auth process.
 * Data about which sites to 'trust' is stored, so that when I login
   to a site which I have said "Trust always" to, I don't have to agree
   to trust them again.

> 3.) Do you run SSL encryption on the LDAP connection when you're
>     verifying users against our user directory ?

Yes.

> 4.) Would you consider allowing HTTP SSL encryption for your OpenID
>     login page ?

Sure! I have no problem with it, but we don't have an SSL cert for that
server, and I have absolutely *no* knowledge about (successfully)
configuring SSL certification for a website.

> 
> > Note that no/few other OSGeo login services use SSL -- trac, the main
> > homepage, etc.
> 
> I know, this is still the case, but such deficiency doesn't really make
> things better and personally I'm not very much inclined to count this
> as a "very good excuse" (TM  ;-)

I don't either, but I don't consider it a blocker in releasing the
OpenID service either.

> > Okay. Note that nothing has really changed in this regard:
> > openid.osgeo.org has been up and running since the end of July. It's not
> > a new service, I just actually got reminded I had set it up. 
> 
> Ah, ok. Yet I'd say things should get straightened out before we start
> considering the use of this OpenID service for 'critical' operations.
> Personally I'd still prefer doing direct LDAP authentication at least
> for OSGeo's _own_ services - and be it simply because I don't have any
> experience where to start debugging when OpenID authentication fails.

Sure. I understand and agree: My OpenID suggestion was under the
impression that LDAP auth was hard for technical reasons. Since it's
not, OpenID is only designed for interaction with *remote* sites --
like, for example, the MapBuilder Wiki, or MapServer Plone site, which
don't have access or technical capabilities to allow LDAP logins based
on the OSGeo LDAP directory. 

Regards,
-- 
Christopher Schmidt
MetaCarta
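The two kinds of state Christopher describes (temporary nonces for an in-progress login, and per-user "Trust always" decisions for remote sites) are exactly what an OpenID provider needs a database for, even though it stores no passwords. The following is an added example written for this page, not the openid.osgeo.org PHP code: a small SQLite-backed store with a one-time, expiring nonce table and a trust table, plus a login function in which `verify_credentials` is an assumed stand-in for the bind against the user directory (LDAP over SSL in the thread), so the password never reaches the database. The 300-second nonce lifetime, the table and column names and the sample user are constructed for the example.

```python
"""Minimal OpenID-provider state store: nonces and trust decisions only.

Added example, not the openid.osgeo.org code. Table names, the nonce
lifetime and the verify_credentials hook are assumptions for illustration.
"""
import secrets
import sqlite3
import time

NONCE_TTL_SECONDS = 300  # assumed lifetime of an unused nonce


class OpenIDStateStore:
    """Holds the two kinds of state the thread describes and nothing else."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(
            """
            CREATE TABLE IF NOT EXISTS nonces (
                nonce     TEXT PRIMARY KEY,
                issued_at INTEGER NOT NULL
            );
            CREATE TABLE IF NOT EXISTS trusted_sites (
                username   TEXT NOT NULL,
                trust_root TEXT NOT NULL,
                PRIMARY KEY (username, trust_root)
            );
            """
        )

    # --- temporary data while a login round trip is in progress -----------
    def issue_nonce(self, now=None):
        """Mint an unpredictable nonce and record when it was issued."""
        now = int(time.time()) if now is None else now
        nonce = secrets.token_urlsafe(16)
        self.db.execute("INSERT INTO nonces VALUES (?, ?)", (nonce, now))
        self.db.commit()
        return nonce

    def consume_nonce(self, nonce, now=None):
        """Accept a nonce exactly once, and only while it is still fresh."""
        now = int(time.time()) if now is None else now
        row = self.db.execute(
            "SELECT issued_at FROM nonces WHERE nonce = ?", (nonce,)
        ).fetchone()
        # Delete unconditionally so a replayed or stale nonce cannot linger.
        self.db.execute("DELETE FROM nonces WHERE nonce = ?", (nonce,))
        self.db.commit()
        if row is None:
            return False
        return now - row[0] <= NONCE_TTL_SECONDS

    # --- persistent "Trust always" decisions per user and relying site ----
    def remember_trust(self, username, trust_root):
        self.db.execute(
            "INSERT OR IGNORE INTO trusted_sites VALUES (?, ?)",
            (username, trust_root),
        )
        self.db.commit()

    def is_trusted(self, username, trust_root):
        return self.db.execute(
            "SELECT 1 FROM trusted_sites WHERE username = ? AND trust_root = ?",
            (username, trust_root),
        ).fetchone() is not None

    def stored_columns(self):
        """All column names in the store; shows that no credential column exists."""
        cols = []
        # Table names come from sqlite_master, not from user input.
        for (table,) in self.db.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"
        ):
            cols += [r[1] for r in self.db.execute("PRAGMA table_info(%s)" % table)]
        return sorted(cols)


def complete_login(store, nonce, username, password, trust_root,
                   verify_credentials, now=None):
    """Outcome of one login round trip at the provider.

    verify_credentials(username, password) -> bool is the assumed hook for
    the directory bind (LDAP over SSL in the thread). The store only ever
    sees the nonce and the trust decision, never the password.
    """
    if not store.consume_nonce(nonce, now):
        return "invalid_nonce"
    if not verify_credentials(username, password):
        return "bad_credentials"
    if store.is_trusted(username, trust_root):
        return "approved"
    return "ask_trust"  # caller shows the trust prompt, then remember_trust()
```

The nonce is deleted whether or not it validates, so a second submission of the same nonce is refused, and `stored_columns()` makes the point from the thread checkable: the only persistent data is the nonce bookkeeping and the (user, trust_root) pairs.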

