[SAC] OSGeo Id creation disabled

Alex Mandel tech_dev at wildintellect.com
Fri Apr 29 20:24:03 PDT 2016


I just recalled something useful. It would be great if we could
blacklist certain email domains. In particular yopmail and dayrep, which
are disposable email addresses (public readable, trashes all mail after
8 days), were used for many of the spam accounts recently. An email
service like that is contradictory to being able to use email to recover
passwords when forgotten.

Thanks,
Alex

On 2016-04-29 09:23, Alex M wrote:
> Frank,
> 
> I don't think there's a ticket yet. We should make those 2 items, 2
> different tickets.
> 
> Also I'll make a ticket for me, I'll attempt to spruce up the pages with
> a little OSGeo branding to make them look less sketchy.
> 
> Thanks,
> Alex
> 
> On 04/29/2016 09:18 AM, Frank Warmerdam wrote:
>> Folks,
>>
>> I'm willing to update the LDAP account creation to require email
>> validation.  That is, I'll send out an email and they have to follow
>> the link in the email to confirm before the account is actually
>> created.
>>
>> Is there a SAC ticket on this?  I should be able to do it today or tomorrow.
>>
>> I'll likely also try and put in place self-service password reset
>> using a similar mechanism.
>>
>> Best regards,
>> Frank
>>
>>
>> On Thu, Apr 28, 2016 at 8:05 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>>> On 04/28/2016 08:04 AM, Alex Mandel wrote:
>>>> On 04/28/2016 07:19 AM, Alex Mandel wrote:
>>>>> On 04/28/2016 01:41 AM, Sandro Santilli wrote:
>>>>>> On Wed, Apr 27, 2016 at 02:42:52PM -0700, Alex M wrote:
>>>>>>
>>>>>>> As a follow-up, we are now looking for someone who wants to improve our
>>>>>>> creation system with Captcha, and/or email confirmation. If you think
>>>>>>> you can build (or modify the existing) such a system to work with our
>>>>>>> LDAP please contact the OSGeo System Administration Committee (SAC).
>>>>>>
>>>>>> Should this part be sent on osgeo-discuss ?
>>>>>
>>>>> Maybe, all the people who run sites using this should be on the SAC
>>>>> list. We could add a link to the maintenance page on how to contact SAC.
>>>>>
>>>>>> Anyway, what about doing something simple like asking to enter
>>>>>> a number derived from some request headers ? Like the first
>>>>>> 5 characters of the md5 of the remote ip ...
>>>>>>
>>>>>
>>>>> Yes anything for now that is hard for a bot (since it might get
>>>>> re-written). With a more robust solution later.
>>>>>
>>>>> Thanks,
>>>>> Alex
>>>>
>>>> https://www.ldap-account-manager.org/lamcms/lamPro/features#selfService
>>>>
>>>> Of course the open source variant doesn't have the User Self service
>>>> module...
>>>>
>>>> That's the only pre-built solution I've found so far with user
>>>> self-registration, email verification and user self service password reset.
>>>>
>>>> Keep looking.
>>>>
>>>> Alex
>>>
>>>
>>> Correction, also this
>>> http://ltb-project.org/wiki/documentation/self-service-password
>>>
>>> But it's not clear it has a registration tool.
>>>
>>> Thanks,
>>> Alex
>>>
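
The two measures discussed in this thread (refusing disposable domains such as yopmail and dayrep, and creating the account only after the emailed link is followed), sketched as an added example that is not part of the original messages or OSGeo's own code. The function names, the HMAC-signed token format and the 24-hour link lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Constructed blocklist holding the two disposable-mail services named above.
BLOCKED_DOMAINS = {"yopmail.com", "dayrep.com"}
TOKEN_TTL = 24 * 3600  # assumed lifetime of a confirmation link, in seconds

def domain_blocked(email):
    """True if the address's domain or any parent domain is blocklisted."""
    labels = email.rsplit("@", 1)[-1].strip().lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def make_token(secret, username, email, now=None):
    """Signed value to embed in the confirmation link that is mailed out."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{username}\n{email.lower()}\n{expires}".encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode()

def request_account(secret, username, email, now=None):
    """Step 1: refuse blocked domains; otherwise return the token to e-mail."""
    if "@" not in email or domain_blocked(email):
        return None
    return make_token(secret, username, email, now)

def verify_token(secret, token, now=None):
    """Step 2: return (username, email) for a valid, unexpired token, else None.
    Only after this succeeds would the LDAP entry be created."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    payload, sig = raw[:-32], raw[-32:]  # SHA-256 tag is the last 32 bytes
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        username, email, expires = payload.decode().split("\n")
    except ValueError:  # also covers UnicodeDecodeError
        return None
    if int(expires) < (time.time() if now is None else now):
        return None
    return username, email
```

The token is stateless, so the creation step still has to reject a username that already exists; otherwise a link could be replayed within its lifetime.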



