[SAC] OSGeo Id creation disabled

Alex M tech_dev at wildintellect.com
Tue May 3 13:05:11 PDT 2016


Sorry, doesn't seem to be enough, had to disable it again. Trac spamming
still is squashed and I did verify that new accounts since your change
are being used.

Though looking at the rate, makes me think someone is doing it by hand
(although shifting IPs).

Updated ticket.

Thanks,
Alex

On 04/30/2016 01:58 PM, Frank Warmerdam wrote:
> Alex,
> 
> I can do that.
> 
> I have created ticket https://trac.osgeo.org/osgeo/ticket/1665 to
> track my work today.
> 
> Hmm, it appears I neglected to send this earlier today when I started
> this work and it is now done, actually using Recaptcha:
> 
> https://www2.osgeo.org/cgi-bin/ldap_create_user.py
> 
> Best regards,
> Frank
> 
> On Fri, Apr 29, 2016 at 8:24 PM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>> I just recalled something useful. It would be great if we could
>> blacklist certain email domains. In particular yopmail and dayrep which
>> are disposable email addresses (public readable, trashes all mail after
>> 8 days) were used for many of the spam accounts recently. An email
>> service like that is contradictory to being able to use email to recover
>> passwords when forgotten.
>>
>> Thanks,
>> Alex
>>
>> On 2016-04-29 09:23, Alex M wrote:
>>> Frank,
>>>
>>> I don't think there's a ticket yet. We should make those 2 items, 2
>>> different tickets.
>>>
>>> Also I'll make a ticket for me, I'll attempt to spruce up the pages with
>>> a little OSGeo branding to make them look less sketchy.
>>>
>>> Thanks,
>>> Alex
>>>
>>> On 04/29/2016 09:18 AM, Frank Warmerdam wrote:
>>>> Folks,
>>>>
>>>> I'm willing to update the LDAP account creation to require email
>>>> validation.  That is, I'll send out an email and they have to follow
>>>> the link in the email to confirm before the account is actually
>>>> created.
>>>>
>>>> Is there a SAC ticket on this?  I should be able to do it today or tomorrow.
>>>>
>>>> I'll likely also try and put in place self-service password reset
>>>> using a similar mechanism.
>>>>
>>>> Best regards,
>>>> Frank
>>>>
>>>>
>>>> On Thu, Apr 28, 2016 at 8:05 AM, Alex Mandel <tech_dev at wildintellect.com> wrote:
>>>>> On 04/28/2016 08:04 AM, Alex Mandel wrote:
>>>>>> On 04/28/2016 07:19 AM, Alex Mandel wrote:
>>>>>>> On 04/28/2016 01:41 AM, Sandro Santilli wrote:
>>>>>>>> On Wed, Apr 27, 2016 at 02:42:52PM -0700, Alex M wrote:
>>>>>>>>
>>>>>>>>> As a follow-up, we are now looking for someone who wants to improve our
>>>>>>>>> creation system with Captcha, and/or email confirmation. If you think
>>>>>>>>> you can build (or modify the existing) such a system to work with our
>>>>>>>>> LDAP please contact the OSGeo System Administration Committee (SAC).
>>>>>>>>
>>>>>>>> Should this part be sent on osgeo-discuss?
>>>>>>>
>>>>>>> Maybe, all the people who run sites using this should be on the SAC
>>>>>>> list. We could add a link to the maintenance page on how to contact SAC.
>>>>>>>
>>>>>>>> Anyway, what about doing something simple like asking to enter
>>>>>>>> a number derived from some request headers? Like the first
>>>>>>>> 5 characters of the md5 of the remote ip ...
>>>>>>>>
>>>>>>>
>>>>>>> Yes anything for now that is hard for a bot (since it might get
>>>>>>> re-written). With a more robust solution later.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Alex
>>>>>>
>>>>>> https://www.ldap-account-manager.org/lamcms/lamPro/features#selfService
>>>>>>
>>>>>> Of course the open source variant doesn't have the User Self service
>>>>>> module...
>>>>>>
>>>>>> That's the only pre-built solution I've found so far with user
>>>>>> self-registration, email verification and user self service password reset.
>>>>>>
>>>>>> Keep looking.
>>>>>>
>>>>>> Alex
>>>>>
>>>>>
>>>>> Correction, also this
>>>>> http://ltb-project.org/wiki/documentation/self-service-password
>>>>>
>>>>> But it's not clear it has a registration tool.
>>>>>
>>>>> Thanks,
>>>>> Alex
>>>>>
>>
>>
> 
> 
> 
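
The two measures discussed in this thread, refusing disposable email domains and creating the account only after an emailed link is followed, sketched as an added Python example (it is not the code of ldap_create_user.py or of anyone in the thread). The `.com` domains, the secret key, the token lifetime and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: the thread names the services only as "yopmail" and "dayrep";
# the .com domains below are assumed for illustration.
BLOCKED_DOMAINS = {"yopmail.com", "dayrep.com"}
SECRET = b"constructed-demo-key-load-a-random-one-from-config"
TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid (assumed)

def domain_blocked(email):
    """True if the address's domain, or any parent domain, is blocklisted."""
    domain = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    labels = domain.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))

def _sign(payload):
    # HMAC-SHA256 over the payload bytes, hex-encoded
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest().encode()

def issue_token(username, email, now=None):
    """Build the value carried in the emailed link; no account exists yet."""
    if domain_blocked(email):
        raise ValueError("disposable email domain refused")
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = json.dumps([username, email.lower(), expires]).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload).decode()

def confirm_token(token, now=None):
    """Return (username, email) for a valid, unexpired token, else None."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # missing separator or malformed base64
        return None
    # Constant-time comparison; the payload is parsed only after it verifies.
    if not hmac.compare_digest(sig.encode(), _sign(payload)):
        return None
    username, email, expires = json.loads(payload)
    if (time.time() if now is None else now) > expires:
        return None
    # Re-check: the blocklist may have grown since the link was sent.
    if domain_blocked(email):
        return None
    return username, email
```

The calling script would create the LDAP entry only when `confirm_token` returns a pair, so an address that never receives the mail never yields an account.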


