[SAC] LDAP Management Progress

Folks,

I have written two simple forms-driven Python scripts to provide some
minimum level of LDAP management:

The first lets you do simple searches against the LDAP database to find
people's userid. This is necessary to assign Trac bugs to them, add them
to svn groups and so forth. The search is case insensitive against the
cn (common name) field. If no hit is found, it also searches against the
userid and then the email address. I deliberately avoid showing the
email address in the result as I think it may be a privacy concern:

   https://www.osgeo.org/cgi-bin/ldap_web_search.py

I think it would be reasonable to require an authenticated user to do
the ldap_web_search.py.

The second script is for creating new users in LDAP. It does only some
minimal validation of inputs; it does no email confirmation or anything
similar. So it could definitely be abused.

   https://www.osgeo.org/cgi-bin/ldap_create_user.py

I believe Howard is going to use ScriptAlias or something like that to
give these more generic urls.

The forms exhibit my 1995 style cgi programming and styling skills. I don't
intend they be our *permanent* solution, but we have a pressing need for
something now.

Action items:
  o Howard to scriptalias them.
  o Add appropriate links to the new user script from the main drupal page

Note, these do *not* fulfill the "new member application" requirement, as for
that we need to collect quite a bit of additional information. At the very
least a mailing address and hopefully a lat/long location. We are lacking
a nice interface for managing project groups. For instance, I'd like a
simple form for project leads to add/remove/review the folks in their svn
groups. We also need a form for users to update their info (like email,
full name).

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org
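
The search flow described in the message above (cn first, then userid, then email, with the email address left out of the results), as an added example that is not the original ldap_web_search.py. The attribute names `cn`, `uid` and `mail`, substring matching, the in-memory `fake_query` stand-in and the sample entries are assumptions; the term is escaped before it goes into the filter so characters such as `*` or `(` stay literal.

```python
import re

# Added illustration, not the original ldap_web_search.py. Attribute names,
# substring matching and the sample entries below are assumptions.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
SEARCH_ORDER = ("cn", "uid", "mail")  # fallback order described in the message
PUBLIC_ATTRS = ("cn", "uid")          # mail can be matched on but is never returned

SAMPLE = [  # constructed directory entries
    {"cn": "Alice Example", "uid": "aexample", "mail": "alice@example.org"},
    {"cn": "Bob (Admin) Sample", "uid": "bsample", "mail": "bob@example.net"},
]


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so the term stays a literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attr, term):
    return "(%s=*%s*)" % (attr, escape_filter_value(term))


def fake_query(filt, attrs):
    """In-memory stand-in for a directory search: parses the single substring
    filter produced by build_filter and matches case-insensitively."""
    attr, needle = re.fullmatch(r"\((\w+)=\*(.*)\*\)", filt).groups()
    needle = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), needle)
    return [{a: e[a] for a in attrs}
            for e in SAMPLE if needle.lower() in e[attr].lower()]


def search(term, run_query=fake_query):
    """Try cn, then uid, then mail; stop at the first attribute with hits."""
    term = term.strip()
    if not term:
        return []  # an empty term would become a match-everything filter
    for attr in SEARCH_ORDER:
        hits = run_query(build_filter(attr, term), PUBLIC_ATTRS)
        if hits:
            return hits
    return []


if __name__ == "__main__":
    for term in ("ALICE", "bsamp", "example.net", "*", "(admin)"):
        print(repr(term), "->", search(term))
```
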

On 11-Feb-07, at 11:40 PM, Frank Warmerdam wrote:

> Note, these do *not* fulfill the "new member application" requirement, as for
> that we need to collect quite a bit of additional information. At the very
> least a mailing address and hopefully a lat/long location. We are lacking
> a nice interface for managing project groups. For instance, I'd like a
> simple form for project leads to add/remove/review the folks in their svn
> groups. We also need a form for users to update their info (like email,
> full name).

Do you think the new user form should be a bit more hidden until we have our broader member management application ready? I'm just thinking that we could get a bit carried away letting people make their own accounts without some more structure. I seek WebCom approval before creating a new translator user account, but now anyone can create a basic account regardless of approval.

Of course, they don't have any abilities by default though... :)

Tyler

Tyler Mitchell wrote:

> On 11-Feb-07, at 11:40 PM, Frank Warmerdam wrote:
>
> > Note, these do *not* fulfill the "new member application" requirement, as for
> > that we need to collect quite a bit of additional information. At the very
> > least a mailing address and hopefully a lat/long location. We are lacking
> > a nice interface for managing project groups. For instance, I'd like a
> > simple form for project leads to add/remove/review the folks in their svn
> > groups. We also need a form for users to update their info (like email,
> > full name).
>
> Do you think the new user form should be a bit more hidden until we have our broader member management application ready? I'm just thinking that we could get a bit carried away letting people make their own accounts without some more structure. I seek WebCom approval before creating a new translator user account, but now anyone can create a basic account regardless of approval.

Tyler,

I'm not sure why we should hold back on people creating accounts for
themselves as long as we don't give them any unusual privileges by
default. There was nothing holding people back from adding themselves
on CollabNet for instance.

I do see getting an OSGeo userid as being distinct from becoming an
OSGeo Member but I don't see any reason (yet) that we shouldn't let
people get accounts now.

I have deliberately avoided publicising it too widely yet till we
are a bit more comfortable. But I'm hoping we can start listing it
on the main drupal portal page, off the various Trac instances, and so
forth shortly.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org