[SAC] Offering OpenID for OSGeo Users

One of the important pieces of the OSGeo infrastructure is the user ID.
It provides the ability for users to login with the same username and
password at various parts of the OSGeo site infrastructure.

There are now applications being developed by OSGeo users which require
login infrastructure. Thankfully, there is a distributed
login/authentication system: "OpenID: an actually distributed identity
system"[1]. OpenID allows you to enter a URL -- like
http://openid.osgeo.org/crschmidt -- into a form like the login form at
SpatialReference.org[2], to indicate your identity.

In an effort to make it easier to use OSGeo identities in a
distributable way, it would be possible to set up a PHP Standalone
OpenID Server[3] to authenticate against LDAP. You can see what sort of
interface this provides at a sample server I've set up[4].
Login as crschmidt:test. You can test logging in at
http://spatialreference.org/openid/, using
'http://crschmidt.net/~crschmidt/PHP-server-1.1/src/?user=crschmidt' as
your login.

I started playing with this last night, on geodata.telascience.org
(which can talk to the LDAP server). I think I'm actually pretty close
to getting it working, but I don't have root on the box, and the PHP
settings are to hide all errors, so I'm having a lot of trouble
debugging it. :slight_smile:

Steps to getting this to work:
* Getting the error display for PHP turned on, so that the rest of the
   system can be debugged in its current state. This may involve needing
   root on some machine to install some packages -- I'm not sure yet.
   More importantly, a PHP directory I can write to on some server that
   can talk to LDAP is important.
* Once the system is up and running, styling the templates to look like
   the OSGeo homepage.
* Making profile editing links go directly to OSGeo pages, rather than
   having any internal profile information.
* Cleaning up URLs, so that '/crschmidt' is used instead of
   ?user=crschmidt
* Making the 'this is the profile page for' pages have relevant
   links:
   http://crschmidt.net/~crschmidt/PHP-server-1.1/src/?user=crschmidt

I think that once that is done, the server would need to be put
someplace it could be at openid.osgeo.org, and documenting that OSGeo
IDs are now OpenIDs.

I'm willing to do all the work here, so long as someone gives me the
information on where I need to be doing the work so that I don't screw
anything up. :slight_smile:

Looking forward to any thoughts.

[1] http://openid.net/
[2] http://spatialreference.org/openid/
[3] http://www.openidenabled.com/openid/php-standalone-openid-server/
[4] http://crschmidt.net/~crschmidt/PHP-server-1.1/src/
[5] http://geodata.telascience.org/geni/PHP-server-1.1/src/

Regards,
--
Christopher Schmidt
MetaCarta
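The two pieces of the plan that carry the security weight are the LDAP check itself (the part Chris says he wrote) and the mapping from a clean identity URL such as '/crschmidt' to an account name. The following is an added example, not code from this thread or from the PHP Standalone OpenID Server, of how a gateway can do both safely: the username is validated before it reaches the directory, the search filter is escaped, an empty password is refused (on many directories an empty password is an anonymous bind, which succeeds without checking anything), and the final decision is the user's own bind, so the server verifies the password rather than this code. The LDAP URI, base DN, `uid` attribute and the assumption that the directory allows an anonymous `uid` lookup are illustrative assumptions.

```php
<?php
// Added example (not part of the OSGeo thread or the PHP Standalone OpenID
// Server): checking an OpenID login against LDAP. Host, base DN and the
// attribute layout below are assumptions for illustration.

const LDAP_URI  = 'ldaps://ldap.example.org';     // assumed; TLS so the password is not sent in clear
const LDAP_BASE = 'ou=People,dc=example,dc=org';  // assumed

// Map the identity path of a cleaned-up URL (e.g. "/crschmidt", as produced
// by a rewrite rule instead of ?user=crschmidt) to a username. Anything that
// is not a plain account name is rejected before it can reach LDAP.
function usernameFromPath(string $path): ?string
{
    if (preg_match('#^/([a-z0-9][a-z0-9._-]{0,31})$#i', $path, $m)) {
        return $m[1];
    }
    return null;
}

// Return true only if the directory accepts a bind as the user's own DN
// with the supplied password.
function ldapAuthenticate(string $username, string $password): bool
{
    // An empty password would be an anonymous/unauthenticated bind on many
    // servers, which "succeeds" without proving identity: refuse it up front.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Look up the user's DN with an escaped filter, so a username such as
    // "*)(uid=*" cannot rewrite the search. Assumes anonymous search of uid
    // is permitted; otherwise bind with a read-only service account first.
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $search = ldap_search($conn, LDAP_BASE, $filter, ['dn']);
    if ($search === false) {
        ldap_unbind($conn);
        return false;
    }
    $entries = ldap_get_entries($conn, $search);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;   // unknown user, or an ambiguous match: fail closed
    }
    $dn = $entries[0]['dn'];

    // Bind as that DN: the directory checks the password, not this code.
    // ldap_bind() emits a warning on bad credentials; it is silenced here
    // because the boolean result is what matters.
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok === true;
}

// Example of how the OpenID server's login handler would use the two pieces.
function handleLogin(string $identityPath, string $password): bool
{
    $user = usernameFromPath($identityPath);
    if ($user === null) {
        return false;   // malformed identity URL, never consult LDAP
    }
    return ldapAuthenticate($user, $password);
}
```

With the URL cleanup done in `.htaccess` (a mod_rewrite rule that turns `/crschmidt` into the path handed to `usernameFromPath()`), the application never sees a raw `?user=` parameter, and the character check plus `ldap_escape()` means the only thing that reaches the directory is a well-formed `uid` filter.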

Christopher Schmidt wrote:

> In an effort to make it easier to use OSGeo identities in a
> distributable way, it would be possible to set up a PHP Standalone
> OpenID Server[3] to authenticate against LDAP.

...

> I started playing with this last night, on geodata.telascience.org
> (which can talk to the LDAP server). I think I'm actually pretty close
> to getting it working, but I don't have root on the box, and the PHP
> settings are to hide all errors, so I'm having a lot of trouble
> debugging it. :slight_smile:

Chris,

I think providing openid access to ldap authentication sounds like
a good idea if you can be fairly certain that it isn't going to
introduce security problems. That is, are you pretty confident of
the stability of the PHP code used to implement this gateway?

Did you do this work referencing ldap.osgeo.org or the ldap used for
the telascience blades? I didn't think that the telascience blades
currently had access to ldap.osgeo.org at all but I could be behind
the times.

If you are actually working against the wrong ldap now I'd suggest
we give you a test.osgeo.org account (the secondary machine with
the same hardware configuration as www.osgeo.org) and you set it
up there, taking careful note of what would need to be moved.

The test.osgeo.org machine has access to ldap.osgeo.org, and is
configured quite similarly to the main machine so it should be easy
to migrate stuff over. Once completed, and migrated the
openid.osgeo.org would resolve to the main machine ... the same
system that has the ldap on it.

> Steps to getting this to work:
> * Getting the error display for PHP turned on, so that the rest of the
>    system can be debugged in its current state. This may involve needing
>    root on some machine to install some packages -- I'm not sure yet.
>    More importantly, a PHP directory I can write to on some server that
>    can talk to LDAP is important.
> * Once the system is up and running, styling the templates to look like
>    the OSGeo homepage.

We aren't really too good at standardized look and feel, and I'd
suggest that doing this for the openid stuff could be pretty low
priority.

> * Making profile editing links go directly to OSGeo pages, rather than
>    having any internal profile information.

I gather you mean making use of forms like

   https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py

Is that right?

> * Cleaning up URLs, so that '/crschmidt' is used instead of
>    ?user=crschmidt

Is this within the PHP openid interface application?

> * Making the 'this is the profile page for' pages have relevant
>    links:
>    http://crschmidt.net/~crschmidt/PHP-server-1.1/src/?user=crschmidt

Are you suggesting that there should be an informational page
similar to ldap_edit_user.py? Or is this something you would
do within the openid php stuff?

> I'm willing to do all the work here, so long as someone gives me the
> information on where I need to be doing the work so that I don't screw
> anything up. :slight_smile:

I'm willing to help a bit.

Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org

On Mon, Jul 30, 2007 at 09:07:50AM -0400, Frank Warmerdam wrote:

> Christopher Schmidt wrote:
>> In an effort to make it easier to use OSGeo identities in a
>> distributable way, it would be possible to set up a PHP Standalone
>> OpenID Server[3] to authenticate against LDAP.
> ...
>> I started playing with this last night, on geodata.telascience.org
>> (which can talk to the LDAP server). I think I'm actually pretty close
>> to getting it working, but I don't have root on the box, and the PHP
>> settings are to hide all errors, so I'm having a lot of trouble
>> debugging it. :slight_smile:

> Chris,
>
> I think providing openid access to ldap authentication sounds like
> a good idea if you can be fairly certain that it isn't going to
> introduce security problems. That is, are you pretty confident of
> the stability of the PHP code used to implement this gateway?

Certainly, insofar as the interaction with LDAP is concerned. The rest
of the code I'm less explicitly familiar with -- I've written the LDAP
integration myself, whereas the rest of it is existing code. However,
I've read through enough of it to feel reasonably confident --
certainly, I've read more of the code, percentagewise, than Drupal :wink:

> Did you do this work referencing ldap.osgeo.org or the ldap used for
> the telascience blades? I didn't think that the telascience blades
> currently had access to ldap.osgeo.org at all but I could be behind
> the times.

The geodata.telascience one apparently does currently.

> The test.osgeo.org machine has access to ldap.osgeo.org, and is
> configured quite similarly to the main machine so it should be easy
> to migrate stuff over. Once completed, and migrated the
> openid.osgeo.org would resolve to the main machine ... the same
> system that has the ldap on it.

Is the existing test.osgeo.org server significantly different from
geodata.telascience.org? If so, is it likely to be in a way that
matters to me?

>> Steps to getting this to work:
>> * Getting the error display for PHP turned on, so that the rest of the
>>    system can be debugged in its current state. This may involve needing
>>    root on some machine to install some packages -- I'm not sure yet.
>>    More importantly, a PHP directory I can write to on some server that
>>    can talk to LDAP is important.
>> * Once the system is up and running, styling the templates to look like
>>    the OSGeo homepage.

> We aren't really too good at standardized look and feel, and I'd
> suggest that doing this for the openid stuff could be pretty low
> priority.

I understand that. I also think it's a flaw that I'd like to avoid with
the OpenID system :slight_smile:

>> * Making profile editing links go directly to OSGeo pages, rather than
>>    having any internal profile information.

> I gather you mean making use of forms like
>
>    https://www.osgeo.org/cgi-bin/auth/ldap_edit_user.py

Yep. Or possibly just pulling the link out altogether. It's not clear
yet how much of the profile information I'll be able to use --
certainly, no profile information is required at all for OpenID support,
but some sites do support automated filling in of profile information
based on an OpenID extension, so if I can figure out how to get it
loaded into the PHP OpenID framework, that would be great.

>> * Cleaning up URLs, so that '/crschmidt' is used instead of
>>    ?user=crschmidt

> Is this within the PHP openid interface application?

Yes, and/or the .htaccess controlling it.

>> * Making the 'this is the profile page for' pages have relevant
>>    links:
>>    http://crschmidt.net/~crschmidt/PHP-server-1.1/src/?user=crschmidt

> Are you suggesting that there should be an informational page
> similar to ldap_edit_user.py? Or is this something you would
> do within the openid php stuff?

This is, again, within the OpenID stuff: I just want the page
'http://openid.osgeo.org/crschmidt' to say something like:

"This is the OSGeo OpenID page for Christopher Schmidt. His OSGeo
account page is <a href="http://osgeo.org/user/31">available on the main
osgeo site</a>."

or something like that.

Thanks for the feedback!

Regards,
--
Christopher Schmidt
MetaCarta