[SAC] [OSGeo] #2048: [wordpress] Install OpenID plugin

#2048: [wordpress] Install OpenID plugin
---------------------+----------------------
Reporter: strk | Owner: robe
     Type: task | Status: assigned
Priority: normal | Milestone:
Component: WebSite | Keywords:
---------------------+----------------------
See https://wordpress.org/plugins/openid/

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.

#2048: [wordpress] Install OpenID plugin

Comment (by robe):

Why do we need this? Aren't we going to have everyone go through LDAP except
possibly local admins?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:1>

#2048: [wordpress] Install OpenID plugin

Comment (by strk):

My idea about this is that we won't allow registering as new users
but only associating an OpenID URL to the existing account, as an
additional authentication mechanism.

Also the plugin runs a *provider*, meaning you would be able to
connect to other OpenID accepting services with that OSGeo URL.

Both points are probably useless at the moment, so consider this
mostly an experiment/test/idea (not a need).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:2>

#2048: [wordpress] Install OpenID plugin

Comment (by robe):

strk, I made you a WordPress admin, so feel free to install.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:3>

#2048: [wordpress] Install OpenID plugin

Comment (by strk):

I've installed the plugin but it fails by getting a "Forbidden 403 - You
don't have permission to access /wp-login.php on this server." error.

I'm running that plugin in the same version on the same version of
WordPress and it works fine, so it must be a configuration issue or an
interaction with another plugin (security plugin, maybe?).

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:4>

#2048: [wordpress] Install OpenID plugin

Comment (by robe):

Perhaps it's interfering with the LDAP WPAuthDir plugin. I suspect each
user can only be authenticated by one plugin.

Is your email etc. the same in OpenID as it is in LDAP?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:5>

#2048: [wordpress] Install OpenID plugin

Comment (by robe):

I was able to still log in, but I did see the option to log in via OpenID
now, so I guess the plugin is installed.

Probably to really test, we'd need to test with an OpenID account that
doesn't have the same login or email as one in the system. Probably what happens
is much like when I set up LDAP: it will auto-create the account and flag
it to use that authentication thenceforward.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:6>

#2048: [wordpress] Install OpenID plugin

Comment (by strk):

I tried with a non-recognized OpenID and while the error page
was ugly (just a Forbidden) I could read in the URL parameters
a nice error message (something like: "creating new accounts
via openid is not allowed").

What does the wp-auth plugin do?
Is it the one we use for LDAP?

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:7>

#2048: [wordpress] Install OpenID plugin

Comment (by robe):

It auto-creates accounts on login if they don't exist. We are using this
plugin: https://wordpress.org/plugins/wpdirauth/

There was a checkbox for that option though, and I think it was turned off
by default. I had to explicitly check it. I confirmed it did create my
new account by renaming my old one first and changing the email on it so
it wouldn't clash.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:8>

#2048: [wordpress] Install OpenID plugin

Comment (by strk):

What created your account? OpenID or wp-auth?
What we want is:
  - Users can only log in as long as an LDAP entry exists
  - OpenID can be accepted IFF the user logged in once
    via LDAP and specified an OpenID URI.

Now I see this leaves open the possibility for an attacker
to obtain an LDAP account, register an OpenID URI and
survive removal of the account from LDAP, so I guess the
OpenID login we don't really want to enable.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:9>

#2048: [wordpress] Install OpenID plugin

Comment (by robe):

WP-Auth created it. Didn't try OpenID at all.

The way it works:

1) Registration is closed, so from thenceforward there will be no local
accounts except for local admins (I created a local reginaadmin just in
case).

2) LDAP login will create the account on first login (assuming an existing
account is not in place with the same user id or email)

and will only authenticate LDAP-flagged accounts via LDAP (unless the LDAP
server is down); then I think it downgrades to local. Though I haven't
tested that.

I still have yet to convert the remaining local accounts to LDAP. Should
have that done in a day or so.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:10>
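The policy discussed in comment:9 (OpenID only as a second factor attached to a directory-backed account, and the attacker who registers an OpenID URI and outlives their LDAP deletion) and the wpdirauth flow described in comment:10 (closed registration, auto-create on first LDAP login unless the login or email clashes, LDAP-flagged accounts only authenticated against LDAP) can be modelled in a few dozen lines. The block below is an added toy model written for this page; it is not wpdirauth's or the OpenID plugin's code. The `Directory` class stands in for the LDAP server, `Site` for the WordPress user table, and every login, email, password and URL is made up. The naive OpenID path lets the removed account keep logging in; the hardened path re-checks the directory at OpenID login time, and an LDAP outage refuses directory users rather than quietly falling back to a local password.

```python
# Toy model of the login policy discussed in this ticket. Constructed
# illustration, not wpdirauth's or the OpenID plugin's code: Directory stands
# in for the LDAP server, Site for WordPress, and all names/passwords are made up.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def pw_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()  # stand-in, not a real KDF


@dataclass
class WPUser:
    login: str
    email: str
    ldap_flagged: bool                    # managed by the directory (wpdirauth-style)
    local_hash: Optional[str] = None      # only local admins keep a local password
    openid_urls: Set[str] = field(default_factory=set)


class Directory:
    """Stand-in LDAP server: uid -> {"hash", "mail"}, plus an availability switch."""
    def __init__(self, entries: Dict[str, Dict[str, str]]):
        self.entries = dict(entries)
        self.available = True

    def bind(self, uid: str, pw: str) -> bool:
        if not self.available:
            raise ConnectionError("LDAP server down")
        e = self.entries.get(uid)
        return e is not None and hmac.compare_digest(e["hash"], pw_hash(pw))


class Site:
    def __init__(self, directory: Directory, fallback_to_local: bool = False):
        self.dir = directory
        self.users: Dict[str, WPUser] = {}
        self.fallback_to_local = fallback_to_local  # the untested "downgrade" case

    def add_local_admin(self, login: str, email: str, pw: str) -> None:
        self.users[login] = WPUser(login, email, False, pw_hash(pw))

    def login_password(self, login: str, pw: str) -> str:
        """Returns 'ok', 'denied' or 'ldap-unavailable'."""
        user = self.users.get(login)
        if user is not None and not user.ldap_flagged:   # local admin account
            return "ok" if hmac.compare_digest(user.local_hash, pw_hash(pw)) else "denied"
        try:
            if not self.dir.bind(login, pw):
                return "denied"
        except ConnectionError:
            if user is not None and self.fallback_to_local and user.local_hash:
                return "ok" if hmac.compare_digest(user.local_hash, pw_hash(pw)) else "denied"
            return "ldap-unavailable"
        if user is None:
            # First LDAP login auto-creates the account unless the e-mail clashes.
            email = self.dir.entries[login]["mail"]
            if any(u.email == email for u in self.users.values()):
                return "denied"
            self.users[login] = WPUser(login, email, True)
        return "ok"

    def associate_openid(self, login: str, url: str) -> bool:
        """Only an existing directory-backed account may attach an OpenID URL."""
        user = self.users.get(login)
        if user is None or not user.ldap_flagged:
            return False
        user.openid_urls.add(url)
        return True

    def login_openid(self, url: str, recheck_ldap: bool = True) -> str:
        user = next((u for u in self.users.values() if url in u.openid_urls), None)
        if user is None:
            return "denied"                    # no new accounts via OpenID
        if recheck_ldap and user.login not in self.dir.entries:
            return "denied"                    # removal from LDAP revokes OpenID too
        return "ok"


def demo() -> Dict[str, object]:
    d = Directory({"alice": {"hash": pw_hash("s3cret"), "mail": "alice@example.org"},
                   "mallory": {"hash": pw_hash("evil"), "mail": "mallory@example.org"}})
    site = Site(d)
    site.add_local_admin("reginaadmin", "admin@example.org", "local-pw")
    out: Dict[str, object] = {}
    out["first_ldap_login"] = site.login_password("alice", "s3cret")    # auto-created
    out["alice_flagged"] = site.users["alice"].ldap_flagged
    out["wrong_password"] = site.login_password("alice", "nope")
    out["local_admin"] = site.login_password("reginaadmin", "local-pw")
    # comment:9 attack: get an LDAP account, attach an OpenID URL, lose the LDAP
    # entry. A naive OpenID login survives the removal; a re-check does not.
    site.login_password("mallory", "evil")
    site.associate_openid("mallory", "https://mallory.example/id")
    del d.entries["mallory"]
    out["openid_naive"] = site.login_openid("https://mallory.example/id", recheck_ldap=False)
    out["openid_hardened"] = site.login_openid("https://mallory.example/id")
    out["password_after_removal"] = site.login_password("mallory", "evil")
    # Directory outage: directory users are refused, not downgraded; admins unaffected.
    d.available = False
    out["ldap_down_user"] = site.login_password("alice", "s3cret")
    out["ldap_down_admin"] = site.login_password("reginaadmin", "local-pw")
    return out
```

Running `demo()` shows the two decisions that matter: `openid_naive` comes back `ok` after the LDAP entry is gone, `openid_hardened` comes back `denied`, and with the directory down `alice` gets `ldap-unavailable` while the local `reginaadmin` still signs in. The `fallback_to_local` switch is left off by default; it models the "downgrades to local" behaviour the comment says was never tested, and turning it on would reintroduce a password path that the directory no longer controls.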

#2048: [wordpress] Install OpenID plugin
---------------------+----------------------
Reporter: strk | Owner: robe
     Type: task | Status: closed
Priority: normal | Milestone:
Component: WebSite | Resolution: wontfix
Keywords: |
---------------------+----------------------
Changes (by robe):

* status: assigned => closed
* resolution: => wontfix

Comment:

I think we said we aren't going to bother with this so closing it out.

--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2048#comment:11>