[SAC] OSGeo Userid's


For Trac we use OSGeo LDAP userids for authentication. Until now, how to get
such a userid, or even that they existed, has been somewhat mysterious.
Something that wasn't much documented, partly because we weren't happy with our
management tools.

The GDAL Trac requires users to be authenticated before they can submit a bug
report. For this reason, I feel I have had to "come out of the closet" about
OSGeo userid to some degree, and the http://trac.osgeo.org/gdal wiki page talks
about how to get one using my python userid creation form.

But given that our userid management technology is likely to change quite a bit
over time it seems crazy to embed details about how it works in many places.
For that reason, I have created what I would like to be an authoritative
web page describing how OSGeo Userids work.


It is my wish that all project and other web pages talking about OSGeo userids
could refer to this page which will get updated as things change. So far I
have created an authentication error document setting for trac.osgeo.org that
points to:


which points to the new osgeo_userid page. My hope is that other wikis,
and service error documents can do similarly.

Are there any objections to this approach? Would anyone like to improve the
osgeo_userid page?


Leading on from this, we clearly need improved services for managing OSGeo
userids and LDAP groups. There is a mechanism for having Drupal have
update support for OSGeo userids. The downside is that the LDAP master
password needs to be embedded in Drupal's configuration, and I for one am
concerned that it will be accessible to any Drupal content creators, which
is a substantial and rapidly growing group. Given that the LDAP server
is our central security lynchpin, I think that would be unwise.

If we can't be assured of doing it securely within Drupal I am willing to
prepare simple Python backed forms to do the following operations:

  o Allow a user to edit the details of their own userid, including changing
    the password.
  o Allow a user who has forgotten their password to request a password
    reset, with the updated auto-generated password being sent to them by email.
  o Allow anyone within a "group" (this is mainly aimed at groups used for
    Subversion committer access) to add someone new to the group or remove
    someone. This would allow projects to add committers without SAC
  o Allow listing all the userids in a group.

These services would be implemented as simple form-based CGI scripts in
Python. They would need to include the manager password, but they should
only be readable to those with direct access to the www.osgeo.org server,
which is a fairly restricted group. For reasons why the manager password
would be required, see:


I am raising this suggestion for discussion now. If folks are supportive,
I will raise a motion to SAC to proceed.

Best regards,
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam@pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org
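The two controls the mail turns on, keeping the manager password off limits to anyone but the server-access group and letting only existing group members change a group, can be modelled without touching LDAP. The following is an added example, not code from the thread or from OSGeo's scripts; it stands in a Python dict for the LDAP groups, uses a constructed credential file, and the "never empty a group" guard is an assumption of mine, not something the mail proposes.

```python
import os
import stat
import tempfile

# Constructed stand-in for the LDAP directory: group name -> member userids.
SAMPLE_GROUPS = {
    "gdal-committers": {"warmerdam", "alice"},
    "mapserver-committers": {"bob"},
}


def load_manager_password(path):
    """Read the LDAP manager password from a file owned by the web-server user.
    Refuse to use it if group or world permission bits are set, since that is
    the exposure the mail worries about with Drupal's configuration."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by others (mode {oct(mode)})")
    with open(path) as fh:
        return fh.read().strip()


def modify_group(groups, requester, group, action, target):
    """Add or remove 'target' only when 'requester' is already in the group.
    Returns the sorted member list after the change."""
    if group not in groups:
        raise KeyError(f"unknown group {group}")
    members = groups[group]
    if requester not in members:
        raise PermissionError(f"{requester} is not a member of {group}")
    if action == "add":
        members.add(target)
    elif action == "remove":
        if members == {target}:  # assumed safeguard: no lockout of a group
            raise ValueError(f"refusing to remove the last member of {group}")
        members.discard(target)
    else:
        raise ValueError(f"unsupported action {action}")
    return sorted(members)


def write_secret_file(directory, name, secret, mode):
    """Write a constructed credential file with explicit permission bits."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(secret + "\n")
    os.chmod(path, mode)
    return path


def demo():
    """Exercise both checks on constructed data; returns the observed results."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_secret_file(tmp, "ldap-manager.pw", "constructed-secret", 0o600)
        leaky = write_secret_file(tmp, "leaky.pw", "constructed-secret", 0o644)
        password = load_manager_password(good)
        try:
            load_manager_password(leaky)
            leaky_rejected = False
        except PermissionError:
            leaky_rejected = True
    groups = {name: set(members) for name, members in SAMPLE_GROUPS.items()}
    after_add = modify_group(groups, "warmerdam", "gdal-committers", "add", "carol")
    return password, leaky_rejected, after_add
```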