On Fri, Nov 02, 2007 at 03:52:47PM +0100, Martin Spott wrote:
> Hi Christopher,
> On Thu, Nov 01, 2007 at 08:22:49PM -0400, Christopher Schmidt wrote:
> > On Fri, Nov 02, 2007 at 01:01:00AM +0100, Martin Spott wrote:
> > > I certainly don't want to sound harsh. Yet I'd like to pronounce my
> > > concern which regards running a 'critical' authentication service on a
> > > machine that probably only very few SAC members have admin access to,
> > > that runs on a single disk with no backup and that offers a login page
> > > to transfer unencrypted passwords.
> >
> > The service should be trivial to set up on any machine that has PHP +
> > LDAP Auth, plus MySQL installed. The code is tarballed and backed up, as
> > described on http://wiki.osgeo.org/index.php/OpenID/SAC .
> Several questions come to my mind - mostly resulting from the
> impression that this/your OpenID server resembles sort of a black box,
> at least to me .... I have to admit that I did _not_ take the time (I
> simply can't afford the time) to read all the PHP sources from the
> backup. Maybe you could help me to get some things clear:
> 1.) Where is this MySQL dump ?
Inside the tarball, called 'mysqldump'.
> 2.) Why do we need a database for running the OpenID service !? Without
> having major insight into this server it tastes a bit like
> duplicating authorization data.
The authorization data is not stored. Instead:
* Temporary data for 'nonces' is stored, as the user moves through the
auth process.
* Data about which sites to 'trust' is stored, so that when I login
to a site which I have said "Trust always" to, I don't have to agree
to trust them again.
> 3.) Do you run SSL encryption on the LDAP connection when you're
> verifying users against our user directory ?
Yes.
> 4.) Would you consider allowing HTTP SSL encryption for your OpenID
> login page ?
Sure! I have no problem with it, but we don't have an SSL cert for that
server, and I have absolutely *no* knowledge about (successfully)
configuring SSL certification for a website.
> > Note that no/few other OSGeo login services use SSL -- trac, the main
> > homepage, etc.
> I know, this is still the case, but such a deficiency doesn't really make
> things better and personally I'm not very much inclined to count this
> as a "very good excuse" (TM ;-)
I don't either, but I don't consider it a blocker in releasing the
OpenID service either.
> > Okay. Note that nothing has really changed in this regard:
> > openid.osgeo.org has been up and running since the end of July. It's not
> > a new service, I just actually got reminded I had set it up.
> Ah, ok. Yet I'd say things should get straightened out before we start
> considering the use of this OpenID service for 'critical' operations.
> Personally I'd still prefer doing direct LDAP authentication at least
> for OSGeo's _own_ services - and be it simply because I don't have any
> experience where to start debugging when OpenID authentication fails.
Sure. I understand and agree: My OpenID suggestion was under the
impression that LDAP auth was hard for technical reasons. Since it's
not, OpenID is only designed for interaction with *remote* sites --
like, for example, the MapBuilder Wiki, or MapServer Plone site, which
don't have access or technical capabilities to allow LDAP logins based
on the OSGeo LDAP directory.
Regards,
--
Christopher Schmidt
MetaCarta
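As an added illustration of the two kinds of data the reply above says the database holds (example code written for this page, not the OSGeo OpenID server's PHP): a nonce store that rejects replayed or stale nonces within a freshness window, and a per-user "Trust always" record keyed by site. The nonce layout follows OpenID 2.0's response_nonce (UTC timestamp plus a unique suffix); the server URL, user and realm values are constructed.

```python
"""Minimal OpenID-style store: temporary nonces plus 'Trust always' decisions (added example)."""
import re
import time
from datetime import datetime, timezone

# OpenID 2.0 response_nonce: "YYYY-MM-DDThh:mm:ssZ" followed by unique ASCII characters
NONCE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)([\x21-\x7e]*)$")
SKEW = 300            # seconds of clock skew tolerated between issuer and verifier
NONCE_TTL = 2 * SKEW  # a nonce is remembered until it could no longer pass the skew check


def parse_nonce(nonce):
    """Split a response_nonce into (unix timestamp, unique suffix); None if malformed."""
    m = NONCE_RE.match(nonce)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m.group(2)


class OpenIDStore:
    def __init__(self):
        self._nonces = {}  # (server_url, timestamp string, suffix) -> expiry time
        self._trust = {}   # (user, realm) -> True once the user chose "Trust always"

    def use_nonce(self, server_url, nonce, now=None):
        """True if the nonce is well-formed, fresh and unseen; it is then recorded so a replay fails."""
        now = time.time() if now is None else now
        parsed = parse_nonce(nonce)
        if parsed is None:
            return False
        ts, suffix = parsed
        if abs(now - ts) > SKEW:       # too old or from the future: stale
            return False
        self.cleanup(now)
        key = (server_url, nonce[:20], suffix)
        if key in self._nonces:        # already used: replay
            return False
        self._nonces[key] = ts + NONCE_TTL
        return True

    def cleanup(self, now=None):
        """Drop nonces that can no longer be replayed; returns how many were removed."""
        now = time.time() if now is None else now
        expired = [k for k, exp in self._nonces.items() if exp < now]
        for k in expired:
            del self._nonces[k]
        return len(expired)

    def trust_always(self, user, realm):
        self._trust[(user, realm)] = True

    def is_trusted(self, user, realm):
        return self._trust.get((user, realm), False)
```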