[SAC] Wiki LDAP Migration

Hi,

One of the ongoing problems with SAC's administration of user accounts
is the duplication of accounts between the Wiki and the Drupal/LDAP
logins.

It is my understanding that the setup to fix this is largely done, but
this is blocking primarily on 'merging' the wiki accounts with the LDAP
accounts, primarily to maintain editor history and the like.

Due to the size of the work to merge these accounts, and the limited
amount of time/energy which is available for this, I'd like to propose
that -- assuming that my memory is correct, and LDAP migration is easy
other than this -- we migrate the wiki login system to be LDAP based.

Martin, I believe that the most recent effort in this regard was yours;
can you comment on the current state? Is my memory correct? Would you
be willing to help migrate this authentication mechanism?

Thanks,
--
Christopher Schmidt
MetaCarta

Christopher Schmidt wrote:

I'd like to propose that -- assuming that my memory is correct,
and LDAP migration is easy other than this -- we migrate
the wiki login system to be LDAP based.

Can this please be tied in to SSL logins for the wiki? Currently, the
wiki does not respond on 443.

Jason

On Mon, Mar 09, 2009 at 09:10:47AM -0700, Jason Birch wrote:

> Christopher Schmidt wrote:
>
> > I'd like to propose that -- assuming that my memory is correct,
> > and LDAP migration is easy other than this -- we migrate
> > the wiki login system to be LDAP based.
>
> Can this please be tied in to SSL logins for the wiki? Currently, the
> wiki does not respond on 443.

I don't believe that wiki.osgeo.org can be put under our standard SSL
certificate because it is hosted on osgeo2. If you wish to set up a
self-signed cert for this hostname, I can help you make that happen;
what access do you not have? You want to hop on IRC at some point and
walk me through the steps of what to do to set this up?

Regards,
--
Christopher Schmidt
MetaCarta

Hi folks, I'll jump into the discussion a bit later this day, I'm just
still a bit too busy.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

I believe that we have a multi server wildcard SSL certificate from
digicert; it should be possible to back up the cert from osgeo1 and
install it on osgeo2. Although I have absolutely no experience with SSL
on linux, these pages seem to offer some guidance on how to do this:

http://www.digicert.com/import-export-ssl-certificate.htm
http://www.digicert.com/ssl-support/apache-ssl-export.htm
http://www.digicert.com/ssl-certificate-installation-apache.htm

I really think that it would be unwise to allow LDAP authentication in
plain text. Instructions for requiring SSL for login only on Mediawiki
(similar to how we do it with Drupal) are available here:

http://www.mediawiki.org/wiki/Manual:Configuration_tips_and_tricks#HTTPS_on_Login_only

Jason

-----Original Message-----
From: Christopher Schmidt
Sent: March-09-09 10:12 AM
To: System Administration Committee Discussion/OSGeo
Subject: Re: [SAC] Wiki LDAP Migration

I don't believe that wiki.osgeo.org can be put under our standard SSL
certificate because it is hosted on osgeo2. If you wish to set up a
self-signed cert for this hostname, I can help you make that happen;
what access do you not have? You want to hop on IRC at some point and
walk me through the steps of what to do to set this up?

On Mon, Mar 09, 2009 at 11:47:26AM -0700, Jason Birch wrote:

> I believe that we have a multi server wildcard SSL certificate from
> digicert; it should be possible to back up the cert from osgeo1 and
> install it on osgeo2. Although I have absolutely no experience with SSL
> on linux, these pages seem to offer some guidance on how to do this:

My understanding is that this is not correct, but I also acknowledge
that I'm not knowledgeable enough to be the source of this.

> http://www.digicert.com/import-export-ssl-certificate.htm
> http://www.digicert.com/ssl-support/apache-ssl-export.htm
> http://www.digicert.com/ssl-certificate-installation-apache.htm
>
> I really think that it would be unwise to allow LDAP authentication in
> plain text. Instructions for requiring SSL for login only on Mediawiki
> (similar to how we do it with Drupal) are available here:

We allow LDAP auth over plain text in many different places throughout
our infrastructure. I have no intention of changing that. However, I
accept that people who value their usernames and passwords may care. As
such, I will accept that we should not switch the wiki until we set up
HTTPS.

However, I also realize that this is the same problem we've run into
every time we bring this up. Since I have no interest in doing this
work, I apologize for bringing it up again, and I withdraw the question
regarding moving the wiki over to LDAP logins.

-- Chris

> http://www.mediawiki.org/wiki/Manual:Configuration_tips_and_tricks#HTTPS_on_Login_only
>
> Jason
>
> -----Original Message-----
> From: Christopher Schmidt
> Sent: March-09-09 10:12 AM
> To: System Administration Committee Discussion/OSGeo
> Subject: Re: [SAC] Wiki LDAP Migration
>
> I don't believe that wiki.osgeo.org can be put under our standard SSL
> certificate because it is hosted on osgeo2. If you wish to set up a
> self-signed cert for this hostname, I can help you make that happen;
> what access do you not have? You want to hop on IRC at some point and
> walk me through the steps of what to do to set this up?
> _______________________________________________
> Sac mailing list
> Sac@lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/sac

--
Christopher Schmidt
MetaCarta

On Mon, Mar 09, 2009 at 11:47:26AM -0700, Jason Birch wrote:

I really think that it would be unwise to allow LDAP authentication in
plain text.

Indeed, by hooking the Wiki authentication onto LDAP we're actually
about exposing our one-fits-all OSGeo accounts to MediaWiki's
trustworthiness. Establishing SSL encryption in the authentication
handshake should probably be considered the first step _before_ we
hook all this onto the LDAP directory.
Nevertheless, it's certainly a good idea to add a hook to the LDAP
directory.

We currently have approx. 3k5 pages and 1183 users have done edits.
Every user is being identified by a nickname plus a numeric, this is
easily modifiable in the XML dump. I propose to start by translating
those existing Wiki users into LDAP users which had been supplying a
real name and thus allow easy identification of the respective
counterpart. Those users that remain unclear, which might result in a
pretty large share in the beginning, are going to have a new LDAP user
account added that serves for Wiki authentication only.

Over the time we might ask OSGeo and/or Wiki users to supply a real
name if they did not already do so and thus manage to merge more and
more users.

On Sun, Mar 08, 2009 at 09:48:42AM -0400, Christopher Schmidt wrote:

Martin, I believe that the most recent effort in this regard was yours;
can you comment on the current state? Is my memory correct? Would you
be willing to help migrate this authentication mechanism?

Definitely. I think I should set up another, mostly private Wiki just
for the purpose of checking how LDAP-authenticated users are going to
show up in the XML dump, thus to get some experience about how this
Wiki LDAP authentication had been designed.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
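An added illustration of the merge plan Martin describes above (matching wiki editors to LDAP accounts by real name, giving everyone else a wiki-only account, and rewriting usernames in the XML dump); this is example code, not anything from the OSGeo wiki or its LDAP setup, and all user data in it is constructed.

```python
"""Constructed walk-through of the wiki -> LDAP user merge plan (example only)."""
import re
from collections import defaultdict

# Constructed wiki users as they appear in an XML dump: nickname plus numeric id.
WIKI_USERS = [
    {"id": 12, "nick": "jbirch", "realname": "Jason Birch"},
    {"id": 57, "nick": "crschmidt", "realname": "Christopher Schmidt"},
    {"id": 98, "nick": "mapfan42", "realname": ""},            # no real name supplied
    {"id": 131, "nick": "jsmith", "realname": "John Smith"},   # ambiguous in LDAP below
]

# Constructed LDAP directory entries: uid -> cn (real name).
LDAP_USERS = {
    "jbirch": "Jason Birch",
    "cschmidt": "Christopher Schmidt",
    "jsmith1": "John Smith",
    "jsmith2": "John Smith",
}

def normalize(name):
    """Case- and whitespace-insensitive key for comparing real names."""
    return re.sub(r"\s+", " ", name.strip()).lower()

def plan_merge(wiki_users, ldap_users):
    """Return (matched, unclear). matched maps wiki id -> LDAP uid for editors with
    exactly one LDAP counterpart; unclear lists editors with no or several
    counterparts, each with the wiki-only uid proposed for their new account."""
    by_name = defaultdict(list)
    for uid, cn in ldap_users.items():
        by_name[normalize(cn)].append(uid)
    matched, unclear = {}, []
    for u in wiki_users:
        candidates = by_name.get(normalize(u["realname"]), []) if u["realname"] else []
        if len(candidates) == 1:   # unique counterpart: safe to merge history
            matched[u["id"]] = candidates[0]
        else:                      # none or several: never guess, keep separate
            unclear.append({"id": u["id"], "nick": u["nick"], "new_uid": f"wiki-{u['nick']}"})
    return matched, unclear

def rewrite_dump(dump_xml, wiki_users, matched):
    """Rewrite <username> elements of a MediaWiki XML dump so merged editors carry
    their LDAP uid; unmatched editors keep their wiki nickname untouched."""
    rename = {u["nick"]: matched[u["id"]] for u in wiki_users if u["id"] in matched}
    return re.sub(r"<username>([^<]+)</username>",
                  lambda m: f"<username>{rename.get(m.group(1), m.group(1))}</username>",
                  dump_xml)
```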