[SAC] Wiki, Membership app form & LDAP

Jorge,
this is the link to the current app:
https://www2.osgeo.org/cgi-bin/ldap_create_user.py
Please also join this mailing list.

Martin,
we did not actually get much done yet but Jorge is happy to help out
with the UI stuff and I was able to understand the reason for the
friction between you and Frank, it is simple: There is no reason, it is
just that Frank is concerned that the brittle things he implemented with
limited knowledge about LDAP break when they are extended. Or something
like that. :slight_smile:
Could you please repeat your suggestion how to deal with the existing
Wiki accounts, just so that Jorge understands it?

Next we should extend the existing application form (link at the top)
and point the Wiki login there. We might need to look into the LDAP
fields we have now and decide whether they need to be extended. We will
want to have all new users automatically subscribe to announce and maybe
also to discuss mailing lists - but to me this is already a nice to have.

If I got anything wrong please correct or ignore me.

Thanks & best regards,
Arnulf.

--
Exploring Space, Time and Mind
http://arnulf.us

Jorge,
this seems to be the update form:
https://www2.osgeo.org/cgi-bin/auth/ldap_edit_user.py

The corresponding Wiki page is here:
http://wiki.osgeo.org/wiki/SAC:LDAP

Cheers,
Arnulf

On Sat, Sep 17, 2011 at 05:02:32PM -0600, Seven (aka Arnulf) wrote:

Could you please repeat your suggestion how to deal with the existing
Wiki accounts, just so that Jorge understands it?

Will do - at one of the boring evenings in a hotel this week :wink:

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

On Sat, Sep 17, 2011 at 05:02:32PM -0600, Seven (aka Arnulf) wrote:

Could you please repeat your suggestion how to deal with the existing
Wiki accounts, just so that Jorge understands it?

I think we're having two options, one which is limited just to a
technical solution, another takes the 'social' implications into
account :slight_smile:
The goal is to map current Wiki users to the corresponding counterpart
in our LDAP directory. Thus we need to know about the proper username
pairings - for solving two issues, of which one may be considered as
being a minor one.
1.) I think it would be nice to map the authorship of Wiki edits to the
corresponding LDAP user accounts - nice, but probably not mandatory, as
the authorship is just sort of an 'attribute' to the Wiki edits.
2.) We should take care of assigning the existing Wiki user pages to
their respective owners after we've introduced LDAP authentication to
the Wiki. I consider this issue as being a serious one because it's
about real, precious content. According to the tests I did on a
separate Wiki instance, some of the user pages will just end up without
any owner. Some other user pages might get re-assigned to a different
author, because some people registered their first name on the Wiki
first, some other people registered the same first name for the LDAP
directory.

Anyhow, we need to find a solution about what to do wrt. the user
pages. Possible solutions could be:

a) Ping every Wiki user, ask them to back up their own user pages until
a date to be determined and purge every user page before we're
migrating the Wiki over to LDAP authentication. This leaves room for
every user to re-establish their user page if preferred.

b) Try to automate the mapping of user pages to the LDAP account names.
Ask every Wiki user to enter their LDAP account name into a custom
field at the Wiki login page, thus creating a list of Wiki-LDAP
username pairings. This would permit us (me) to replace every
occurrence of the respective account names in the current OSGeo
MediaWiki database.

c) Have an additional entry field not only at the current Wiki login
page but also at one of the OSGeo LDAP 'frontends', preferably at the
LDAP user profile edit page:

  https://www2.osgeo.org/cgi-bin/auth/ldap_edit_user.py

.... where users are asked to enter the corresponding Wiki account
name alongside with their LDAP account name. The purpose of asking the
users twice is to enable us (me) to do a consistency check, making sure
nobody assigns some obscure Wiki user page to serious LDAP user
accounts.

Note, we (I) do _not_ need to establish any additional LDAP attribute,
having a simple plain text list containing the respective account name
pairs is entirely sufficient: One for the Wiki, one for LDAP. Adding
another entry field for the mentioned Python script should be rather
easy, but I don't know how to properly add content to the Wiki login
page. I've tried adding some PHP code which looked reasonable to me,
but ended up in having really strange formatting.

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

Hi Martin,

Thanks for the clear explanation.

Maybe email addresses might match better than usernames. Can we use the email addresses in LDAP and in the Wiki to see how many we can match?

I won't be able to do it right now, but tomorrow I can try to see if the best match is between usernames or email addresses.

Meanwhile, I've started to use LDAP authentication in our local chapter's MediaWiki, and the LDAP extension works great. It can read LDAP and update LDAP. Users can change passwords, for example, in the regular wiki way, and passwords are updated on the LDAP.

On Drupal 7.x, only authentication (read) is working "out of the box", with the LDAP extension. The same with WordPress: authentication is working very well, but no LDAP updates "out of the box". Only MediaWiki is updating the LDAP.

Regards,

Jorge Gustavo

Hi Jorge,

On Wed, Sep 28, 2011 at 05:14:28PM +0100, Jorge Gustavo wrote:

Maybe email addresses might match better than usernames. Can we use
the email addresses in LDAP and in the Wiki to see how many we can
match?

Yes, that's an option I was planning to keep for another, independent
consistency check :wink:

I won't be able to do it right now, but tomorrow I can try to see
if the best match is between usernames or email addresses.

This comparison is quite simple. We're having:

3802 Unique EMail addresses in the Wiki, which pass a very simple
    consistency check (containing an "@" sign :slight_smile:
5266 Unique EMail addresses in LDAP
697 Matches between Wiki and LDAP EMail addresses

Meanwhile, I've started to use LDAP authentication in our local
chapter's mediawiki, and the LDAP extension works great. It can read
LDAP and update LDAP. Users can change passwords, for example, in
the regular wiki way, and passwords are updated on the LDAP.

Indeed, adding LDAP authentication to MediaWiki is no rocket science,
yet I doubt that I'd really trust MediaWiki to maintain a password for
me which is being used for such a broad range of services, including
sensitive ones :wink:

Maybe I'm just paranoid. Anyhow, for whichever web page is being used
for entering/changing not only OSGeo-LDAP but any password I'd
strongly recommend to secure the pages with SSL encryption (via the
SecurePages addon in MediaWiki for example). If you already did that,
consider my remark as a friendly reminder :wink:

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------

Jorge, can you help me get LDAP auth working in Drupal 7? I have an instance set up that I can't get working with OSGeo LDAP, so I'm glad to hear you've had some success. No rush, but ping me if you can.

Likewise, can someone help set up HTTPS in Apache on the web VM? I'm having a brainfreeze or a technical challenge somehow.

Tyler

_______________________________________________
Sac mailing list
Sac@lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/sac

On Wed, Sep 28, 2011 at 06:54:40PM +0200, Martin Spott wrote:

This comparison is quite simple. We're having:

3802 Unique EMail addresses in the Wiki, which pass a very simple
    consistency check (containing an "@" sign :slight_smile:
5266 Unique EMail addresses in LDAP
697 Matches between Wiki and LDAP EMail addresses

Ah, and, by the way, we're also having:

206 EMail addresses in the Wiki with more than one occurrence
208 EMail addresses in LDAP of which
57 have a matching counterpart in the Wiki

Cheers,
  Martin.
--
Unix _IS_ user friendly - it's just selective about who its friends are !
--------------------------------------------------------------------------
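
The e-mail comparison above and the two-form consistency check from option (c), sketched as an added example that is not part of the thread or of OSGeo's scripts. The account lists are constructed sample data; the function names and the case-insensitive username comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample exports as (account name, e-mail); not real OSGeo data.
WIKI = [("Martin", "martin@example.org"), ("Anna", "anna@example.org"),
        ("Jorge", " Jorge@Example.org"), ("Bot1", "shared@example.net"),
        ("Bot2", "shared@example.net"), ("Nomail", "not-an-address")]
LDAP = [("martin", "other.martin@example.com"), ("asmith", "anna@example.org"),
        ("jgustavo", "jorge@example.org"), ("shared1", "shared@example.net")]

def norm_email(addr):
    """Trim and lower-case; None unless it passes the simple '@' check."""
    addr = (addr or "").strip().lower()
    return addr if "@" in addr else None

def index_by_email(accounts):
    """Map normalised e-mail -> set of account names registered with it."""
    idx = defaultdict(set)
    for name, email in accounts:
        key = norm_email(email)
        if key:
            idx[key].add(name)
    return idx

def email_pairings(wiki, ldap):
    """Pair accounts by e-mail; an address used by more than one account on
    either side is reported as ambiguous instead of being paired."""
    w_idx, l_idx = index_by_email(wiki), index_by_email(ldap)
    safe, ambiguous = {}, {}
    for email in w_idx.keys() & l_idx.keys():
        if len(w_idx[email]) == 1 and len(l_idx[email]) == 1:
            safe[min(w_idx[email])] = min(l_idx[email])
        else:
            ambiguous[email] = (sorted(w_idx[email]), sorted(l_idx[email]))
    return safe, ambiguous

def name_collisions(wiki, ldap):
    """Wiki names equal to an LDAP uid (case-insensitive, an assumption)
    without a matching e-mail: the LDAP login would inherit that user page."""
    ldap_mail = {uid.casefold(): norm_email(mail) for uid, mail in ldap}
    hits = []
    for name, mail in wiki:
        key, wiki_mail = name.casefold(), norm_email(mail)
        if key in ldap_mail and (wiki_mail is None or wiki_mail != ldap_mail[key]):
            hits.append(name)
    return sorted(hits)

def confirmed_pairs(on_wiki_form, on_ldap_form):
    """Option (c): keep a (wiki, ldap) pair only if it was entered on both
    forms and neither account appears in another confirmed pair."""
    both = set(on_wiki_form) & set(on_ldap_form)
    wiki_seen, ldap_seen = defaultdict(int), defaultdict(int)
    for w_name, l_name in both:
        wiki_seen[w_name] += 1
        ldap_seen[l_name] += 1
    ok = {(w, l) for w, l in both if wiki_seen[w] == 1 and ldap_seen[l] == 1}
    rejected = (set(on_wiki_form) | set(on_ldap_form)) - ok
    return ok, rejected

if __name__ == "__main__":
    safe, ambiguous = email_pairings(WIKI, LDAP)
    print("paired by e-mail:", safe)
    print("needs manual review:", ambiguous)
    print("same name, different person:", name_collisions(WIKI, LDAP))
```

Pairs that survive `confirmed_pairs` can then be compared against the e-mail pairing as the independent check; anything in `ambiguous` or `name_collisions` goes to manual review before account names are rewritten in the MediaWiki database.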

On Wed, Sep 28, 2011 at 8:03 PM, Martin Spott <Martin.Spott@mgras.net> wrote:

On Wed, Sep 28, 2011 at 06:54:40PM +0200, Martin Spott wrote:

This comparison is quite simple. We're having:

3802 Unique EMail addresses in the Wiki, which pass a very simple
consistency check (containing an "@" sign :slight_smile:
5266 Unique EMail addresses in LDAP
697 Matches between Wiki and LDAP EMail addresses

Unfortunately the wiki is bombed:

http://wiki.osgeo.org/wiki/Special:Log/newusers

Markus

On 01/01/2012 05:29 PM, Markus Neteler wrote:

Unfortunately the wiki is bombed:

http://wiki.osgeo.org/wiki/Special:Log/newusers

Markus

Markus,
thanks for your untiring effort fighting the spammers.

What holds us off from switching to LDAP with the Wiki? From my
perspective it would be good to just go this step asap, even if we have
not addressed all the goodies we were envisaging for the membership
form. In view of the growing pressure from spammers it would be really
good to move.

Plus we should update the MediaWiki instance, it is still running
1.16.5. The 1.18 version is stable for quite some time now.

(((Note: When saying "us" I actually mean "someone not me". I know this
is not good style but my connectivity prevents me from doing any serious
remote stuff.)))

Cheers,
Arnulf

--
Exploring Space, Time and Mind
http://arnulf.us

On Mon, Jan 2, 2012 at 1:28 AM, Seven (aka Arnulf) <seven@arnulf.us> wrote:

Markus,
thanks for your untiring effort fighting the spammers.

Right now (29 May 2012, 15:19 UTC) I have added a new editing
captcha (ConfirmEdit) to the wiki. Let's see if that helps to reduce
the number of junk pages (it will not address the registration of bots,
however...).

So, please monitor:
http://wiki.osgeo.org/wiki/Special:RecentChanges

Cheers
Markus

On Tue, May 29, 2012 at 5:29 PM, Markus Neteler <neteler@osgeo.org> wrote:
...

Right now (29 May 2012, 15:19 UTC) I have added a new editing
captcha (ConfirmEdit) to the wiki. Let's see if that helps to reduce
the number of junk pages (it will not address the registration of bots,
however...).

So, please monitor:
http://wiki.osgeo.org/wiki/Special:RecentChanges

Much better! Almost no more junk pages over the past 24 hs
while spambot registration went on...

To combat that, I have activated this technique:
http://www.mediawiki.org/wiki/Anti-spam_features#Blocking_spammer_IPs

I opened a new account "testjunk" and it went through coming from
a "good" IP. Let's monitor if most spambots remain out now...

Greetings from a shaky Northern Italy,
Markus

PS: Sure, we should have done this a year ago...
however, to drop all users without a single edit and/or to drop users
based on "well known" IP blocks will be easy to wipe out spambots
from the user list. Something for the migration.