On 08/26/2013 11:17 PM, Olemis Lang wrote:
> On 8/26/13, Dave Brondsema <d...@brondsema.net> wrote:
>> On 8/26/13 1:45 PM, Olemis Lang wrote:
>>> On 8/26/13, Rich Bowen <rbo...@rcbowen.com> wrote:
>>>> On 08/26/2013 01:04 PM, Rich Bowen wrote:
> [...]
>>>> Is there an LDAP <-> OpenID thing anywhere that would let us use LDAP
>>>> directly as an auth source?
>>>>
>>>
>>> Generally speaking ? gracie
> [...]
>>
>> Good ideas. I don't see an openid provider listed at
>> http://www.apache.org/dev/services.html but maybe there is one out there, if we
>> ask infra.
>>
>
> If you find one, please share it on the list for awareness.

I have asked, and there is not one. There is some good discussion going on, on the infrastructure@ list. Unfortunately that's not a public list, so I can't point you to the archive or repeat it verbatim here. (Apparently infrastructure-dev@ is public and archived, and better suited for such discussions - now I know). Committers can subscribe to the list now if they want to see any further comments. Sorry I didn't mention it here earlier.

Some ideas from the thread so far: access to plaintext passwords to pass to LDAP isn't safe. Delegating via OpenID, OAuth, etc. is a lot of work to set up, and hard to secure. Perhaps an HTTP LDAP-auth proxy that Infra runs could go in front of Allura. Dual logins (i.e. both ASF LDAP & ad hoc random users creating accounts on just Allura) could work if usernames are separated somehow. For example, by a prefix (e.g. asf-) or special invalid char (e.g. trailing _ on non-asf usernames) and enforced by custom auth providers. It's looking promising :)

>
>> We do have a direct LDAP auth provider in Allura. But I'm not sure if we can
>> make it work side-by-side with regular usernames.
>
> AFAICT, OpenId will support using both apache.org as well as external
> IDs to log in to the site ... something I consider important once
> users will be creating tickets against the Allura instance at
> apache.org
>
> However I am not sure of whether that really matters at all.
>
> [...]
>

--
Dave Brondsema : d...@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
<><
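
The username-separation idea from the message above (a reserved `asf-` prefix enforced at the auth-provider boundary), sketched as an added example that is not part of the original e-mail and is not Allura's code. The function names, the local-name policy and the provider mapping are assumptions made for illustration.

```python
import re
import unicodedata

ASF_PREFIX = "asf-"  # prefix suggested in the thread; treating it as case-insensitive is an assumption
_LOCAL_RE = re.compile(r"[a-z0-9][a-z0-9-]{2,31}")  # hypothetical policy for local usernames


class UsernameError(ValueError):
    """Raised when a name may not be registered as a local account."""


def canonical(username):
    """Fold case and Unicode compatibility forms so look-alike names compare equal."""
    return unicodedata.normalize("NFKC", username).strip().casefold()


def namespace(username):
    """Return 'asf' for names in the reserved LDAP namespace, otherwise 'local'."""
    return "asf" if canonical(username).startswith(ASF_PREFIX) else "local"


def validate_local_registration(username, taken):
    """Return the canonical name to store for a new local account, or raise."""
    name = canonical(username)
    if name.startswith(ASF_PREFIX):
        # A self-registered account must never land in the LDAP-backed namespace.
        raise UsernameError("reserved for ASF LDAP accounts")
    if not _LOCAL_RE.fullmatch(name):
        raise UsernameError("not a valid local username")
    if name in taken:
        raise UsernameError("already registered")
    return name


def pick_provider(username, providers):
    """Select the one authoritative provider for a name; there is no fallback to the other."""
    return providers[namespace(username)]
```

Checking the namespace on the canonical form, both at registration and at login, is what keeps a name such as `ASF-dave` or a fullwidth look-alike from being claimed as a local account.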