Re: [libreoffice-website] TDF Accounts

2014-08-11 Thread Philipp Kaluza
Hi Robinson, Jean, Alexander, and everybody else interested in SSO,

On 24.07.2014 at 16:41, Robinson Tryon wrote:
> On Thu, Jul 24, 2014 at 6:10 AM, Alexander Werner
> a...@documentfoundation.org wrote:
>> that's great to hear that you are interested in working on this! I have CC’ed
>> Philipp, who already offered to set up an LDAP server for us. You two might
>> want to get in touch to talk about the details of SSO and OpenID and if it
>> makes sense to deploy not only SSO via LDAP but also run an OpenID server.
> Woot! This sounds great!
>
> OpenID and LDAP both would be worthy of our investigations. I've
> opened a few todo bugs about moving towards SSO[1], but haven't had
> time to move forward, so it's nice to hear that others are making
> strides!

On 21.07.2014 at 20:46, Jean Spiteri wrote:
> I am writing this post to inform the community I am interested in taking over
> a number of Redmine issues which relate to a uniting of the present
> different user systems used by each TDF service. I did some research and
> came up with a solution to either use a Single Sign-on system (SSO) or use
> OpenID to handle the different accounts [...]

OK, so everybody feels that reducing the amount of identity databases is
worthwhile, so how do we go about it?

I'd hate to have a huge discussion about the pros and cons of each
here; I think we'll need to decide based on available volunteer experience.
Could everybody who has set up and run in production one of the below
please write a short paragraph about the thing they are familiar with,
and their experiences ?

--- snip ---
Quick Terminology recap:
LDAP: lightweight directory access protocol, stores user credentials and
can be used as SSSO
OpenID: solution for authentication delegation, web-based SSO, RADIUS /
SASL for web sites
OAuth: similar thing for web services, out of scope here (related to
OpenID Connect)
SSO: single sign-on, log in once and use multiple services
SSSO: single source of sign-on, use the same credentials for multiple
services
--- snap ---

My background here is mostly with LDAP (in the context of a directory,
and as SSSO), with a little bit of Kerberos thrown in (which can be used
to make the whole thing SSO, but that doesn't work well in the web
beyond intranets).

Most of my experience is in running an OpenLDAP server, though I'm
willing to investigate 389DS for DocFound, if we feel a more modern
self-service web interface is needed. (Does anybody have experience
running Gosa² or similar ?)

Connecting services to the directory is a pain in each individual
instance, so I'd like to see a list of services that actually should use
this shared user database.
I'll start:
  - libo machines' admin users
  - redmine [2]
(shouldn't be much harder than trac, which I've done)

The report in [2] also talks about bugzilla, which I think will be a
major pain in either case, so I'm not listing it here as realistic.

[2] https://redmine.documentfoundation.org/issues/308

On the topic of SSO via OpenID, I'd like to point to a similar
discussion happening in Gnome currently. [3] [4]

[3] https://www.dragonsreach.it/2014/08/05/back-from-guadec-2014/
[4] http://patrick.uiterwijk.org/2014/07/28/gnome-authentication/
[5] https://id.gnome.org/

If we go for web-based SSO, I like the interface that canonical is
running (login.ubuntu.com / login.launchpad.net) - two separate login
pages using the same credentials database, which is a horrible hack for
legacy reasons. But the interface seems well-integrated, and I can ask
my browser to keep cookies from a single site.

On the backend side: most of these "let's deploy a web-SSO" solutions
run on a relational database in the backend, which I'm not too keen on
for security reasons. The admins would need to make sure there's a
dedicated, well-secured database server. If anybody knows one that can
use LDAP as a credentials store, please point it out.


still quoting Jean:
> with the ultimate aim to reduce the
> burden which comes from having an additional user account (needing to
> remember credentials, etc.).
I'd explicitly name reducing administrator / moderator burden as well.
If this creates more work, we'll not establish a solution that will be
maintained and used long-term.

Cheers
  Philipp

-- 
Philipp Kaluza
Ghostroute IT Consulting


-- 
To unsubscribe e-mail to: website+unsubscr...@global.libreoffice.org
Problems? http://www.libreoffice.org/get-help/mailing-lists/how-to-unsubscribe/
Posting guidelines + more: http://wiki.documentfoundation.org/Netiquette
List archive: http://listarchives.libreoffice.org/global/website/
All messages sent to this list will be publicly archived and cannot be deleted


Re: [libreoffice-website] TDF Accounts

2014-08-11 Thread Florian Effenberger

Hi,

just very quickly jumping in here, I sadly lack time for details right 
now (but your work on that is a lot appreciated!):



> Mailing list subscriptions/prefs??  (right now there's no
> user-interface GUI at all)


We run mlmmj, I doubt there is any support for SSO. A web interface 
would need to be programmed, unfortunately. There is a very basic one, 
but I didn't touch it for a long time.



> * the OTRS page (which will be replaced?)


Yep, will vanish soon. :)

Florian



Re: [libreoffice-website] TDF Accounts

2014-08-10 Thread Robinson Tryon
On Sun, Aug 10, 2014 at 12:41 PM, Philipp Kaluza fl...@ghostroute.eu wrote:
> Hi Robinson, Jean, Alexander, and everybody else interested in SSO,

:-)

> I'd hate to have a huge discussion about the pros and cons of each
> here; I think we'll need to decide based on available volunteer experience.

Available experience is helpful, but I think we shouldn't dismiss
something new if we think that it's the best path forward.

> Connecting services to the directory is a pain in each individual
> instance, so I'd like to see a list of services that actually should use
> this shared user database.
> I'll start:
>   - libo machines' admin users
>   - redmine [2]
> (shouldn't be much harder than trac, which I've done)

AskLibreOffice, Gerrit, and Redmine all use/support OpenID right now.

Additional services that should/could use shared user database:
MozTrap
Silverstripe (?)
Conference site
Conference registration (if separate)
ownCloud
TDF Wiki
Mailing list subscriptions/prefs??  (right now there's no
user-interface GUI at all)


> The report in [2] also talks about bugzilla, which I think will be a
> major pain in either case, so I'm not listing it here as realistic.
>
> [2] https://redmine.documentfoundation.org/issues/308

Bugzilla would be a huge win for us, especially as it's one of our
primary mechanisms for interaction w/users. It would also allow us to
do some nifty things between Bugzilla/AskLibreOffice in the future.

> On the topic of SSO via OpenID, I'd like to point to a similar
> discussion happening in Gnome currently. [3] [4]
>
> [3] https://www.dragonsreach.it/2014/08/05/back-from-guadec-2014/
> [4] http://patrick.uiterwijk.org/2014/07/28/gnome-authentication/
> [5] https://id.gnome.org/

Wow!  That's sounding pretty awesome, especially the integration with
Bugzilla and ownCloud, as we use those services as well. Good thing
that we're friends with the Gnome folks...maybe we can invite them for
a chat :-)

> If we go for web-based SSO, I like the interface that canonical is
> running (login.ubuntu.com / login.launchpad.net) - two separate login
> pages using the same credentials database, which is a horrible hack for
> legacy reasons. But the interface seems well-integrated, and I can ask
> my browser to keep cookies from a single site.

Yeah, don't get me started on what happened with Launchpad/Ubuntu
One/whatever. Lesson learned: Make sure that your users know what's
changing and how before you re-brand or change systems around.

> On the backend side: most of these "let's deploy a web-SSO" solutions
> run on a relational database in the backend, which I'm not too keen on
> for security reasons. The admins would need to make sure there's a
> dedicated, well-secured database server. If anybody knows one that can
> use LDAP as a credentials store, please point it out.

What would be the alternative for storing data on the backend?

> still quoting Jean:
>> with the ultimate aim to reduce the
>> burden which comes from having an additional user account (needing to
>> remember credentials, etc.).
> I'd explicitly name reducing administrator / moderator burden as well.
> If this creates more work, we'll not establish a solution that will be
> maintained and used long-term.

Yes, simplifying burden for admins/mods is another big piece of the
puzzle. To speak directly to both Jean's point and Philipp's point,
many of the inquiries we receive regarding AskLibreOffice are related
to login problems and/or a desire not to have to trust a 3rd party for
an OpenID server. If we run our own identity server and provide
centralized, documented instructions on how to log-in, I think we'd
greatly improve the user and moderator experience with multiple pieces
of our infra.

Best,
--R

-- 
Robinson Tryon
LibreOffice Community Outreach Herald
Senior QA Bug Wrangler
The Document Foundation
qu...@libreoffice.org



Re: [libreoffice-website] TDF Accounts

2014-08-10 Thread Dennis Roczek

Hi *,

On 10.08.2014 at 19:49, Robinson Tryon wrote:

> On Sun, Aug 10, 2014 at 12:41 PM, Philipp Kaluza fl...@ghostroute.eu wrote:
>
>> Connecting services to the directory is a pain in each individual
>> instance, so I'd like to see a list of services that actually should use
>> this shared user database.
>> I'll start:
>>    - libo machines' admin users
>>    - redmine [2]
>> (shouldn't be much harder than trac, which I've done)
>
> AskLibreOffice, Gerrit, and Redmine all use/support OpenID right now.
>
> Additional services that should/could use shared user database:
> MozTrap
> Silverstripe (?)
> Conference site
> Conference registration (if separate)
> ownCloud
> TDF Wiki
> Mailing list subscriptions/prefs??  (right now there's no
> user-interface GUI at all)

well we have some more low-priority pages:
* Help-Wiki (5 or 6 accounts which is rather easy with an extension!)
* Plone Sites (Template and Extension site)
* the OTRS page (which will be replaced?)


> Best,
> --R


Regards,

Dennis Roczek




Re: [libreoffice-website] TDF Accounts

2014-07-24 Thread Alexander Werner
Hi Jean,

that's great to hear that you are interested in working on this! I have CC’ed 
Philipp, who already offered to set up an LDAP server for us. You two might 
want to get in touch to talk about the details of SSO and OpenID and if it 
makes sense to deploy not only SSO via LDAP but also run an OpenID server.

Alex

--
Alexander Werner a...@documentfoundation.org
Admin Team of The Document Foundation
The Document Foundation, Kurfürstendamm 188, 10707 Berlin
Rechtsfähige Stiftung des bürgerlichen Rechts
Legal details: http://www.documentfoundation.org/imprint









Re: [libreoffice-website] TDF Accounts

2014-07-24 Thread Robinson Tryon
On Thu, Jul 24, 2014 at 6:10 AM, Alexander Werner
a...@documentfoundation.org wrote:
> Hi Jean,
>
> that's great to hear that you are interested in working on this! I have CC’ed
> Philipp, who already offered to set up an LDAP server for us. You two might
> want to get in touch to talk about the details of SSO and OpenID and if it
> makes sense to deploy not only SSO via LDAP but also run an OpenID server.


Woot! This sounds great!

OpenID and LDAP both would be worthy of our investigations. I've
opened a few todo bugs about moving towards SSO[1], but haven't had
time to move forward, so it's nice to hear that others are making
strides!

Cheers,
--R

[1] https://redmine.documentfoundation.org/issues/65

-- 
Robinson Tryon
LibreOffice Community Outreach Herald
Senior QA Bug Wrangler
The Document Foundation
qu...@libreoffice.org



[libreoffice-website] TDF Accounts

2014-07-21 Thread Jean Spiteri
I am writing this post to inform the community I am interested in taking over
a number of Redmine issues which relate to a uniting of the present
different user systems used by each TDF service. I did some research and
came up with a solution to either use a Single Sign-on system (SSO) or use
OpenID to handle the different accounts with the ultimate aim to reduce the
burden which comes from having an additional user account (needing to
remember credentials, etc.). I thought that I would ask for the opinion of
the community to decide whether we go down the OpenID or the SSO route.
Personally, I prefer the SSO route, because of the true one account part,
but I am listing advantages and disadvantages for each approach. 

*Advantages of SSO*
- One set of user credentials to remember
- One admin interface

*Disadvantages of SSO*
- Dependence of one service to access all others
- If an account is hacked, all services will be vulnerable
- Might take longer to develop since a lot of touching code and research
has to be done

*Advantages of OpenID*
- Some services have out-of-the-box support
- Accounts might be used in other sites

*Disadvantages of OpenID*
- Most likely will have to depend on a library to provide OpenIDs
- Some services might still need registration after OpenID to complete the
profile

I think there might be other advantages and disadvantages so if anyone
technical can add to the discussion, please do. I am interested in doing
this if we go the SSO way and may try to do it if we go the OpenID way. Just
to note, that by OpenID I mean providing OpenID ourselves. This topic is
just for discussion purposes so no formal decisions should be taken on this.
I will also try to talk with other persons more connected with Infra to
advise throughout the process. I think a week should be enough to decide
about this and I would then give further details about the implementation.
Of course any help is accepted, just tell me. 




--
View this message in context: 
http://nabble.documentfoundation.org/TDF-Accounts-tp4116291.html
Sent from the Website mailing list archive at Nabble.com.
