Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2013/09/06 06:04:12 UTC

Re: allura instance at Apache is UP

On 08/26/2013 11:17 PM, Olemis Lang wrote:
> On 8/26/13, Dave Brondsema <da...@brondsema.net> wrote:
>> On 8/26/13 1:45 PM, Olemis Lang wrote:
>>> On 8/26/13, Rich Bowen <rb...@rcbowen.com> wrote:
>>>> On 08/26/2013 01:04 PM, Rich Bowen wrote:
> [...]
>>>> Is there an LDAP <-> OpenID thing anywhere that would let us use LDAP
>>>> directly as an auth source?
>>>>
>>>
>>> Generally speaking ? gracie
> [...]
>>
>> Good ideas.  I don't see an openid provider listed at
>> http://www.apache.org/dev/services.html but maybe there is one out there, if
>> we ask infra.
>>
> 
> If you find one, please share it on the list for awareness .

I have asked, and there is not one.  There is some good discussion going
on, on the infrastructure@ list.  Unfortunately that's not a public
list, so I can't point you to the archive or repeat it verbatim here.
(Apparently infrastructure-dev@ is public and archived, and better
suited for such discussions - now I know).  Committers can subscribe to
the list now if they want to see any further comments.  Sorry I didn't
mention it here earlier.

Some ideas from the thread so far: access to plaintext passwords to pass
to LDAP isn't safe.  Delegating via OpenID, OAuth, etc is a lot of work
to set up, and hard to secure.  Perhaps an HTTP LDAP-auth proxy that
Infra runs could go in front of Allura.  Dual logins (i.e. both ASF LDAP
& adhoc random users creating accounts on just Allura) could work if
usernames are separated somehow.  For example, by a prefix (e.g. asf-)
or special invalid char (e.g. trailing _ on non-asf usernames) and
enforced by custom auth providers.

It's looking promising :)

> 
>> We do have a direct LDAP auth provider in Allura.  But I'm not sure if we
>> can make it work side-by-side with regular usernames.
> 
> AFAICT , OpenId will support using both apache.org as well as external
> IDs to log in to the site ... something I consider important once
> users will be creating tickets against the Allura instance at
> apache.org
> 
> However I am not sure of whether that really matters at all .
> 
> [...]
> 


-- 
Dave Brondsema : dave@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
               <><
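
Added example, not part of the original message and not Allura's own code: a sketch of the prefix-based username separation mentioned in the message, where "asf-" names go to LDAP and self-service signup can never create a name in that namespace. The function names, the character policy and the sample usernames are assumptions made for illustration.

```python
import re
import unicodedata

ASF_PREFIX = "asf-"  # prefix taken from the message's example
# Assumed character policy for this sketch: ASCII letters, digits and hyphen,
# 3 to 32 characters, starting with a letter or digit.
_NAME_RE = re.compile(r"[a-z0-9][a-z0-9-]{2,31}")


class UsernameError(ValueError):
    """Raised when a username breaks the policy or the namespace rule."""


def canonical(username):
    """Fold case and Unicode compatibility forms, then enforce the policy.

    Folding first means 'ASF-jdoe' and fullwidth look-alikes of 'asf-'
    are judged by the same rule as the plain lowercase spelling.
    """
    folded = unicodedata.normalize("NFKC", username).casefold()
    if not _NAME_RE.fullmatch(folded):
        raise UsernameError(f"invalid username: {username!r}")
    return folded


def route_login(username):
    """Return (backend, account id) for a login attempt."""
    name = canonical(username)
    if name.startswith(ASF_PREFIX):
        uid = name[len(ASF_PREFIX):]
        if not uid:
            raise UsernameError("empty LDAP uid")
        return ("ldap", uid)
    return ("local", name)


def check_local_registration(username):
    """Self-service signup may never create a name in the LDAP namespace."""
    name = canonical(username)
    if name.startswith(ASF_PREFIX):
        raise UsernameError(f"{ASF_PREFIX!r} names are reserved for LDAP accounts")
    return name


if __name__ == "__main__":
    # Constructed sample usernames.
    for candidate in ("asf-jdoe", "ASF-JDoe", "olemis", "\uff41\uff53\uff46-jdoe"):
        print(repr(candidate), "->", route_login(candidate))
```

The check runs on the canonical form, so a local account cannot be registered under a case or Unicode variant of a name that the login path would route to LDAP.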