Add zarb MLs html archivesHEADmaster

1 files changed, 244 insertions, 0 deletions

diff --git a/zarb-ml/mageia-sysadm/2011-April/003372.html b/zarb-ml/mageia-sysadm/2011-April/003372.html
new file mode 100644
index 000000000..1513ef7d5
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2011-April/003372.html
@@ -0,0 +1,244 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+   <TITLE> [Mageia-sysadm] Users authentication on forums
+   </TITLE>
+   <LINK REL="Index" HREF="index.html" >
+   <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C1303168244.10561.189.camel%40akroma.ephaone.org%3E">
+   <META NAME="robots" CONTENT="index,nofollow">
+   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+   <LINK REL="Previous"  HREF="003332.html">
+   <LINK REL="Next"  HREF="003400.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+   <H1>[Mageia-sysadm] Users authentication on forums</H1>
+    <B>Michael Scherer</B> 
+    <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20Users%20authentication%20on%20forums&In-Reply-To=%3C1303168244.10561.189.camel%40akroma.ephaone.org%3E"
+       TITLE="[Mageia-sysadm] Users authentication on forums">misc at zarb.org
+       </A><BR>
+    <I>Tue Apr 19 01:10:44 CEST 2011</I>
+    <P><UL>
+        <LI>Previous message: <A HREF="003332.html">[Mageia-sysadm] Users authentication on forums
+</A></li>
+        <LI>Next message: <A HREF="003400.html">[Mageia-sysadm] Users authentication on forums
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#3372">[ date ]</a>
+              <a href="thread.html#3372">[ thread ]</a>
+              <a href="subject.html#3372">[ subject ]</a>
+              <a href="author.html#3372">[ author ]</a>
+         </LI>
+       </UL>
+    <HR>  
+<!--beginarticle-->
+<PRE>Le lundi 11 avril 2011 &#224; 14:39 +0200, nicolas vigier a &#233;crit :
+&gt;<i> Hello,
+</I>&gt;<i> 
+</I>&gt;<i> For authentication on the forums, we are currently using ldap. The user
+</I>&gt;<i> sends his login and passwords to phpbb which use it to authenticate on
+</I>&gt;<i> ldap server. Because of this, someone with root access on the forums
+</I>&gt;<i> server can access password of any user connecting to the forums. And
+</I>&gt;<i> because important passwords are transfered, the connection needs to be
+</I>&gt;<i> in SSL, so the *.mageia.org certificate also needs to be installed. So
+</I>&gt;<i> access to the server needs to be restricted to sysadmin team only, who
+</I>&gt;<i> also need to be able to check what is being done on forums, check it is
+</I>&gt;<i> secure, etc ... And I think this makes forums admins not happy.
+</I>
+Then what about doing like french forums, and not connect at all to our
+ldap.
+
+This let people the whole freedom to do what they want and allow us to
+focus on stuff that we need ( like deploying everything that need to be
+deployed, wiki, bittorrent server, etc, see the bugzilla for list of
+thing to do ).
+
+
+&gt;<i> As we are using ldap for authentication only (not for groups or anything
+</I>&gt;<i> else), 
+</I>
+Usage of group have been proposed in the council meeting tonight. ( for
+having a specific tag on forum ). So ldap access would enable this.
+
+
+&gt;<i> I think we could do authentication differently. Maybe we could
+</I>&gt;<i> setup a mageia OpenID server linked to the ldap server. Then on the
+</I>&gt;<i> forums use OpenID for authentication, when a user enter his login on
+</I>&gt;<i> the forums he is redirected to the mageia OpenID authentication page
+</I>&gt;<i> for the login entered. Then we can disable https on the forums, and
+</I>&gt;<i> forum admins can be root on the forums server. And passwords are better
+</I>&gt;<i> protected in case phpbb has a vulnerability.
+</I>
+Or in case someone go rogue, or has his privileged account compromised. 
+
+&gt;<i> Sysadmin team would manage openid server. And forum team would manage
+</I>&gt;<i> forums server.
+</I>&gt;<i> 
+</I>&gt;<i> I've seen this project for phpbb3 openid authentication (I didn't check
+</I>&gt;<i> if there are others) :
+</I>&gt;<i> <A HREF="http://sourceforge.net/projects/phpbb-openid/">http://sourceforge.net/projects/phpbb-openid/</A>
+</I>&gt;<i> 
+</I>&gt;<i> Login form looks like this :
+</I>&gt;<i> <A HREF="http://sourceforge.net/dbimage.php?id=91989">http://sourceforge.net/dbimage.php?id=91989</A>
+</I>&gt;<i> We would need to modify it to remove Username/Password. Replace &quot;OpenID&quot;
+</I>&gt;<i> with &quot;Mageia login&quot; and automatically use Mageia OpenID server with the
+</I>&gt;<i> login entered. So that each account on the forum is still linked to a
+</I>&gt;<i> Mageia account.
+</I>
+Well, I foresee some problems. People not wanting the exact rational can
+just skip to the end, there is a quick summary :
+
+- we would need to make changes to applications, in a non upstreamable
+way. It was one of the point in favor of ldap , that everything can be
+easy to share. If we start to go this way, we will end like each time we
+go this way, with a huge forked stuff. Packagers learned this the hard
+way more than once. And lack of time + big pile of customization is what
+blocked forum upgrade for years, so I really think we start to learn
+from our past mistakes.
+
+
+- openid/oauth manage the authentication ( and some vcard stuff ) but
+not the autorisation. For example, Transifex ( and others django
+application ) do use ldap groups for autorisation and I think that's
+rather a good idea to manage this using ldap.
+
+While it is not the case right now for forums, as said before, there was
+some discussions about having i18n/packagers/etc people having extended
+rights on some subforums, this would be harder to be done cleanly
+without a ldap access.
+
+
+- moreover, keeping group of people outside of our ldap would make
+various process harder. 
+
+For example, if we want to elect moderators representatives, this would
+be tedious to do it on epoll if the group is stored elsewhere ( it is
+tedious now but there is some bug to fix for that ). If we want to setup
+a ml synced with ldap ( like board-private@ ), this would also cause
+data duplication. Email aliases are also based on ldap group membership,
+etc.
+
+
+- Most web applications will also need to access to email of users for
+various reasons ( like sending email ), most will also store the email
+for later usage. That's personal information that we should also protect
+and I think the various threads on the subject in the past, or the
+recent issue regarding Epsilon, or Google show that enough people care
+about that. We cannot share them with anyone without having this written
+in the privacy policy, ( policy that is still a draft cf bug 452 ) and
+told to users. 
+
+
+- Moreover, if we start to give private informations to 3rd party
+websites, they should IMHO also have a privacy policy, and respect it.
+But yet, we cannot do much to make sure it is enforced or respected,
+unless if we are root. And if we are root on the server, then I see no
+reason to not handle like the others ( ie, puppet etc ). Then we are
+back on the same issues that sparkled the proposal.
+
+
+- As said on irc, there is the security issues. While we can suffer from
+it on our servers too, this would be a wrong way of evaluating the risk.
+If we take for example X external web sites, managed by X different
+group, and the Mageia web applications, there is more attack surface
+( around X+1 time more ) than just having the Mageia applications. And
+unless we can guarantee that all 3rd party admins will be skilled enough
+in the arcane of security, the risk would likely be bigger than smaller.
+
+
+- I think that telling to people &quot;it is ok to give your Mageia password
+for services that are not managed by mageia.org sysadmins&quot; is giving bad
+habits. 
+
+
+- Based on my own experience with Fedora project  openid provider is
+this : 
+  - 1) consumer/relaying party ask for openid provider url
+  - 2) provider ask for login/password 
+  - 3) provider ask to confirm if the request is ok.
+     ie, confirm access to information ( such as name, email, etc ).
+
+Step 1 is one click to load a complete page ( ie the provider form ), 
+even with url hardcoded in our software. I am not sure if it doesn't 
+need the username ( as it is usually embedded in the url ). Point 2 is 
+hard to avoid, so 1 click + filling the form. Point 3 could be bypassed
+automatically by patching the openid provider, but I do think users should 
+be in control of their personal information ( for one ) and should check
+who request the information ( for 2 ), and we should not touch to openid 
+provider ( patching, etc ). So that would make between 3 clicks and 2 forms 
+to 2 clicks and 1 form.
+
+
+- I think the service would be more difficult to scale and replicate than 
+ldap. For ldap, any self respecting library would work without modification, 
+and if not, that's a feature that would be useful to sent upstream if we 
+need to patch. For a stateful http service like openid, this would requires a 
+slightly more complex setup to be redundant, and that mean the service 
+would be more fragile.
+
+
+So to summarize :
+- too intrusive to deploy ( patch )
+- difficult to maintain ( non upstreamable patchs )
+- do not fully respond to some requirements
+- not using ldap would cause integration problem
+- suboptimal ui ( more click required )
+- potential breach of privacy
+- increased security risk
+- difficult to scale, more fragile
+
+I recognize the solution was smart and reusing a standard protocol is quite 
+clever, but the whole situation is more complex than just &quot;delegating 
+authentication should solve the issue&quot;.
+
+
+On the packaging side, if someone want to upload rpms, they have follow 
+the packaging standards to make sure we have good quality packages. 
+Lots of people do not like that ( see MiB, see PcLinuxOs/texstar 
+before ) because that requires more work and they do not see the added 
+values. But that doesn't mean it doesn't exist and I think that all
+packagers agree that's the sanest way to do things. People are still 
+free to not comply, just outside of the distribution.
+
+For infrastructure, that's exactly the same. We do have some procedures, 
+with reasons and benefits to follow them, and yes, I am fairly aware 
+that some people would prefer it done another way. I have read what 
+they said, understood that having to follow some procedure is tedious, 
+requires more work and more time and they would prefer do it another 
+way. Yet, I do not think we should sacrifice integration and 
+maintainability because of that.
+
+I understand that not being root annoy some people ( I got kicked out
+of Mandriva svn administration 1 week ago ), and I also guess that the 
+current way of doing thing is not fast enough. But I am convinced that deploying 
+complex and fragile system to avoid our procedures is not the way to go, or 
+at least, no the way I am willing to follow.
+
+
+-- 
+Michael Scherer
+
+</PRE>
+
+
+
+
+<!--endarticle-->
+    <HR>
+    <P><UL>
+        <!--threads-->
+	<LI>Previous message: <A HREF="003332.html">[Mageia-sysadm] Users authentication on forums
+</A></li>
+	<LI>Next message: <A HREF="003400.html">[Mageia-sysadm] Users authentication on forums
+</A></li>
+         <LI> <B>Messages sorted by:</B> 
+              <a href="date.html#3372">[ date ]</a>
+              <a href="thread.html#3372">[ thread ]</a>
+              <a href="subject.html#3372">[ subject ]</a>
+              <a href="author.html#3372">[ author ]</a>
+         </LI>
+       </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html>