[Mageia-sysadm] [LONG] sympa ( and web apps ) ldap authentication

Thu Nov 25 20:54:09 CET 2010

* Romain d'Alverny (rdalverny at gmail.com) wrote:
+> On Thu, Nov 25, 2010 at 18:54, Michael Scherer <misc at zarb.org> wrote:
+> > Le jeudi 25 novembre 2010 à 10:50 +0100, Buchan Milne a écrit :
+> > My point is that we should be consistent. Ie, if we start using
+> > sometimes a username, sometimes a email ( and well, I must say "one of
+> > the numerous email people have", because I am pretty sure that I am not
+> > the only one to have more than 1 email ), this will be annoying.
+> 
+> When we set up my.mandriva.com back in 2005, using the email address
+> instead of login to authenticate has been a big improvement: way less
+> contacts from people saying "I forgot my username" or trying to
+> re-register with an already used email address and a different login
+> (and then failing to do so).
+> 
+> In this case, it may be that the cognitive effort to remember an email
+> address one already uses regularly is easier than the one to remember
+> a username that one may use only to authenticate (actually, that was
+> the hypothesis back at the time).
+
+It is possible to include in catdap a way to receive a reminder about
+users informations from a email.
+
+But the usage of email as login in my.mdv also make my life harder since
+I never remember which one of my 5 emails was used (the same issue apply
+on other website). The worst happend when I had to change my email
+address because it had to disappear.
+
+User must be able to change their email address. Changing the login will
+probaby have side effect, so using email as login is probably a bad
+idea.
+ 
+> > We cannot use email everywhere, since some services do not support it
+> > ( svn+ssh will not accept it, no @ in username IIRC, neither would the
+> > current buildsystem ). And doing translation will be source of
+> > confusion.
+> 
+> Yes, that's a drawback, but an acceptable one I think:
+>  * only for people that will use code repositories and buildsystem; that is,
+>  * you are not forced to allow user identification against a single
+> id; what you need is just something you know identifies the user for
+> sure (if the email unicity and ownership are both proven, that's a
+> pretty good hint). So you can both authenticate against email/pass and
+> login/pass (and even have several email/login for that, if they are
+> checked against first).
+
+We can ensure unicity of login on our side because we have full control,
+but nothing prevent to a company to give same email to several people,
+or to give a previously used email address to a new employee.
+
+If the account become important (sys admin, distrib manager), we then
+cannot ensure who receive the information we send.
+
+-- 
+
+Olivier Thauvin
+CNRS  -  LATMOS
+♖ ♘ ♗ ♕ ♔ ♗ ♘ ♖
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: not available
+Type: application/pgp-signature
+Size: 197 bytes
+Desc: not available
+URL: </pipermail/mageia-sysadm/attachments/20101125/7ae6acd8/attachment.asc>
+