www-infrastructure-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 18:05:07 GMT

Tony Stevenson wrote:

> Exactly, at the moment users manage their shell passwords by logging in 
> and using the timeless 'passwd' command.  :-)

Yep, for those of us that know how, all is good, but for those of us who 
have to somehow figure out how PuTTY works before they can do this, not 
so good. :)

> As for SVN passwords AISTR there is a web interface they can use to 
> reset this.
> So with this in mind, we will likely support both methods by the time we 
> are done. Though in what order/which guise is yet undecided.  A self 
> managing system that allows users to reset their passwords is a nice 
> idea, and if we can sort this, it may go some way to alleviating the 
> pain nearer the times of en-masse logins (i.e. member votes)

I have a solution for this that is ready to go, all it needs is to be 
installed. It does indeed solve much pain and annoyance for end users if 
there is one single canonical way to manage things like passwords.

> Sorry Graham, set what up exactly?  mod_session and sso?
> At the moment we are not looking to roll out support for SSO (and by SSO 
> I mean the definition as it is in the "Scope & Goals" document in SVN. 
> (SVN:Infra\trunk\projects\ldap-project)

The various apps that I have created to do the various bits and pieces 
like change passwords, reset forgotten passwords etc are built on top of 
mod_session. Just because these apps are built on top of mod_session 
does not mean that we are obligated to use mod_session for anything else 
just yet.

Of course you aren't obligated to use mod_session with the apps, but if 
you don't, you get lame behaviour like being asked to suddenly re-log in 
directly after changing your password.

> Cool. We can always come and re-visit this as and when 
> time/desire/requirements allow us.

I predict you will be forced to visit this sooner rather than later, but 
obviously only when you are ready. At the very least an LDAP server is 
required, and we don't have that yet.

