[Systers-dev] Considering LDAP and OpenID
Jennifer Redman
jenred at gmail.com
Wed May 27 15:19:09 PDT 2009
Malveeka Tewari is our student leading the Systers GSoC authentication
project. One aspect of the project involves determining if we want to use
LDAP or OpenID (or both) as authentication mechanisms.
To provide a little bit of background, Mailman currently uses pickle files (
http://docs.python.org/library/pickle.html) to store user data. With our
mailman extensions (particularly the dynamic sublist functionality - the
ability to subscribe and unsubscribe from conversations), we use a mix of
default pickle files and a PostgreSQL db to handle the dlist functionality.
Our first step is going to be to extract all the user data from the pickle
files into a SQL Member Adaptor to allow for storage in any sql db, and then
use that data for either LDAP or OpenID authentication or maybe both.
Malveeka came up with some great questions regarding LDAP and OpenID
functionality; she sent them to me previously, but I think they are worthy
of discussion amongst Systers' end-users.
Here are her questions (I'm going to add that we are looking at Mediawiki as
the first application against which we would like to authenticate):
This site provides a comprehensive summary of how openID works:
http://framework.zend.com/manual/en/zend.openid.html#zend.openid.introduction.how
With OpenID, there are two important parties: the OpenID Provider and OpenID
relying party.
Relying party: The site that wants to verify the end-user's identifier.
Sometimes also called a "service provider".
Server or server-agent: The server that verifies the end-user's identifier.
This may be the end-user's own server (such as their blog), or a server
operated by an identity provider.
As I understand it, we want to implement an OpenID server, as we want our users
to authenticate using mailman and access other sites.
I am not sure if we want to implement an OpenID relying party for Systers.
Allowing OpenID relying on Systers might mean users can authenticate with
other OpenID providers and access Systers site without having a systers
account. Maybe we want to allow this feature for gaining visibility or may
be this is not desired; I am not sure. (Also, we can implement added
verification on Systers to make sure we allow access to only valid Systers
members.) I need your opinion on this.
I will certainly want to implement LDAP enabled access but as I said I would
personally want to begin with the OpenID implementation. However, there
might be reasons to take up the openLDAP approach over OpenID. Here again, I
need feedback from you. For deciding which approach is better, I think we
need to understand:
1. What kind of users are we targeting?
( What users need to do extra in each implementation (LDAP and OpenID) for
them to access other sites. For eg. in the OpenID implementation, they would
need to create their OpenID identifier. OpenLDAP will not require much user
intervention but will be more complex to implement. )
2. What kind of applications/sites do we wish to extend Systers authentication
support to?
( One disadvantage of OpenID is that the applications we can access with the
OpenID identifier need to be OpenID enabled as well. However, increasingly a
lot of applications/sites are becoming OpenID enabled.
http://openid.net/where/ They say there are nearly 10,000 sites that support
OpenID, but these may not be the applications/sites we are actually
interested in. )
3. Security concerns?
( OpenID is less secure than OpenLDAP. )
### End Malveeka's questions ###
Does anyone feel particularly strongly about using OpenID vs LDAP? My
inclination is that you would need a Systers provided OpenID since we don't
want to open up access to anyone with an OpenID.
Thanks,
Jen
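As an added illustration of the "added verification on Systers" point and Jen's conclusion that only a Systers-provided OpenID should be accepted (example code written for this archive page, not Systers' or Mailman's own): a relying-party policy check, run after the OpenID assertion itself has been signature-verified, that admits only identifiers issued and signed by the Systers-operated provider and mapped to an active member. The provider endpoint, identifier host and member table are constructed placeholders standing in for the SQL Member Adaptor.

```python
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed placeholders: the Systers-operated OpenID provider (OP) and a
# member table standing in for the SQL Member Adaptor mentioned in the post.
TRUSTED_OP_ENDPOINT = "https://openid.systers.example/server"
IDENTIFIER_HOST = "openid.systers.example"
MEMBERS: Dict[str, Dict[str, object]] = {
    "https://openid.systers.example/id/alice": {"email": "alice@example.org", "active": True},
    "https://openid.systers.example/id/bob": {"email": "bob@example.org", "active": False},
}


def normalize_identifier(identifier: str) -> str:
    """Canonicalize an identifier URL so lookups are exact: https only,
    lowercase host, no trailing slash. Returns "" if it is not https."""
    parts = urlparse(identifier.strip())
    if parts.scheme.lower() != "https":
        return ""
    host = parts.netloc.lower()
    path = parts.path.rstrip("/") or "/"
    return f"https://{host}{path}"


def authorize_member(claimed_id: str, op_endpoint: str) -> Tuple[bool, str]:
    """Decide whether an identifier that already passed OpenID assertion
    verification may log in to a Systers application.

    claimed_id:  the identifier asserted by the OP.
    op_endpoint: the OP endpoint URL that actually signed the assertion.
    Returns (allowed, reason_or_member_email)."""
    ident = normalize_identifier(claimed_id)
    if not ident:
        return False, "identifier must be an https URL"
    if urlparse(ident).netloc != IDENTIFIER_HOST:
        return False, "identifier not issued by the Systers provider"
    # A Systers-looking identifier can still be delegated to a foreign OP, so
    # the signing endpoint must be ours as well, not just the identifier host.
    if op_endpoint.rstrip("/") != TRUSTED_OP_ENDPOINT:
        return False, "assertion not signed by the Systers OpenID provider"
    member = MEMBERS.get(ident)
    if member is None:
        return False, "no Systers member record for identifier"
    if not member["active"]:
        return False, "member account is inactive"
    return True, str(member["email"])
```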