[Systers-dev] Considering LDAP and OpenID

Sarah Mei sarahmei at gmail.com
Wed May 27 17:13:51 PDT 2009


Sorry if I'm coming into this conversation late.

Is the goal to allow single sign-on to several Systers-related sites,
for Systers members, without making them register for each site?

And/or, do you want to allow Systers to use the Systers OpenID
provider for other services that take OpenID? I'm thinking of
non-Systers-affiliated sites like Stack Overflow.

I've never seen a site that accepted OpenLDAP credentials, so I can't
comment on that, but OpenID is decently standard. WordPress,
MediaWiki, etc., all have plugins that convert the user registration
system to OpenID. You might need to hack the plugins a little to
restrict the list of providers to just Systers.

On Wed, May 27, 2009 at 3:19 PM, Jennifer Redman <jenred at gmail.com> wrote:
> Malveeka Tewari is our student leading the Systers GSoC authentication
> project.  One aspect of the project involves determining if we want to use
> LDAP or OpenID (or both) as authentication mechanisms.
> To provide a little bit of background, Mailman currently uses pickle files (
> http://docs.python.org/library/pickle.html) to store user data.  With our
> mailman extensions (particularly the dynamic sublist functionality - the
> ability to subscribe and unsubscribe from conversations), we use a mix of
> default pickle files and a PostgreSQL db to handle the dlist functionality.
>
> Our first step is going to be to extract all the user data from the pickle
> files into a SQL Member Adaptor to allow for storage in any sql db, and then
> use that data for either LDAP or OpenID authentication or maybe both.
>
> Malveeka came up with some great questions regarding LDAP and OpenID
> functionality, she sent them to me previously - but I think they are worthy
> of discussion amongst Systers' end-users.
>
> Here are her questions (I'm going to add that we are looking at Mediawiki as
> the first application against which we would like to authenticate):
>
> This site provides a comprehensive summary of how openID works:
>
> http://framework.zend.com/manual/en/zend.openid.html#zend.openid.introduction.how
>
> With OpenID, there are two important parties: the OpenID Provider and OpenID
> relying party.
> Relying party: The site that wants to verify the end-user's identifier.
> Sometimes also called a "service provider".
> Server or server-agent: The server that verifies the end-user's identifier.
> This may be the end-user's own server (such as their blog), or a server
> operated by an identity provider.
> As I understand we want to implement an OpenID server as we want our users
> to authenticate using mailman and access other sites.
>
> I am not sure if we want to implement an OpenID relying party for Systers.
> Allowing OpenID relying on Systers might mean users can authenticate with
> other OpenID providers and access Systers site without having a systers
> account. Maybe we want to allow this feature for gaining visibility or maybe
> this is not desired, I am not sure. (Also, we can implement added
> verification on Systers to make sure we allow access to only valid Systers
> members.) I need your opinion on this.
>
> I will certainly want to implement LDAP enabled access but as I said I would
> personally want to begin with the OpenID implementation. However, there
> might be reasons to take up the openLDAP approach over OpenID. Here again, I
> need feedback from you. For deciding which approach is better, I think we
> need to understand:
>
> What kind of users are we targeting?
> (What users need to do extra in each implementation (LDAP and OpenID) for
> them to access other sites. E.g. in the OpenID implementation, they would
> need to create their OpenID identifier. OpenLDAP will not require much user
> intervention but will be more complex to implement.)
>
> What kind of applications/sites do we wish to extend Systers authentication
> support to?
> (One disadvantage of OpenID is that the applications we can access with the
> OpenID identifier need to be OpenID enabled as well. However, increasingly a
> lot of applications/sites are becoming OpenID enabled.
> http://openid.net/where/ They say there are nearly 10,000 sites that support
> OpenID but these may not be the applications/sites we are actually
> interested in.)
>
> Security concerns?
> (OpenID is less secure than OpenLDAP.)
>
> ### End Malveeka's questions ###
>
>
> Does anyone feel particularly strongly about using OpenID vs LDAP?   My
> inclination is that you would need a Systers provided OpenID since we don't
> want to open up access to anyone with an OpenID.
>
> Thanks,
> Jen
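As an added example, not code from this thread or from the Systers project: the policy Sarah and Jen describe (a Systers-provided OpenID, with relying parties restricted to that one provider) can be enforced at the relying party by gating the OpenID 2.0 positive assertion before the signature is even checked. All URLs and field values below are constructed placeholders; the allowlist, return_to and "identifier must live on the provider host" rules are assumptions about how Systers would deploy it.

```python
from urllib.parse import urlparse

# Constructed placeholders: the Systers-run OP and the MediaWiki callback URL.
ALLOWED_OP_ENDPOINTS = {"https://openid.systers.example/server"}
EXPECTED_RETURN_TO = "https://wiki.systers.example/Special:OpenIDFinish"

# OpenID Authentication 2.0 requires these fields to be signed in a positive
# assertion; claimed_id and identity must also be signed when present.
ALWAYS_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

# Nonces already consumed: each assertion is accepted at most once (anti-replay).
_seen_nonces = set()


def check_assertion(params, seen_nonces=_seen_nonces):
    """Policy gate for an OpenID 2.0 'id_res' response at the relying party.

    `params` is the query string of the OP's redirect back, with the
    'openid.' prefix stripped. Returns (ok, reason). Signature verification
    against the association secret still has to follow an accepted result.
    """
    if params.get("mode") != "id_res":
        return False, "not a positive assertion"
    op = params.get("op_endpoint", "")
    if op not in ALLOWED_OP_ENDPOINTS:
        return False, "provider not on the Systers allowlist"
    if params.get("return_to") != EXPECTED_RETURN_TO:
        return False, "return_to does not match this relying party"
    # Anything the RP relies on must be covered by the OP's signature.
    signed = set(params.get("signed", "").split(","))
    needed = set(ALWAYS_SIGNED) | {f for f in ("claimed_id", "identity") if f in params}
    missing = needed - signed
    if missing:
        return False, "unsigned fields: " + ",".join(sorted(missing))
    if "claimed_id" not in params:
        return False, "no claimed identifier"
    # Assumed Systers policy: identifiers are issued on the provider's own host,
    # so a delegated identifier on some other site is not a Systers member.
    if urlparse(params["claimed_id"]).hostname != urlparse(op).hostname:
        return False, "claimed identifier not issued by the Systers provider"
    # response_nonce starts with a UTC timestamp; freshness checking is omitted here.
    nonce = params.get("response_nonce", "")
    if not nonce or nonce in seen_nonces:
        return False, "missing or replayed response_nonce"
    seen_nonces.add(nonce)
    return True, "accepted"
```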

