Re: [gnome.org #1964] Web Gnome LDAP access

From: Owen Taylor <otaylor redhat com>
To: Ross Golder <ross golder org>
Cc: Quim Gil <qgil desdeamericaconamor org>, support gnome org, gnome web <gnome-web-list gnome org>, gnome-infrastructure gnome org
Subject: Re: [gnome.org #1964] Web Gnome LDAP access
Date: Mon, 18 Dec 2006 10:38:54 -0500

On Mon, 2006-12-18 at 13:07 +0000, Ross Golder wrote:
> Ramon Navarro Bosch wrote:
> > 
> > We have 3 options :
> > 
> > 1) Not use LDAP, if WGO is only going to be used by 6 people I thing that
> > is not necessary to complicate it ( only need access the editors in
> > english all the translators will work throw actual methods).
> > 
> > 2) Otherwise we can have ReadOnly access to LDAP.
> > 
> > 3) The third option is ReadWrite access to LDAP. Then the people have the
> > oportunity to change the password on LDAP throw plone and also map some
> > attributes from LDAP to Plone member attributes and change them.
> > 
> > In case 2 and 3 we need to create a group on LDAP just to map who is
> > editor/reviewer/administrator.
> > 
> > If we need LDAP, then , it's important that we know as soon as possible so
> > know there are 4 local users ( editors ).
> > 
> > Ramon
> > 
> 
> I think it would be a shame for us to end up with two lots of GNOME user
> data (one in LDAP, one in Plone), so I don't think 1 is the best way to
> go. IMHO, having to maintain two accounts for GNOME-related stuff will
> end up confusing people.
> 
> If the Plone server making requests is to be hosted outside of the remit
> of the GNOME sysadmin team, as it is now, I'm not so sure I feel
> comfortable with giving it that much access to our LDAP service or data.
> 
> If the source code for this was checked into GNOME CVS (well,
> subversion), hosted on a GNOME server, where only GNOME-approved hackers
> were able to make changes to the site source and only GNOME-approved
> sysadmins have access to the databases and web servers, I'd feel a lot
> more comfortable about it all. Or am I just being too paranoid?

Without investigating the problem in detail:

My feeling is that the Plone/Zope code must inherently not be able to
modify security-critical content in the LDAP database; examples include:

 - Membership in the various groups that we use to control 
   login access (gnomeweb/gnomecvs/wheel/etc.)
 - SSH keys

Depending on the Plone code to do the necessary security checks is not
sufficient, no matter where the instance and source code is hosted.
This may be possible to achieve by appropriate access controls set
up on the LDAP server: preferably with a "whitelist" of things that the
Plone server is allowed to change rather than the reverse. If such a
setup isn't possible, it's a bad idea to allow the Plone server write
access to the LDAP database.

In reference to:

 "If the Plone server making requests is to be hosted outside of the  
  remit of the GNOME sysadmin team, as it is now"

I hope we wouldn't even consdider hosting www.gnome.org on a
non-GNOME-controlled server.

Regards,
						Owen

Follow-Ups:
- Re: [gnome.org #1964] Web Gnome LDAP access
  - From: Quim Gil
- Re: [gnome.org #1964] Web Gnome LDAP access
  - From: Ramon Navarro Bosch

References:
- Re: [gnome.org #1964] Web Gnome LDAP access
  - From: Ross Golder

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]