Re: [gnome.org #1964] Web Gnome LDAP access
- From: Ramon Navarro Bosch <ramon epsem upc edu>
- To: Owen Taylor <otaylor redhat com>
- Cc: gnome web <gnome-web-list gnome org>, support gnome org, gnome-infrastructure gnome org, Quim Gil <qgil desdeamericaconamor org>
- Subject: Re: [gnome.org #1964] Web Gnome LDAP access
- Date: Tue, 19 Dec 2006 19:49:29 +0100
www.gnome.org is going to be controlled by GNOME and on a
GNOME-controlled server.
As quim said I'm waiting to know more information about infraestructure
team about the servers available and how we will deploy this system.
Meanwhile we are using a dedicated server on Universitat Politècnica de
Catalunya that Free Software Chair gave to us.
The easiest option now is :
* Can infraestructure team make a copy of the LDAP and give read access
to corb.cpl.upc.edu ( 147.83.101.89 )?
One important thing is that we can force Plone to use a user to bind
LDAP instead of using the gnome username. Then it would be possible to
create some rules on sldapd configuration just to enable
password/name/email changes on user stuff throw Plone.
Ramon
En/na Owen Taylor ha escrit:
> On Mon, 2006-12-18 at 13:07 +0000, Ross Golder wrote:
>
>> Ramon Navarro Bosch wrote:
>>
>>> We have 3 options :
>>>
>>> 1) Not use LDAP, if WGO is only going to be used by 6 people I thing that
>>> is not necessary to complicate it ( only need access the editors in
>>> english all the translators will work throw actual methods).
>>>
>>> 2) Otherwise we can have ReadOnly access to LDAP.
>>>
>>> 3) The third option is ReadWrite access to LDAP. Then the people have the
>>> oportunity to change the password on LDAP throw plone and also map some
>>> attributes from LDAP to Plone member attributes and change them.
>>>
>>> In case 2 and 3 we need to create a group on LDAP just to map who is
>>> editor/reviewer/administrator.
>>>
>>> If we need LDAP, then , it's important that we know as soon as possible so
>>> know there are 4 local users ( editors ).
>>>
>>> Ramon
>>>
>>>
>> I think it would be a shame for us to end up with two lots of GNOME user
>> data (one in LDAP, one in Plone), so I don't think 1 is the best way to
>> go. IMHO, having to maintain two accounts for GNOME-related stuff will
>> end up confusing people.
>>
>> If the Plone server making requests is to be hosted outside of the remit
>> of the GNOME sysadmin team, as it is now, I'm not so sure I feel
>> comfortable with giving it that much access to our LDAP service or data.
>>
>> If the source code for this was checked into GNOME CVS (well,
>> subversion), hosted on a GNOME server, where only GNOME-approved hackers
>> were able to make changes to the site source and only GNOME-approved
>> sysadmins have access to the databases and web servers, I'd feel a lot
>> more comfortable about it all. Or am I just being too paranoid?
>>
>
> Without investigating the problem in detail:
>
> My feeling is that the Plone/Zope code must inherently not be able to
> modify security-critical content in the LDAP database; examples include:
>
> - Membership in the various groups that we use to control
> login access (gnomeweb/gnomecvs/wheel/etc.)
> - SSH keys
>
> Depending on the Plone code to do the necessary security checks is not
> sufficient, no matter where the instance and source code is hosted.
> This may be possible to achieve by appropriate access controls set
> up on the LDAP server: preferably with a "whitelist" of things that the
> Plone server is allowed to change rather than the reverse. If such a
> setup isn't possible, it's a bad idea to allow the Plone server write
> access to the LDAP database.
>
> In reference to:
>
> "If the Plone server making requests is to be hosted outside of the
> remit of the GNOME sysadmin team, as it is now"
>
> I hope we wouldn't even consdider hosting www.gnome.org on a
> non-GNOME-controlled server.
>
> Regards,
> Owen
>
>
>
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
