Mailinglist Archive: opensuse-boosters (28 mails)
| < Previous | Next > |
Re: [opensuse-boosters] Topic for next meeting: OSUOSL
- From: Stephan Kulow <coolo@xxxxxxx>
- Date: Wed, 21 Sep 2011 13:56:21 +0200
- Message-id: <201109211356.22756.coolo@suse.de>
Am Mittwoch, 21. September 2011 schrieb Michal Hrusecky:
http://www.gitorious.org/opensuse/apache-mod_auth_memcookie
that has access to it - and all other hosts have no access to the password,
which is a very big adventage. I'm not argueing that openid doesn't have the
same advantage, but openid is a completely different beast and "getting rid
of ichain" doesn't translate to "use openid" to me.
and bugzilla basically.
login.opensuse.org aka ichain creditionals. login.opensuse.org can be the
openid provider itself too I guess, but having it in connect makes future
changes easier.
Greetings, Stephan
--
To unsubscribe, e-mail: opensuse-boosters+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-boosters+help@xxxxxxxxxxxx
Stephan Kulow - 10:53 21.09.11 wrote:No, it's apache doing basic auth and a proxy caching the session.
Am Mittwoch, 21. September 2011 schrieb Michal Hrusecky:
What is login.opensuse.org and how it works? Strange question, but is
it documented somewhere? And isn't it just another iChain instance?
AFAIK
No, it's our own implementation.
Ok, so it is our own implementation of something like iChain,
nonstandard and undocumented? Sounds great :-D
http://www.gitorious.org/opensuse/apache-mod_auth_memcookie
I'm talking about the novell account LDAP, yes. and login.oo is the only host
Connect is behind some proxy that provides authentication which is
impossible (or at least hard) to do on servers hosted out of our
internal network. So if we are going to move some services out of
Provo,
connect is behind login.opensuse.org, yes. And there is no reason why the
authenification can't stay behind login.opensuse.org if the real traffic
is then directly to the hoster.
We can then later switch from ldap auth to connect auth, but for now I
consider it a major regression if I need different accounts for different
openSUSE services.
Interesting point from this response is, the LDAP you are talking about,
I guess we don't have access to it, right? It would make things much
simpler.
that has access to it - and all other hosts have no access to the password,
which is a very big adventage. I'm not argueing that openid doesn't have the
same advantage, but openid is a completely different beast and "getting rid
of ichain" doesn't translate to "use openid" to me.
As I said: it's our own.
Do we have control over login.opensuse.org? One of the issues with
iChain is that whenever we need something, it has to go through Provo.Yes, but provo ichain we only use for stuff hosted in provo right now. Wiki
and bugzilla basically.
Yes, connect can be the openid provider, but it can still authenficate against
Other reason is that whenever we want to set up new website (if we want
to update bugzilla, mediawiki, if we decide that we want something else)
we need to create/maintain iChain authentication plugin while openID is
widely supported. With login.opensuse.org, just name would change from
iChain to login.opensuse.org. And if we will be setting up new
infrastructure, I think it would be a good opportunity to get rid of some
legacy technologies we have around. If we would get our hands on that
LDAP, we could just setup Connect to use it and provide openID fro
everybody else. So same
login/password, just different way...
login.opensuse.org aka ichain creditionals. login.opensuse.org can be the
openid provider itself too I guess, but having it in connect makes future
changes easier.
Greetings, Stephan
--
To unsubscribe, e-mail: opensuse-boosters+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-boosters+help@xxxxxxxxxxxx
| < Previous | Next > |