
Re: New nm.debian.org site is up!



On Wed, March 7, 2012 00:36, Enrico Zini wrote:
> On Tue, Mar 06, 2012 at 09:36:42PM +0100, Thijs Kinkhorst wrote:
>
>> On Tue, March 6, 2012 13:55, Enrico Zini wrote:
>> > You should be hearing more about this (and about what is a Debian web
>> > password) soon :)
>>
>> Great. Can you tell us something more about that or can we read some
>> discussion somewhere? I'm interested since I've been doing a lot with
>> web auth protocols so I'd like to see if my experiences align with the
>> plans.
>
> The idea is to get DACS to work:
> http://en.wikipedia.org/wiki/Distributed_Access_Control_System_(DACS)
> but we're talking experiments here and I'm not yet sure if/when it'll
> actually happen.
>
> The advantage of DACS is that the webapp behind it doesn't get to know
> the password one has entered,

That's of course not really an advantage of DACS but of any 'webSSO'-type
federated authentication system. :-) DACS surely sounds like a fit
candidate although I haven't actually installed it myself.

From my view it seems like SAML 2.0 (a protocol, not a specific type of
software; called 'Shibboleth' by some) is going in the direction of being
the 'new standard' though, so that may be something to consider. Advantage
of a widely-used system is that plugins or methods may already exist for
your existing software, e.g. RT.

>> To many of us non-Americans the concept of a "middle" name may be
>> unknown:

> I agree 'middle name' is very culture specific, and even the distinction
> between first and last name tends to be: we spent some time making sure
> we deal correctly with Wookey, Intrigeri and Bertagaz, for example.
>
> However, that information is collected because we use it to feed
> Debian's LDAP database when the account is created, and the standards of
> LDAP schemas used in Debian and in pretty much any LDAP deployment
> mandate that distinction.

I'm not so sure about that. In the deployments I've seen there's usually
the givenName, sn (common name) pair, something with initials; and the cn
(common name, the full name or usual name someone goes by).

As we're Debian I've checked the core schema as shipped with Debian
openldap and this defines those attributes and as far as I can see doesn't
create a concept of "middle name".

I would find it reasonable for the Debian LDAP to only carry the cn as
this accommodates the possible uses Debian has for this data, it
accommodates people with one-word names and in my eyes yields just what you
want: a string representation of the common name someone goes by. If more
distinction of the last name is required for some reason, givenName + sn
will allow that. In any case I don't yet see why there's a need to add a
middleName as a field.


Cheers,
Thijs
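As an added example (not from this thread, and not Debian's own tooling), the check described above done programmatically: parse the attributetype and objectclass definitions in OpenLDAP schema syntax, confirm that no middleName attribute type is declared, and validate candidate person entries the way slapd does with schema checking on. The schema text embedded here is a constructed, abridged excerpt in the format of core.schema / inetorgperson.schema (real names and OIDs, most DESC/MAY/SYNTAX clauses dropped), not the file shipped in Debian; load_schema, validate and person_entry are names chosen for this example. It also surfaces a caveat on the cn-only proposal: inetOrgPerson inherits from person, whose definition says MUST ( sn $ cn ), so an entry carrying only cn is rejected unless sn is present too.

```python
import re

# Constructed, abridged excerpt in OpenLDAP schema syntax (assumption: it
# mirrors core.schema/inetorgperson.schema closely enough for this check).
# Feed load_schema() the text of /etc/ldap/schema/core.schema to run the
# same check against the real file.
SCHEMA_EXCERPT = """
# attribute types
attributetype ( 2.5.4.0 NAME 'objectClass'
        DESC 'RFC2256: object classes of the entity' )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' )
        DESC 'RFC2256: common name(s) for which the entity is known by'
        SUP name )
attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' )
        DESC 'RFC2256: last (family) name(s) for which the entity is known by'
        SUP name )
attributetype ( 2.5.4.42 NAME 'givenName'
        DESC 'RFC2256: first name(s) for which the entity is known by'
        SUP name )
attributetype ( 2.5.4.43 NAME 'initials'
        DESC 'RFC2256: initials of some or all of individuals names'
        SUP name )
# object classes
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
        MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person'
        DESC 'RFC2256: a person'
        SUP top STRUCTURAL
        MUST ( sn $ cn )
        MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson'
        SUP person STRUCTURAL
        MAY ( title $ telephoneNumber $ postalAddress ) )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson'
        DESC 'RFC2798: Internet Organizational Person'
        SUP organizationalPerson STRUCTURAL
        MAY ( displayName $ givenName $ initials $ mail $ uid ) )
"""

DEF_START = re.compile(r"^[ \t]*(attributetype|objectclass)[ \t]*\(", re.I | re.M)
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")
SUP_RE = re.compile(r"\bSUP\s+'?(\w+)'?")
MUST_RE = re.compile(r"\bMUST\s+(?:\(([^)]*)\)|'?(\w+)'?)")


def load_schema(text):
    """Parse attributetype/objectclass definitions in OpenLDAP schema syntax.

    Returns (attributes, classes): the set of lowercased attribute type
    names (every alias, so both 'sn' and 'surname') and a dict of lowercased
    object class name -> {'must': [attrs], 'sup': superclass or None}.
    LDAP names are case-insensitive, hence the lowercasing. '#' comment
    lines are dropped; each definition is cut out by its leading keyword so
    a clause in one definition cannot spill into the next.
    """
    text = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("#"))
    starts = [m.start() for m in DEF_START.finditer(text)]
    chunks = [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]
    attributes, classes = set(), {}
    for chunk in chunks:
        kind = DEF_START.match(chunk).group(1).lower()
        m = NAME_RE.search(chunk)
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        if kind == "attributetype":
            attributes.update(n.lower() for n in names)
            continue
        must, sup = MUST_RE.search(chunk), SUP_RE.search(chunk)
        must_attrs = ([a.strip() for a in must.group(1).split("$")] if must and must.group(1)
                      else [must.group(2)] if must else [])
        for n in names:
            classes[n.lower()] = {"must": must_attrs, "sup": sup.group(1) if sup else None}
    return attributes, classes


def required_attributes(oc, classes):
    """MUST attributes of oc and all its superclasses as (class, attr) pairs."""
    out, seen = [], set()
    while oc and oc.lower() in classes and oc.lower() not in seen:
        seen.add(oc.lower())
        out += [(oc, a) for a in classes[oc.lower()]["must"]]
        oc = classes[oc.lower()]["sup"]
    return out


def validate(entry, schema):
    """Problems slapd (schema checking on) raises when adding entry, a dict of
    attribute name -> list of values: undefined attribute types, then MUST
    attributes missing for the entry's object classes (superclasses included)."""
    attributes, classes = schema
    problems = [f"undefined attribute type: {a}" for a in entry if a.lower() not in attributes]
    present = {a.lower() for a in entry}
    for oc in entry.get("objectClass", []):
        problems += [f"{cls} requires {attr}" for cls, attr in required_attributes(oc, classes)
                     if attr.lower() not in present]
    return problems


def person_entry(common_name, surname=None):
    """The attributes argued for in the post: cn always; sn, plus givenName
    (the part of cn before the surname), only when a surname is known.
    A mononym such as 'Wookey' therefore yields cn alone."""
    entry = {"objectClass": ["inetOrgPerson"], "cn": [common_name]}
    if surname:
        entry["sn"] = [surname]
        given = common_name[:-len(surname)].strip() if common_name.endswith(surname) else ""
        if given:
            entry["givenName"] = [given]
    return entry


if __name__ == "__main__":
    schema = load_schema(SCHEMA_EXCERPT)
    print("middleName defined:", "middlename" in schema[0])
    for e in (person_entry("Wookey"), person_entry("Thijs Kinkhorst", "Kinkhorst"),
              {**person_entry("Thijs Kinkhorst", "Kinkhorst"), "middleName": ["X"]}):
        print(e["cn"][0], "->", validate(e, schema) or "ok")
```

Run against the real core.schema the same way; the attribute set it returns is what a proposed middleName field would have to be added to, and the person MUST clause is the reason a cn-only entry needs either an sn value or a different (non-person) structural class.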

