
Re: DACS SSO config?



On Sun, May 17, 2015 at 09:17:02AM +0100, Neil Williams wrote:

> https://lists.debian.org/debian-services-admin/2013/11/msg00000.html
> Is there any news on how to do this?

A year ago I sent these notes to debian-admin, with the intention of
documenting the SSO setup and hoping that they would end up somewhere,
but it seems that I am the only person working on SSO at all.

Here are the notes. Some of those points involve admin involvement, so
that's why I was hoping for them to document them. Anyway, admin
involvement can be invoked by opening RT tickets:

  initial notes on how to add a new site to sso.debian.org:
  
   1. Let debsso know about it, then deploy it:
      http://anonscm.debian.org/gitweb/?p=debian-sso/debian-sso.git;a=commitdiff;h=0b5bceae31f335d6d400a8d6be36939dd984468e
  
   2. Configure apache, see nono:/srv/contributors.debian.org/etc/apache.conf
      as a simple starting point.
  
   3. Configure dacs, see nono:/srv/contributors.debian.org/etc/dacs/
      as a simple starting point.
  
   4. Run the modified ./test-sso from the debsso sources to check if
      things look ok.
  
  More details may show up during the following days as Raphael tries to
  set up tracker.debian.org

No more details showed up at the time: I was kind of hoping that buxy
would document his side of the experience.

> I'd like to investigate using Debian SSO for a wsgi/django app.

That'd be at least known territory, since nm.debian.org and
contributors.debian.org at least are django apps deployed via wsgi and
using DACS.

> Is it easier / possible to use Debian LDAP for authentication directly
> instead? (The app already has LDAP support, would just need a bind &
> bind password).

No, that would not be possible, as it would give to those DDs who manage
the webapp access to the cleartext passwords of everyone logging into
the site.

My long term plan is to switch from DACS to oauth2; we already have an
(unmaintained) oauth2 provider set up to support the DebConf site, and
we're planning an oauth2 sprint at DebCamp/DebConf[1].

Depending on your planned time frames, you can deploy soon with DACS,
or if you intend to deploy after DebConf, you can show up at the oauth2
sprint and see where it goes.


[1] https://lists.debian.org/debian-devel/2015/03/msg00175.html


Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
