From Mageia wiki

The Identity web app is the personal user account panel: the place to register, update or delete your Mageia online user account.

Description

CatDap combines a system-administrator and an end-user web interface, designed for LDAP-based setups. It fetches the LDAP schema so that it can handle any directory layout, but is built to work with groups so that different groups get different levels of access.

Design Considerations

  • Enforce access on the LDAP side by ACLs
  • Operate as the logged-in user whenever possible
  • The LDAP user CatDap binds as should have only the least privileges required to register new users and log existing users in, so that a compromise of the web server does not lead to a compromise of user accounts.
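The following is an added example of what those three considerations look like as OpenLDAP access directives (slapd.conf syntax; the same clauses, minus the access keyword, go into olcAccess under cn=config). It is not the live Mageia ACL set: the base DN dc=example,dc=org, the service account uid=catdap,ou=System Accounts,… and the admin group cn=ldap admins,ou=Groups,… are assumed names, and the attribute choices follow the issues list on this page (posixAccount passwords off limits to the web application, POSIX attributes changed only by directory admins).

```conf
# Added example, not the live Mageia configuration. Assumed names:
#   base DN          dc=example,dc=org
#   service account  uid=catdap,ou=System Accounts,dc=example,dc=org
#   admin group      cn=ldap admins,ou=Groups,dc=example,dc=org
#
# Weak setting to avoid: the web application's bind DN can write everything,
# so whoever compromises the web server owns every account.
#
#   access to *
#       by dn.exact="uid=catdap,ou=System Accounts,dc=example,dc=org" write
#       by self write
#       by * read
#
# Least-privilege version. slapd uses the first "access to" clause whose
# target matches, so the narrow rules come first.

# Passwords of accounts with a shell (posixAccount): only the owner may change
# them, anyone may use them to bind (auth), the service account gets nothing.
access to filter=(objectClass=posixAccount) attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Passwords of plain accounts: the owner may change their own, and the service
# account may set them (registration, password reset).
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.exact="uid=catdap,ou=System Accounts,dc=example,dc=org" write
    by * none

# POSIX attributes are changed only by directory admins, never by the owner or
# the web application: enforced here, not in catdap_local.yml.
access to dn.subtree="ou=People,dc=example,dc=org" attrs=uidNumber,gidNumber,homeDirectory,loginShell
    by group.exact="cn=ldap admins,ou=Groups,dc=example,dc=org" write
    by users read
    by * none

# Registration: creating an entry is gated by "add" on the parent's children
# pseudo-attribute and on the new entry's entry pseudo-attribute. "add" is a
# subset of "write" that does not allow modifying or deleting existing entries.
access to dn.exact="ou=People,dc=example,dc=org" attrs=children
    by dn.exact="uid=catdap,ou=System Accounts,dc=example,dc=org" add
    by * none

access to dn.subtree="ou=People,dc=example,dc=org" attrs=entry
    by dn.exact="uid=catdap,ou=System Accounts,dc=example,dc=org" add
    by self write
    by users read
    by * none

# Login: the service account may read uid/mail to find the DN to bind as (and
# to refuse a duplicate uid/mail at registration). Everything else on a user's
# entry is edited by the user themselves, because CatDap binds as them.
access to dn.subtree="ou=People,dc=example,dc=org"
    by self write
    by dn.exact="uid=catdap,ou=System Accounts,dc=example,dc=org" read
    by users read
    by * none

access to *
    by * none
```

Because CatDap binds as the user for everything after login, the editable_attrs setting in catdap_local.yml only decides which fields the form shows; directives like these decide what the directory actually accepts, which is what makes a stolen service-account credential worth little.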

Status

In development.

Code

Web view here: https://gitweb.mageia.org/web/identity/

Anonymous checkout:

$ git clone git://git.mageia.org/web/identity

There are two branches for now:

  • topic/production - https://identity.mageia.org/ syncs from there
  • master - where most integration happens before being (ported to topic/production | branched into topic/production)?

Please submit patches to the sysadmin team.

Relies on [1].

Who is in charge?

  • app manager: Buchan
  • contributors: obgr_seneca (css/html), alien (code)

Issues

On Mageia bugzilla:
The issues below are either to be considered closed/invalid or to be migrated to our bugzilla.

  • Authentication:
    • FIXED(alien) Bug: after authentication, go to https://identity.mageia.org/ : although you are logged in, you're shown the login form (and the active menu above); it should redirect to https://identity.mageia.org/user
    • BLOCKING Bug: after authentication, you are directly shown https://identity.mageia.org/user : hence, reloading the page will re-POST the auth form; it should redirect the user to https://identity.mageia.org/user through a GET request, after a successful authentication (alien: this is part of a larger problem; all POSTs don't seem to accept the redirection. This issue should also be on almost any modification )
    • Bug? not sure. once authenticated, it "looks like" I can change gidNumber, homeDirectory, loginShell, uidNumber (although I can't change uid). Not sure if that's a specific privilege I have or if it should be available there? (misc: that's a specific privilege, try to remove yourself from the ldap admin account ). Not a bug. Access control is done on the LDAP side. There is no way for CatDap to evaluate LDAP ACLs, so which attributes users are shown to be able to modify on their own account are configured in catdap_local.yml Controller:User->editable_attrs
    • BLOCKING Bug: authenticated user without any role cannot modify his/her own settings (except password). Buchan: Provide more detail, does CatDap not show any editable attributes, or does LDAP modification fail (IOW, is it CatDap editable_attrs configuration, or LDAP ACLs).
  • Registration:
    • BLOCKING Bug: if the ldap add fails, an email is still sent saying that it was registered
    • BLOCKING Bug: last names with spaces in them seem not to be allowed
  • Other:
    • Bug? not sure if searching groups when being Account Admin should be POST?
    • Bug: after deleting user from ldap; you cannot register that username or email; because the proxy holds the info. catdap needs to be restarted for that to work. Buchan: What proxy? Was this tested via apache or cat ./scripts/catdap_server.pl ?
  • BLOCKING Need: Style/CSS/flow review
    • Bug: there are 2 empty lines before the document and that conflicts with the xml specification. Buchan: Specification is crap, how are you supposed to keep
    • OLD? Bug? is it necessary to have l MACRO in all .tt pages when it's in the templates/pre ?
    • FIXED(alien) Bug: registering with existing username gives 2 times the error message
    • FIXED(alien) Bug? register form is below the info links
  • BLOCKING Need: user-triggered password reset process
    • (alien) preliminary work - committed in trunk (r249)
    • Buchan: Please discuss design of this, and explain what steps are taken to ensure that compromise of a core contributor's email account will not leave the possibility of compromising the entire distribution.
    • FIXED(alien) Bug: if you're logged in, you shouldn't use this process
  • IPv6:
    • Bug? Catalyst has no IPv6 support at all; so it might be better to use some kind of cgi and let apache handle the IPv6 (together with caching)
    • Buchan: Totally irrelevant, Catalyst is not intended to be run as the server, either apache or fcgid should actually handle the connections. The built-in server is only intended for development.
    • FIXED Bug: ldap connections on IPv6 don't work in catdap; also due to the Catalyst LDAP Model...
    • FIXED(alien) Bug: key is 3 first bytes from IPv4 address
  • BLOCKING Should: send email somewhere when an account is created. Buchan: Who decided that it *must* be email? Also, does it *have* to be CatDap? IMHO, this belongs on the LDAP side (and I have some code that could be useful for this), since CatDap isn't necessarily the *only* way to make changes on LDAP.
  • BLOCKING Should: send email somewhere when a password is forgotten
  • Buchan: ^^ See comments above about design.
  • Should: handle checking a disabled attribute (and add it when registering) ???
  • Should: not let users use any kind of binary for shell ( security risk ) ??? Buchan: Irrelevant, on servers that should not allow shells, shell is overridden in nss_ldap. Why are we designing out the option of having build hosts contributors can log in to? This issue is the reason why I had not worked on this yet. At present, the live ACLs on LDAP do not allow the CatDap user to write to userPassword on posixAccount users to prevent this. IMHO, posixAccount user password resets should require admin intervention, and/or
  • Should: add user by default in mga-users when promoted.
  • Should: not present default group in the potential usable group
  • Should: present a list of languages ( if possible ). Buchan: Language is taken from browser settings for now; unless there are other applications using this language, it is a low priority issue.
  • Should: not present all possible groups in ldap ( ie, either blacklist groups that users should not be part of, or remove them ). Buchan: Prefer removal of unused groups.
  • FIXED(alien) Should: make it clear for packagers that the name added in "User Name" is the one that'll be used in SVN-related stuff (commits, submits... etc). Buchan: It is the "username", what else would one use it for??????????????
  • Should: provide a footer link/info to explain who built this app, where to return feedback, get doc, etc. (reported by xrogaan)
  • it looks like one cannot set attributes (Phone, Initials, etc.) (reported by xrogaan). Buchan: Where? Initial registration (which is not supposed to offer this), or after logging in?
  • Should: display correctly accentuated chars (reported by xrogaan). Buchan: Developer lives in a country where characters are almost never accentuated ... feel free to supply example patch.

How to install

FIXED(alien): (to be put into an INSTALL/README file)

  • make sure you have the Perl Catalyst framework set up on your system
  • FIXED Bug: perl-Catalyst-Plugin-Unicode-Encoding is not available on mdv 2010.1 (should be backported)
  • make sure you have a working sendmail command (postfix) on your system

App states and flow

To be done (rda)