As a feature enhancement, we want to implement BrowserID login for the MoCo phonebook. If we can avoid "fixing" our internal infrastructure before shipping this, that would be great. Of course, bringing the infrastructure up to a safe standard so that we can deploy well-tested changes is totally reasonable.
- Austin King (ozten) lead dev
- WPE? TBD
1) Add a new auth mechanism to the slapd server
2) Add config for this plugin that slapd understands (how to look up authenticated users by email)
3) remove simple bind from /phonebook
4) add sasl_interactive_bind to /phonebook
No schema, data, or logic changes will be made to the phonebook codebase.
Only the auth-related bits of the PHP code will change.
Instead of slapd authenticating with a username/email and password, it will receive a BrowserID assertion and an audience from the PHP code. It will delegate to the plugin, which verifies the assertion with browserid.org. The audience the PHP code passes must be the phonebook's own origin, since that is what ties the assertion to this site rather than to any other relying party. If verification succeeds, slapd treats the user as authenticated. If anything fails, or the asserted email does not exist in LDAP, the user sees an auth error.
We will add the sasl-browserid plugin to our LDAP server.
We will tweak the PHP code, removing basic auth and adding BrowserID.
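To make the flow in the steps above concrete, here is an added example (written for this page, not code from the sasl-browserid plugin or the phonebook) that models what the slapd side has to check once it receives an assertion and audience from the PHP code. The verifier endpoint, the form-encoded request, the JSON reply shape (status, email, audience, expires in milliseconds) and the in-memory dict standing in for the "look up user by email" LDAP config are all assumptions labelled in the code; the fake verifier responses are constructed so the example runs offline and exercises the failure cases the text mentions (verifier failure, wrong audience, expired assertion, email not in LDAP).

```python
"""Added example: the checks a BrowserID SASL mechanism must perform before
slapd may treat a bind as authenticated. Not the sasl-browserid plugin's own
code; endpoint, wire format and directory lookup are assumptions."""

import json
import time
import urllib.parse
import urllib.request

VERIFIER_URL = "https://browserid.org/verify"      # assumed verifier endpoint
AUDIENCE = "https://phonebook.mozilla.org"          # assumed phonebook origin
NOW = 1_700_000_000                                  # fixed clock for the demo


def verify_remote(assertion, audience):
    """POST assertion+audience to the remote verifier (assumed to accept a
    form-encoded body and reply with JSON whose 'status' is 'okay' or
    'failure'). Not used by the offline demo below."""
    body = urllib.parse.urlencode({"assertion": assertion,
                                   "audience": audience}).encode()
    with urllib.request.urlopen(VERIFIER_URL, data=body, timeout=10) as resp:
        return json.load(resp)


def authenticate(assertion, audience, directory, verify=verify_remote, now=None):
    """Return the user's DN when the assertion is good for `audience` and the
    asserted email exists in `directory`; raise PermissionError otherwise.
    `directory` stands in for the plugin's email -> DN lookup config."""
    now = time.time() if now is None else now
    try:
        result = verify(assertion, audience)
    except Exception as exc:                 # network or parse failure
        raise PermissionError("verifier unreachable: %s" % exc)
    if result.get("status") != "okay":
        raise PermissionError("assertion rejected: %s"
                              % result.get("reason", "unknown"))
    # Re-compare the audience the verifier says it checked. An assertion
    # minted for another site must never log someone into the phonebook.
    if result.get("audience") != audience:
        raise PermissionError("audience mismatch")
    expires = result.get("expires", 0) / 1000.0      # assumed: ms since epoch
    if expires <= now:
        raise PermissionError("assertion expired")
    email = result.get("email", "").strip().lower()
    dn = directory.get(email)
    if dn is None:                            # valid identity, but not our user
        raise PermissionError("no LDAP entry for %s" % email)
    return dn


# Constructed stand-in for the LDAP lookup and for verifier replies.
CONSTRUCTED_DIRECTORY = {
    "alice@mozilla.com": "mail=alice@mozilla.com,o=com,dc=mozilla",
}
CONSTRUCTED_RESPONSES = {
    "good": {"status": "okay", "email": "Alice@mozilla.com",
             "audience": AUDIENCE, "expires": (NOW + 3600) * 1000},
    "other-site": {"status": "okay", "email": "alice@mozilla.com",
                   "audience": "https://attacker.example",
                   "expires": (NOW + 3600) * 1000},
    "stale": {"status": "okay", "email": "alice@mozilla.com",
              "audience": AUDIENCE, "expires": (NOW - 1) * 1000},
    "stranger": {"status": "okay", "email": "bob@example.org",
                 "audience": AUDIENCE, "expires": (NOW + 3600) * 1000},
    "forged": {"status": "failure", "reason": "bad signature"},
}


def fake_verify(assertion, audience):
    """Offline verifier: returns a constructed reply keyed by assertion."""
    return CONSTRUCTED_RESPONSES[assertion]


def attempt(assertion, audience=AUDIENCE):
    """Run one bind attempt and report 'ok:<dn>' or 'denied:<reason>'."""
    try:
        dn = authenticate(assertion, audience, CONSTRUCTED_DIRECTORY,
                          verify=fake_verify, now=NOW)
        return "ok:" + dn
    except PermissionError as exc:
        return "denied:" + str(exc)


if __name__ == "__main__":
    for name in CONSTRUCTED_RESPONSES:
        print("%-10s -> %s" % (name, attempt(name)))
```

The phonebook never sees the verifier reply: it only learns whether the bind succeeded, which is why each rejection above maps to the same generic auth error on the PHP side. The audience re-comparison and the directory lookup are the two checks that matter most for this deployment, since the first stops an assertion issued for another relying party from being replayed against phonebook, and the second keeps the mechanism from creating phantom users that LDAP does not know about.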
IT Constraints and Assumptions
Our entire corp LDAP infrastructure is going through an overhaul this quarter, and this work will tie in closely with that. As part of the overhaul, phonebook will move to the generic cluster in Phoenix and will get dev and stage environments, although that part will happen sometime in Q4, since it needs additional planning once the full LDAP overhaul is done.
LDAP is a central source of truth for many, many systems at Mozilla, and phonebook is just a small window into certain parts of that information. Any change to the backend is therefore very difficult to test, so this won't be a rapid change; every part has to be thought through fully. For example: will adding an attribute to phonebook break e-mail list generation in zimbra? Will changing an attribute in phonebook change the way a user connects to wi-fi in an office? Etc.
Our production slapd server carries a hacky local patch for ppolicy (the password policy overlay), which needs to be taken into consideration when testing this. Since a BrowserID bind does not go through the password path, confirm which ppolicy behaviours (lockout, account disable) still apply to users who log in this way.
This work should happen after the Mozillians BrowserID implementation.
Note on Other Systems that Depend on LDAP
All other systems (bugzilla, hg, svn) that use LDAP for authentication should be unaffected by this new optional auth mechanism, since it is only used by phonebook and the existing bind methods remain in place for everyone else.