Identity/BrowserID/IntranetPhonebook: Difference between revisions

Adding feedback from Jabba
(→‎Project Management: Adding 687624)
Feature enhancement to the MoCo internal phonebook.
= IT Plans and Concerns =
Our entire corp LDAP infrastructure is going through an overhaul this quarter, and this work will tie in closely with that. As part of the overhaul, phonebook will move to the generic cluster in Phoenix. It will also get a dev and stage environment, although that particular part will happen sometime in Q4, since it involves some additional planning to be done after the full LDAP overhaul.
LDAP is a central source of truth for many systems at Mozilla, and phonebook is just a small window into certain parts of that information. Any change to the backend is therefore very difficult to test and roll out, so this won't be a rapid change. Every part has to be thought through fully. For example: will adding an attribute to the phonebook break e-mail list generation in Zimbra? Will changing an attribute in phonebook change the way a user connects to wi-fi in an office?
Our production slapd server has a wack patch for ppolicy, which needs to be taken into consideration when doing this testing.
This work should happen after the Mozillians BrowserID implementation.


= Scope =
We want to use BrowserID to log in to the MoCo phonebook.
1) Add a new auth mechanism to the slapd server
2) Add config for this plugin that slapd understands (how to look up authenticated users by email)
3) Remove simple bind from /phonebook
4) Add sasl_interactive_bind to /phonebook
No schema, data, or logic changes will be made to the phonebook codebase.
Only auth related bits of PHP code will change.
Instead of doing auth with username/email and password, slapd will get a BrowserID assertion and audience from the PHP code. It will then delegate to the plugin, which will verify the assertion with browserid.org. If everything goes well, slapd will see the user as authenticated. If there are any issues, or the user doesn't exist in LDAP, the user will see an auth error.
Note: All other systems (Bugzilla, hg, svn) which use LDAP for authentication should be unaffected by this new optional auth mechanism.
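The decision the plugin has to make once browserid.org has answered, sketched as an added example (not the phonebook or plugin code): every failure path ends in the same auth error, and the verified email is escaped before it goes into the directory lookup. It assumes the verifier's JSON reply carries `status`, `email`, `audience` and `expires` (milliseconds); the audience URL, the `mail` lookup attribute, the DN and all function names are hypothetical.

```python
import json

AUDIENCE = "https://phonebook.example.com"   # constructed; the site's own origin
# Constructed stand-in for the directory search: filter string -> entry DN.
DIRECTORY = {"(mail=jdoe@example.com)": "mail=jdoe@example.com,o=com,dc=example"}

def escape_filter(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def mail_filter(email):
    return "(mail=%s)" % escape_filter(email)

def authenticate(verifier_body, now_ms, audience=AUDIENCE, directory=DIRECTORY):
    """Return the DN to treat as authenticated, or None for an auth error."""
    try:
        resp = json.loads(verifier_body)
    except (TypeError, ValueError):
        return None                               # unreadable reply: fail closed
    if not isinstance(resp, dict) or resp.get("status") != "okay":
        return None                               # verifier rejected the assertion
    if resp.get("audience") != audience:
        return None                               # assertion was issued for another site
    expires = resp.get("expires")
    if type(expires) is not int or expires <= now_ms:
        return None                               # missing or expired
    email = resp.get("email")
    if not isinstance(email, str):
        return None
    return directory.get(mail_filter(email.lower()))   # None if no such user

def sample_reply(**overrides):
    """Build a constructed verifier reply for the demo below."""
    reply = {"status": "okay", "email": "jdoe@example.com",
             "audience": AUDIENCE, "expires": 2000, "issuer": "browserid.org"}
    reply.update(overrides)
    return json.dumps(reply)

if __name__ == "__main__":
    print(authenticate(sample_reply(), now_ms=1000))
    print(authenticate(sample_reply(audience="https://other.example.com"), now_ms=1000))
    print(authenticate(sample_reply(email="*"), now_ms=1000))
```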


= Changes =