RFC: Detaching user name from email, LDAP and Single-Signon
Joel Peshkin
bugreport at peshkin.net
Fri Apr 9 13:05:44 UTC 2004
Gervase Markham wrote:
> Joel Peshkin wrote:
>
>> 1) Add a field to profiles containing a (varchar(128)) identifier.
>> This field should be added to the profile before any of the
>> authentication systems start to use it.
>
>
> So this field would be accessed by Auth modules and used as a
> correlator to relate Bugzilla accounts to accounts in Something Else?
> And it would be opaque to the rest of Bugzilla?
Correct.
> Is 128 enough?
>
It would often be an employee ID number (generally less than 16
chars), but I could imagine it being a GUID of some sort as well. Once
this is a varchar, there is no additional cost until we hit 255
characters, so 128 seems like a good round number. Beyond 255, it starts
making a problem with indexing.
>> 3) Single Signon
>> Most single signon systems have a way to pass variables to a CGI
>> containing the equivalent of fields from LDAP. The single signon
>> module would accept the variables from the webserver and handle them
>> in a similar manner to LDAP, using a durable identifier to locate the
>> profile and auto-updating the email address and realname if it
>> detects a change.
>
>
> We may want to provide convenience functions for Auth module owners to
> update profile information, so they all don't have to reimplement that
> code. Ideally, in fact, Auth module authors would not have to write
> Bugzilla database access code at all.
>
Agreed. The functions ( Bugzilla/Auth/Util ??) would need to ....
Given a subset of {identifier, email, realname}....
If identifier is defined and matches an existing profile record,
if email is defined,
update email in profile (throw an error if the email
matches a different record)
if realname is defined,
update realname in profile
return userid
If identifier is defined and does not match any existing profile record
if email is defined and matches an existing profile record,
update the profile's identifier
if realname is defined,
update realname in profile
if email is defined and does not match any existing profile
record,
insert a new profile (with a random or impossible cypted
password)
return userid
This would cover normal user login, cases where a user known to the auth
system first logs into bugzilla, and cases where a user is created in
bugzilla before the first time they ever log in themselves.
At least in my site, internal users and daemons could hit an alternate
URL and bypass the single-signon, so we would try the Auth/SSO first,
then fall back on standard DB auth. That means that the Auth modules
should also configure some variables like user->realname_from_auth,
user->email_from_auth, and user->external_auth. Editprefs would use
those to decide to supress the editing of realname and email and logout
and useful-links would use those to supress the logout link.
>> 4) Detaching user identifier from email
>> Once the system begins to maintain an identifier other than
>> Realname or Email, it becomes possible to build configuration options
>> to use that identifier in lieu of email addresses in presentation and
>> selection of users.
>
>
> Maybe I've misunderstood, but why would we ever want to display the
> string "o=Mozilla Foundation,cn=Asa Dotzler" instead of an email
> address or real name?
>
Beats me, but someone wrote bug 51188, and I believe that there have
been requests to use something else. I don't know of a scenario I like
either.
More information about the developers
mailing list