From: Peter C. <Pet...@me...> - 2005-06-06 11:21:53
|
> From: Matthew Buckett
> > Do we have anywhere I can put a brain-dump of how it all
> > fits together [...]
> JavaDoc somewhere? package.html?

Probably. Some of this is cross-package (mainly the code in BuildingSessionImpl - along with Facility, another prime candidate for refactoring), but I can probably get the relationships right.

- Peter
|
From: Andrew B. <a.g...@le...> - 2005-06-06 11:51:19
|
Just to keep you up to date, we now have two bodingtons communicating IdP to SP and we have automatic account creation working at the SP end. It shouldn't take too long to get the groups sorted as well.

At the Bodington behind the SP, we have mapped /site and /shibsite to the same bodington servlet. The Shibboleth servlet filter is set to protect the /shibsite URLs but not the /site ones, so the same resources can be shib-protected or not depending on the URL used.

One thing that we need to point out is that usernames created in the SP-protected bodington are of the form use...@my... - we therefore need to increase the size of the username field in the database, which is currently 30 characters wide. We propose to increase it to 128 characters. (The same had to be done with mvnForum to cope with usernames of this kind.)

Do either of these changes (servlet mapping and field width) break anything anyone else is doing?

Aggie and Atif
|
From: Matthew B. <mat...@co...> - 2005-06-06 12:38:48
|
Andrew Booth wrote:
> Just to keep you up to date, we now have two bodingtons communicating IdP to
> SP and we have automatic account creation working at the SP end. It
> shouldn't take too long to get the groups sorted as well.

Cool. Sounds very nice.

> At the Bodington behind the SP, we have mapped /site and /shibsite to the
> same bodington servlet. The Shibboleth servlet filter is set to protect the
> /shibsite URLs but not the /site ones, so the same resources can be
> shib-protected or not depending on the URL used.

Would it be preferable to use one URL for all access to Bodington from a user support point of view?

> One thing that we need to point out is that usernames created in the
> SP-protected bodington are of the form use...@my... - we
> therefore need to increase the size of the username field in the database,
> which is currently 30 characters wide. We propose to increase it to 128
> characters. (The same had to be done with mvnForum to cope with usernames of
> this kind.)

What happens if the visitor doesn't give out username information?
So are you putting these users into the pass_phrase table?

> Do either of these changes (servlet mapping and field width) break anything
> anyone else is doing?

Doesn't sound like it will (famous last words).

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group               |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/       |
+------------Computing Services, University of Oxford------+
|
From: Andrew B. <a.g...@le...> - 2005-06-06 14:22:37
|
>> At the Bodington behind the SP, we have mapped /site and /shibsite to the
>> same bodington servlet. The Shibboleth servlet filter is set to protect the
>> /shibsite URLs but not the /site ones, so the same resources can be
>> shib-protected or not depending on the URL used.

> Would it be preferable to use one URL for all access to Bodington from a
> user support point of view?

Maybe, but we have to allow non-shib operation of Bodington so that the Shib filter doesn't kick in during normal operation. Using the /site URL as normal provides this.

>> One thing that we need to point out is that usernames created in the
>> SP-protected bodington are of the form use...@my... - we
>> therefore need to increase the size of the username field in the database,
>> which is currently 30 characters wide. We propose to increase it to 128
>> characters. (The same had to be done with mvnForum to cope with usernames of
>> this kind.)

> What happens if the visitor doesn't give out username information?
> So are you putting these users into the pass_phrase table?

If the visitor's IdP doesn't release the eduPersonPrincipalName attribute, the visitor doesn't get in. Yes - the users get put into the pass_phrase table with a null or dummy passphrase. If necessary, we could prevent them from logging in except via Shib.

Aggie
|
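Added example, not part of the thread and not Bodington code: one way to make sure accounts auto-created from eduPersonPrincipalName can never be used through the password login on /site, as the message above proposes. All class, field and method names are hypothetical, and the sample users are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Hypothetical sketch; none of these names are Bodington's own classes.
public class ShibProvisioningExample {

    static final int MAX_USERNAME = 128;            // column width proposed in the thread
    static final String SHIB_MAPPING = "/shibsite"; // mapping behind the Shibboleth filter

    // One row of a pass_phrase-like table (assumed shape).
    static final class Account {
        final String userName;
        final String credential; // null: no local credential exists at all
        final boolean shibOnly;  // true: created from an IdP assertion

        Account(String userName, String credential, boolean shibOnly) {
            this.userName = userName;
            this.credential = credential;
            this.shibOnly = shibOnly;
        }
    }

    private final Map<String, Account> table = new HashMap<>();

    void addLocalUser(String userName, String credential) {
        table.put(userName, new Account(userName, credential, false));
    }

    // Auto-create (or look up) the account for a visitor arriving through Shibboleth.
    Account provisionFromShib(String requestPath, String eppn) {
        // Only trust the attribute on the mapping the filter actually protects.
        boolean viaFilter = requestPath != null
                && (requestPath.equals(SHIB_MAPPING) || requestPath.startsWith(SHIB_MAPPING + "/"));
        if (!viaFilter) {
            throw new SecurityException("request did not pass the Shibboleth filter");
        }
        // No eduPersonPrincipalName released: the visitor does not get in.
        if (eppn == null || eppn.trim().isEmpty()) {
            throw new SecurityException("IdP released no eduPersonPrincipalName");
        }
        int at = eppn.indexOf('@');
        if (eppn.length() > MAX_USERNAME || at <= 0 || at == eppn.length() - 1) {
            throw new IllegalArgumentException("not a scoped name that fits the column");
        }
        Account existing = table.get(eppn);
        if (existing != null) {
            // Never bind an assertion to an account that was created locally.
            if (!existing.shibOnly) {
                throw new SecurityException("name collides with a local account");
            }
            return existing;
        }
        // Store no credential rather than a dummy value that someone could type.
        Account created = new Account(eppn, null, true);
        table.put(eppn, created);
        return created;
    }

    // Password login, as used on the unprotected /site mapping.
    boolean localLogin(String userName, String supplied) {
        Account a = table.get(userName);
        if (a == null || a.shibOnly || a.credential == null || supplied == null) {
            return false; // Shib-only and credential-less rows can never match
        }
        // Constant-time comparison; how the credential is stored is out of scope here.
        return MessageDigest.isEqual(
                a.credential.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        ShibProvisioningExample realm = new ShibProvisioningExample();
        realm.addLocalUser("jsmith", "local-secret");   // constructed sample data
        String eppn = "visitor@idp.example.org";        // constructed sample ePPN

        Account a = realm.provisionFromShib("/shibsite/some/resource", eppn);
        System.out.println("provisioned " + a.userName + ", shibOnly=" + a.shibOnly);
        System.out.println("empty password accepted: " + realm.localLogin(eppn, ""));
        System.out.println("local user still works: " + realm.localLogin("jsmith", "local-secret"));
        try {
            realm.provisionFromShib("/site/some/resource", eppn);
        } catch (SecurityException e) {
            System.out.println("rejected on /site: " + e.getMessage());
        }
        try {
            realm.provisionFromShib("/shibsite/some/resource", null);
        } catch (SecurityException e) {
            System.out.println("rejected without ePPN: " + e.getMessage());
        }
    }
}
```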
From: Matthew B. <mat...@co...> - 2005-06-06 14:35:09
|
Andrew Booth wrote:
>>> At the Bodington behind the SP, we have mapped /site and /shibsite to the
>>> same bodington servlet. The Shibboleth servlet filter is set to protect the
>>> /shibsite URLs but not the /site ones, so the same resources can be
>>> shib-protected or not depending on the URL used.
>
>> Would it be preferable to use one URL for all access to Bodington from a
>> user support point of view?
>
> Maybe, but we have to allow non-shib operation of Bodington so that the Shib
> filter doesn't kick in during normal operation. Using the /site URL as
> normal provides this.

Just one of the issues that came up when we were doing the WebAuth integration here at Oxford was that having two URLs depending on which authentication method was going to be used would cause problems for users. It means you can't give out a definite URL in your lectures because it depends on who your audience are.

>> What happens if the visitor doesn't give out username information?
>> So are you putting these users into the pass_phrase table?
>
> If the visitor's IdP doesn't release the eduPersonPrincipalName attribute,
> the visitor doesn't get in. Yes - the users get put into the pass_phrase
> table with a null or dummy passphrase. If necessary, we could prevent them
> from logging in except via Shib.

Would having a shibb_user table be a simpler/cleaner way to get this to work? Then users could have a shibb login and a bodington login associated with the same user. It would also mean that then existing installs wouldn't have to alter tables. Also it makes it easy to tell which users are shibb ones and which are internal bod ones.

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group               |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/       |
+------------Computing Services, University of Oxford------+
|
From: Andrew B. <a.g...@le...> - 2005-06-06 15:15:31
|
>> Just one of the issues that came up when we were doing the WebAuth
>> integration here at oxford was that having two URLs depending on which
>> authentication method was going to be used would cause problems for users.
> It means you can't give out a definite URL in your lectures because it
> depends on who your audience are.

The definite URL is the same as it always was. Only those students coming in via Shibboleth, to a restricted set of URLs will need the alternative URL. Presumably, they know who they are. In most cases, they won't need to know about the dual URLs, as they will simply click on a link in their 'home' Bodington, which then takes them via Shib to the resources revealed in the 'target' Bodington. If these students try the /shibsite URL, they will get in. If they try the /site URL, they will be challenged for a username and password at the target.

>> If the visitor's IdP doesn't release the eduPersonPrincipalName attribute,
>> the visitor doesn't get in. Yes - the users get put into the pass_phrase
>> table with a null or dummy passphrase. If necessary, we could prevent them
>> from logging in except via Shib.

> Would having a shibb_user table be a simpler/cleaner way to get this to
> work?

The problem there is that the pass_phrase table is a very important one. It is used for much more than just password authentication. If we move to a shib_user table, there's a lot of code that will get duplicated and/or changed. I'm inclined to put the shib users in with the other users and live with the schema change.

Aggie
|
From: Matthew B. <mat...@co...> - 2005-06-06 15:32:00
|
Andrew Booth wrote:
[..snipped..]
>>> If the visitor's IdP doesn't release the eduPersonPrincipalName attribute,
>>> the visitor doesn't get in. Yes - the users get put into the pass_phrase
>>> table with a null or dummy passphrase. If necessary, we could prevent them
>>> from logging in except via Shib.
>
>> Would having a shibb_user table be a simpler/cleaner way to get this to
>> work?
>
> The problem there is that the pass_phrase table is a very important one. It
> is used for much more than just password authentication. If we move to a
> shib_user table, there's a lot of code that will get duplicated and/or
> changed. I'm inclined to put the shib users in with the other users and live
> with the schema change.

Ok. Looking at the call hierarchy for PassPhrase.getUserName() it seems to be reasonably confined to the user management stuff:

> getUserName() - org.bodington.server.realm.PassPhrase
> resetusername(UserManagementSession, Request, PrintWriter) - org.bodington.servlet.facilities.UserDirectoryFacility (2 matches)
> userdata(Request, PrintWriter, String) - org.bodington.servlet.facilities.UserDirectoryFacility
> getUsername(Request) - org.bodington.servlet.facilities.Facility (2 matches)
> listusers(Request, PrintWriter, boolean) - org.bodington.servlet.facilities.Facility (4 matches)
> outputAclTable(PrintWriter, Request) - org.bodington.servlet.facilities.AclDisplayFacility
> createUsers(BufferedReader, PrintWriter) - org.bodington.server.realm.UserManagementSessionImpl
> resetUserName(PrimaryKey) - org.bodington.server.realm.UserManagementSessionImpl
> userdata(Request, PrintWriter, String) - org.bodington.servlet.facilities.PasswordFacility
> denyAccess(URL) - org.bodington.servlet.facilities.FeedFacility (2 matches)
> chooseUserName(Zone, User, Vector) - org.bodington.server.realm.UserManagementSessionImpl

Before I dig around in the code does anyone know how X509User works?
Does a certificate based user have an entry in the pass_phrase table as well?

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group               |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/       |
+------------Computing Services, University of Oxford------+
|
From: Adam M. <ada...@co...> - 2005-06-15 14:49:33
|
Will this go into 2.6? If so I'd suggest that it is added to head AFTER Aleixis's's's' WebAuth / SSO modific's as there will be the same issues with 'change password' links and text about 'logout' which he has now predicated.

adam

--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
Shameless plug: Use the Bodington VLE http://bodington.org
Blog: http://ramble.oucs.ox.ac.uk/blog/adamm/
Cheese of the month: Cheshire (not to be underestimated)
|
From: Alistair Y. <ali...@sm...> - 2005-06-15 14:54:32
|
IdP and SSO don't affect bodington so they can go into head any time.

Alistair
|
From: Adam M. <ada...@co...> - 2005-06-15 15:17:43
|
When using shibb one doesn't want a 'change password' link that takes the user to bodington's internal change password page. Quite where such a link should take the user is another matter. I guess that means there should be any 'change password' links in bod at all if using some form of SSO.

adam

--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
Shameless plug: Use the Bodington VLE http://bodington.org
Blog: http://ramble.oucs.ox.ac.uk/blog/adamm/
Cheese of the month: Cheshire (not to be underestimated)
|
From: Alistair Y. <ali...@sm...> - 2005-06-15 15:29:30
|
If you're using ldap or webauth you can't change the password in bod. The IdP and SSO have no effect on bod at all - the change password option is a problem for the bodington authenticator.

Is there a way to override the end point that the change password link points to? perhaps add Authenticator.changePasswordURL or something?

that way, when an authenticator other than the standard one is installed, it will change what "change password" points to. In most cases it should just point to the URL of the helpdesk!

Alistair
|
From: Sean M. <se...@sm...> - 2005-06-15 15:48:55
|
yesss.....

perhaps i'm thick (shut yer gob, alistair) but I don't understand the motivation in this one.

Is this a tool to change your password once you have authenticated to bod already? And therefore it changes in the external store? is that a good thing?

s
--
Sean Mehan
Head of Computing Research
SMO, UHI
|
From: Alistair Y. <ali...@sm...> - 2005-06-15 15:57:01
|
> Is this a tool to change your password once you have authenticated
> to bod

yes

> And therefore it changes in the external store

no it doesn't know anything about external stores. It will break with anything other than the standard bodington authenticator - well I know it will break with the ldap one as it doesn't store passwords in the database as they're clear text!

I think the best thing to do is get the authenticator to override where that link points to, if that's possible.

Alistair

On 15 Jun 2005, at 16:48, Sean Mehan wrote:

> yesss.....
>
> perhaps i'm thick (shut yer gob, alistair) but I don't understand the
> motivation in this one.
>
> Is this a tool to change your password once you have authenticated
> to bod already? And therefore it changes in the external store? is that a
> good thing?
>
> s
|
From: Adam M. <ada...@co...> - 2005-06-15 16:11:41
|
--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
Shameless plug: Use the Bodington VLE http://bodington.org
Blog: http://ramble.oucs.ox.ac.uk/blog/adamm/
Cheese of the month: Cheshire (not to be underestimated)

| -----Original Message-----
| From: bod...@li... [mailto:bodington-dev...@li...] On Behalf Of Alistair Young
| Sent: 15 June 2005 16:29
| To: bod...@li...
| Subject: Re: [Bodington-developers] Bodington with SP and IdP - SSO and v2.6
|
| If you're using ldap or webauth you can't change the password in bod.
| The IdP and SSO have no effect on bod at all - the change password
| option is a problem for the bodington authenticator.
|
| Is there a way to override the end point that the change password
| link points to? perhaps add Authenticator.changePasswordURL or
| something?
|
| that way, when an authenticator other than the standard one is
| installed, it will change what "change password" points to. In most
| cases it should just point to the URL of the helpdesk!

But with shibb it needs to go back to the change password page or helpdesk of the user's home institution!

Probably best just having a sentence saying if you want to change your password then contact your local sysadmin!

adam
|
From: Alistair Y. <ali...@sm...> - 2005-06-15 16:21:44
|
> But with shibb

Let's forget shibb exists for the moment. The IdP is a hoax! it has nothing to do with bodington! If you have a standard bodington, with a standard authenticator then you can change your password in bodington no matter what Guanxi does with your attributes - Guanxi doesn't authenticate you - bodington does.

You only need to worry about the "change password" functionality if you're not using the standard bodington authenticator, i.e. you're using the ldap or webauth one. You can do this without ever having heard of shibb.

IdP/SSO have nothing to do with bodington authentication!

while (needingACake() ) { jumpUpAndDown(); }

Alistair
|
From: Matthew B. <mat...@co...> - 2005-06-15 16:34:52
|
Alistair Young wrote:
>> But with shibb
>
> Let's forget shibb exists for the moment. The IdP is a hoax! it has
> nothing to do with bodington! If you have a standard bodington, with a
> standard authenticator then you can change your password in bodington
> no matter what Guanxi does with your attributes - Guanxi doesn't
> authenticate you - bodington does.
>
> You only need to worry about the "change password" functionality if
> you're not using the standard bodington authenticator, i.e. you're
> using the ldap or webauth one. You can do this without ever having
> heard of shibb.
>
> IdP/SSO have nothing to do with bodington authentication!

I think the problem is because some people are talking about Bodington being an SP and some people are talking about Bodington being an IdP.

IdP doesn't need anything to do with changing password.
SP does need to know about password changing.

-- 
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group               |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/       |
+------------Computing Services, University of Oxford------+
|
From: Andrew B. <a.g...@le...> - 2005-06-15 16:57:27
|
The Bodington SP shim only needs to know the username. There is no eduPerson attribute for conveying a password. This isn't a problem, because the shim can rely on the fact that by the time SP allows access, authentication has already happened - it only needs to know who the user is.

Aggie
|
From: Alistair Y. <ali...@sm...> - 2005-06-15 18:09:26
|
IdP/SP don't have anything at all to do with bod passwords. If you're using a bod authenticator that authenticates outwith bodington then you'll have the problem of changing passwords. Whether it's ldap/webauth/windows. To sort it, somehow tie the authenticator to the change password functionality, i.e. ldap would disable it entirely. Even if you login with a windows username/password (though I don't think you can - bod can't authenticate to windows) you still can't change that password in bod.

If bod becomes part of a larger SSO solution, such as ldap or webauth then its password changing functionality should be disabled.

Now we're on the subject I think it's time bod stopped storing passwords in plain text.

Alistair

-- 
Alistair Young
Senior Software Engineer
UHI@Sabhal Mòr Ostaig
Isle of Skye
Scotland
|
From: Matthew B. <mat...@co...> - 2005-06-22 11:42:17
Attachments:
encrypt_passwd.txt
|
Alistair Young wrote:
> Now we're on the subject I think it's time bod stopped storing passwords
> in plain text.

Attached is a slightly cleaned up version of my patch. The current solution isn't very beautiful, but I think it works. Part of the problem is that password changing is done in several ways and different parts of the codebase do it differently, cleaning that up is a much more complicated and tricky job.

My patch makes encrypted passwords enforced (for new passwords and changes to existing ones) although old unencrypted passwords continue to work for login purposes.

NB: It looked like John had started work on this but never completed it. PassPhrase.encrypt() was already in the codebase.

-- 
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group               |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/       |
+------------Computing Services, University of Oxford------+
|
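One way to do the migration described in the message above (new and changed passwords are never stored in the clear, while old plaintext rows still work at login), as an added example that is not the attached patch and not Bodington's own code. The class name, the storage format and the use of a salted PBKDF2 hash in place of whatever PassPhrase.encrypt() does are assumptions, and the example goes one step further than the post by rewriting a plaintext row on its first successful login.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical helper for illustration; not Bodington's PassPhrase class. */
public final class PasswordMigration {
    // Assumed storage format: pbkdf2-sha256$iterations$base64(salt)$base64(hash)
    private static final String PREFIX = "pbkdf2-sha256$";
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final SecureRandom RNG = new SecureRandom();

    /** Outcome of a login check. */
    public static final class Result {
        public final boolean ok;         // did the supplied password match?
        public final String replacement; // non-null: write this back over the stored value
        Result(boolean ok, String replacement) { this.ok = ok; this.replacement = replacement; }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipe the spec's internal copy of the password
        }
    }

    /** Every new password and every password change goes through here. */
    public static String hashForStorage(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + ITERATIONS + "$" + b64.encodeToString(salt) + "$"
                + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    /** Login check that accepts both hashed rows and legacy plaintext rows. */
    public static Result verify(char[] supplied, String stored) throws GeneralSecurityException {
        if (stored.startsWith(PREFIX)) {
            // Hashed row. It is never compared as plaintext, so a hash copied out of
            // the database cannot be submitted as a password. Malformed rows fail closed.
            try {
                String[] parts = stored.split("\\$");
                if (parts.length != 4) return new Result(false, null);
                int iterations = Integer.parseInt(parts[1]);
                byte[] salt = Base64.getDecoder().decode(parts[2]);
                byte[] expected = Base64.getDecoder().decode(parts[3]);
                boolean ok = MessageDigest.isEqual(expected, derive(supplied, salt, iterations));
                // Re-hash on success if the row was written with a lower work factor.
                boolean stale = ok && iterations < ITERATIONS;
                return new Result(ok, stale ? hashForStorage(supplied) : null);
            } catch (IllegalArgumentException malformed) {
                return new Result(false, null);
            }
        }
        // Legacy plaintext row: still accepted at login, then replaced by a hash.
        // A legacy password that itself begins with PREFIX takes the branch above
        // and fails, so such an account needs a reset.
        byte[] a = new String(supplied).getBytes(StandardCharsets.UTF_8);
        byte[] b = stored.getBytes(StandardCharsets.UTF_8);
        boolean ok = MessageDigest.isEqual(a, b);
        return new Result(ok, ok ? hashForStorage(supplied) : null);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String legacyRow = "tr0ub4dor&3"; // constructed sample of a pre-migration plaintext row
        Result first = verify("tr0ub4dor&3".toCharArray(), legacyRow);
        System.out.println("legacy login ok=" + first.ok
                + ", row upgraded=" + (first.replacement != null));

        String upgraded = first.replacement;
        System.out.println("hashed login ok="
                + verify("tr0ub4dor&3".toCharArray(), upgraded).ok);
        System.out.println("wrong password ok="
                + verify("guess".toCharArray(), upgraded).ok);
        System.out.println("stored hash replayed as password ok="
                + verify(upgraded.toCharArray(), upgraded).ok);
    }
}
```

The caller writes `replacement` back to the user's row whenever it is non-null, so plaintext rows disappear as users log in; rows belonging to accounts that never log in again still need a one-off batch conversion or a forced reset.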
From: Andrew B. <a.g...@le...> - 2005-06-22 12:05:28
|
PassPhrase.encrypt is there because the passwords were originally encrypted. Jon found a bug and used unencrypted passwords while he fixed it. It never got put back.

Aggie

-----Original Message-----
From: bod...@li... [mailto:bod...@li...] On Behalf Of Matthew Buckett
Sent: 22 June 2005 12:42
To: bod...@li...
Subject: Encrypted Bodington Passwords (was Re: [Bodington-developers] Bodington with SP and IdP - SSO and v2.6)

Alistair Young wrote:
> Now we're on the subject I think it's time bod stopped storing passwords
> in plain text.

Attached is a slightly cleaned up version of my patch. The current solution isn't very beautiful, but I think it works. Part of the problem is that password changing is done in several ways and different parts of the codebase do it differently, cleaning that up is a much more complicated and tricky job.

My patch makes encrypted passwords enforced (for new passwords and changes to existing ones) although old unencrypted passwords continue to work for login purposes.

NB: It looked like John had started work on this but never completed it. PassPhrase.encrypt() was already in the codebase.

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/ |
+------------Computing Services, University of Oxford------+
|
From: Matthew B. <mat...@co...> - 2005-06-22 12:14:52
|
Andrew Booth wrote:
> PassPhrase.encrypt is there because the passwords were originally
> encrypted. Jon found a bug and used unencrypted passwords while he fixed
> it. It never got put back.

Do you know what the bug was?

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/ |
+------------Computing Services, University of Oxford------+
|
From: Andrew B. <a.g...@le...> - 2005-06-22 13:08:49
|
It may not have been a bug. I remember he set up a system whereby he copied the algorithm used by our computing service for generating students' initial passwords from date of birth etc. He used plaintext passwords to check that it gave the same result as the computing service. I think this may have been the point at which it didn't get put back. But it's some time ago...

Aggie

-----Original Message-----
From: bod...@li... [mailto:bod...@li...] On Behalf Of Matthew Buckett
Sent: 22 June 2005 13:15
To: bod...@li...
Subject: [Bodington-developers] Re: Encrypted Bodington Passwords (was Re: [Bodington-developers] Bodington with SP and IdP - SSO and v2.6)

Andrew Booth wrote:
> PassPhrase.encrypt is there because the passwords were originally
> encrypted. Jon found a bug and used unencrypted passwords while he fixed
> it. It never got put back.

Do you know what the bug was?

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/ |
+------------Computing Services, University of Oxford------+
|
From: Matthew B. <mat...@co...> - 2005-06-24 12:46:12
|
Andrew Booth wrote:
> It may not have been a bug. I remember he set up a system whereby he
> copied the algorithm used by our computing service for generating
> students' initial passwords from date of birth etc. He used plaintext
> passwords to check that it gave the same result as the computing
> service. I think this may have been the point at which it didn't get put
> back. But it's some time ago...

Thanks Aggie.

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/ |
+------------Computing Services, University of Oxford------+
|
From: Antony C. <an...@sm...> - 2005-06-15 17:55:39
|
Dr Sean Mehan, despite suffering random attacks from local waiters, bar staff and swimming pool attendants, earlier today filed several interesting reports that give further insight into developments in the VLE world.

You can read this here http://www.weblogs.uhi.ac.uk/sm00sm/
|
From: M. B. <mat...@co...> - 2005-06-15 19:38:06
|
Alistair Young wrote:
> IdP/SP don't have anything at all to do with bod passwords. If you're
> using a bod authenticator that authenticates outwith bodington then you'll
> have the problem of changing passwords. Whether it's ldap/webauth/windows.
>
> To sort it, somehow tie the authenticator to the change password
> functionality, i.e. ldap would disable it entirely.

I think this is what we are talking about. Some Authenticators would want to disable the changing of passwords (WebAuth, Shibb SP, etc).

> Even if you login with a windows username/password (though I don't think
> you can - bod can't authenticate to windows) you still can't change that
> password in bod.

Yep, so the Windows password authenticator should return false from isPasswordChangable() and the template should display differently as a result.

> If bod becomes part of a larger SSO solution, such as ldap or webauth then
> its password changing functionality should be disabled.
>
> Now we're on the subject I think it's time bod stopped storing passwords
> in plain text.
>

Indeed. I had a quick look at this a little while ago and I think I have a patch hanging around somewhere which was a half hack at this. It wasn't as easy as I had hoped as the API was a bit muddled but I'll try and dig it out, clean it up and send it to the list.

--
+--Matthew Buckett-----------------------------------------+
| VLE Developer, Learning Technologies Group |
| Tel: +44 (0) 1865 283660 http://www.oucs.ox.ac.uk/ |
+------------Computing Services, University of Oxford------+
|