From: Theo Chatzimichos
To: gentoo-soc@lists.gentoo.org
Subject: [gentoo-soc] Okupy - Final Report
Date: Thu, 25 Aug 2011 01:35:05 +0300
Message-ID: <62594610.CbCSlFG6T6@canibus>

Intro:

Okupy is a Django CMS, with a full LDAP frontend, an XML to HTML (and the opposite) converter and a WYSIWYG editor, Beacon, to edit the XML files. The ultimate goal is to fully replace the current Gentoo website, and Gorg, the web server that currently does the XML to HTML conversion. In the future I'd like to see more Gentoo websites being provided by Okupy.

Summary:

The application has a fully working and fully configurable LDAP backend. It can work with any LDAP configuration file, but it will accordingly need some setup in Okupy's settings files. It currently supports:

- Creation of a new user, which means that the Gentoo LDAP server can now be enabled for non-developers
- Log in of current users, using any of their verified emails
- Adding a new email, along with email verification
- Password reset
- Viewing someone's account data (based on the privileges, the according attributes will show up)
- Editing own account data (again, based on privileges, the according attributes will be available for editing)
- An addressbook

In order to support all users and not only developers, I had to do some internal infra discussions about which OU will be used for them. Plus, a few new values were needed for the GentooAccess attribute, such as user.group, docs.group and other privileged groups.

Most LDAP backends were using an administrator account for performing both queries and changes in the data, which could easily lead to a security issue. This problem was solved by using a secondary password for the user, which is encrypted and stored in the session variable. The secondary password is available for only one session, and gets destroyed by using itself.

Django uses a database to store users, but it also supports other backends for the authentication part. When the user logs in for the first time, the data gets transferred into the database, which is a significant time improvement.

Anonymous common LDAP queries are performed either by using a minimally privileged (anon) account, or they should be available to anyone (which could lead to a security issue). I used some wrappers to cover that easily. The administrator can use a lot of options in the settings files, to cover the ACL part, the initial user creation and many other aspects.

As I said in my previous post, Beacon didn't work out as expected. It became too complex, consisting of lots of JS and XSLT, for reading the XML files and printing them. It even stores accounts in its own DB to keep track of the documents that users edit. This was way out of our needs; we just need the WYSIWYG part only and to plug it into a separate web app. Obviously in its current state it is not a workable solution without significant additional effort. I tried to split some parts of its code, like the Python scripts for converting XML to HTML and the opposite, but the time was not sufficient.

The future:

I am really happy to have such an interesting pet project now. I created an ebuild in my personal overlay, and an alias (okupy at gentoo dot org) to easily contact me for future issues. I plan to make it more accessible to some people soon, but not before Robin ACKs it first, since the LDAP server he gave me for testing is full of real data. I don't feel very confident about working with that, and I'll possibly request an empty one.

Before implementing, it will need too much work. Most importantly, people familiar with web design are very welcome to help on this. If we are going to redesign the current gentoo.org website, it is a huge step that has to be done very carefully.

The LDAP part, although finished, will need too much testing, in order to assure we are not opening any security holes here. As for the Beacon part, it will need a better approach, and most of the work has to be done upstream, which is what I intend to do from now on. It should become a single JS WYSIWYG editor that we should be able to plug in directly, since it currently is a full web application, which is using its own DB to store users and documents.

If you are interested in testing it, please contact me directly for now. The installation is not very easy at the moment, due to the need of both a database and an LDAP server, but it can work with minimal configuration for development purposes. I also added some config files in a separate branch for that reason.

Many thanks to my mentor, Matthew Summers, my co-mentor Robin Johnson, and the Gentoo GSoC admin Donnie Berkholz for all their help and support. Also, special thanks to Ben Cooksley, KDE Sysadmin, for his precious suggestions.

--
Theo Chatzimichos | blog.tampakrap.gr
Gentoo KDE/Qt, Planet, Overlays
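The report's LDAP design point (avoid a shared administrator bind; keep the user's secondary password encrypted in the session for one session only and destroy it afterwards) can be shown with a small, self-contained Python sketch. This is an added illustration, not Okupy's code and not Django's session API: the session is a plain dict standing in for `request.session`, the LDAP server is a constructed in-memory dict of DN to password, the field name `ldap_secondary_password` is hypothetical, and the cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC, chosen because it needs only the standard library. The per-session key is returned to the caller to be carried in the user's cookie (the cookie transport is assumed and not shown), so that neither the server-side session store nor the client alone reveals the credential.

```python
"""Session-scoped, encrypted secondary LDAP credential (added example)."""
import hashlib
import hmac
import os
import secrets
import struct
from typing import Optional


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive independent sub-keys for encryption and authentication."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode to produce a keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_derive(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or tampering raises."""
    if len(blob) < 16 + 32:
        raise ValueError("sealed credential is truncated")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("sealed credential failed authentication")
    stream = _keystream(_derive(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class SessionCredentialStore:
    """Keeps the user's secondary LDAP password for a single session.

    Only the ciphertext lives in the server-side session; the key is handed
    back to be placed in the user's cookie (assumed, not shown). destroy()
    wipes the server-side copy at logout.
    """

    SESSION_KEY = "ldap_secondary_password"  # hypothetical field name

    def __init__(self, session: Optional[dict] = None):
        # Plain dict standing in for Django's request.session (assumption).
        self.session = session if session is not None else {}

    def store(self, secondary_password: str) -> bytes:
        key = secrets.token_bytes(32)
        self.session[self.SESSION_KEY] = seal(key, secondary_password.encode("utf-8"))
        return key

    def recover(self, key: bytes) -> str:
        blob = self.session.get(self.SESSION_KEY)
        if blob is None:
            raise LookupError("no secondary credential in this session")
        return unseal(key, blob).decode("utf-8")

    def destroy(self) -> None:
        self.session.pop(self.SESSION_KEY, None)


def bind_as_user(store: SessionCredentialStore, key: bytes, user_dn: str, directory: dict) -> bool:
    """Simulated per-user LDAP bind: the change is authorised with the user's
    own credential, recovered only for the duration of the call, rather than
    with a shared administrator account. `directory` is a constructed
    DN -> password map standing in for the LDAP server."""
    password = store.recover(key)
    stored = directory.get(user_dn, "")
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))
```

Usage: call `store(...)` once at login with the password the user typed, keep the returned key in the client's cookie, call `bind_as_user(...)` for each write that must run under the user's own identity, and call `destroy()` at logout so nothing reusable survives the session.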