[Mageia-sysadm] [LONG] sympa ( and web apps ) ldap authentication

Olivier Thauvin nanardon at nanardon.zarb.org
Thu Nov 25 20:54:09 CET 2010


* Romain d'Alverny (rdalverny at gmail.com) wrote:
> On Thu, Nov 25, 2010 at 18:54, Michael Scherer <misc at zarb.org> wrote:
> > On Thursday 25 November 2010 at 10:50 +0100, Buchan Milne wrote:
> > My point is that we should be consistent. Ie, if we start using
> > sometimes a username, sometimes an email ( and well, I must say "one of
> > the numerous email people have", because I am pretty sure that I am not
> > the only one to have more than 1 email ), this will be annoying.
> 
> When we set up my.mandriva.com back in 2005, using the email address
> instead of login to authenticate has been a big improvement: way less
> contacts from people saying "I forgot my username" or trying to
> re-register with an already used email address and a different login
> (and then failing to do so).
> 
> In this case, it may be that the cognitive effort to remember an email
> address one already uses regularly is easier than the one to remember
> a username that one may use only to authenticate (actually, that was
> the hypothesis back at the time).

It is possible to include in catdap a way to receive a reminder about
user information from an email.

But the usage of email as login in my.mdv also makes my life harder since
I never remember which one of my 5 emails was used (the same issue applies
on other websites). The worst happened when I had to change my email
address because it had to disappear.

Users must be able to change their email address. Changing the login will
probably have side effects, so using email as login is probably a bad
idea.
 
> > We cannot use email everywhere, since some services do not support it
> > ( svn+ssh will not accept it, no @ in username IIRC, neither would the
> > current buildsystem ). And doing translation will be a source of
> > confusion.
> 
> Yes, that's a drawback, but an acceptable one I think:
>  * only for people that will use code repositories and buildsystem; that is,
>  * you are not forced to allow user identification against a single
> id; what you need is just something you know identifies the user for
> sure (if the email unicity and ownership are both proven, that's a
> pretty good hint). So you can both authenticate against email/pass and
> login/pass (and even have several email/login for that, if they are
> checked against first).

We can ensure unicity of login on our side because we have full control,
but nothing prevents a company from giving the same email to several people,
or from giving a previously used email address to a new employee.

If the account becomes important (sys admin, distrib manager), we then
cannot ensure who receives the information we send.

-- 

Olivier Thauvin
CNRS  -  LATMOS
♖ ♘ ♗ ♕ ♔ ♗ ♘ ♖