Re: [Freeipa-devel] Moving our wiki back to password login

2017-05-11 Thread Martin Kosek
On 05/09/2017 04:29 PM, Martin Kosek wrote:
> Hello all,
> 
> As some of you noticed, FreeIPA wiki authentication via OpenID was
> broken in the last days. I suspect (but did not get a reply from Patrick,
> who is running the Fedora infra, yet) that it was caused by Fedora moving to
> a more modern authentication protocol, i.e. from OpenID to OpenID Connect
> (OIDC):
> https://fedoraproject.org/wiki/Infrastructure/Authentication
> 
> Unfortunately, I cannot make the OIDC login for our current FreeIPA
> instance available, given that our wiki runs on OpenShift v2 which uses
> PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26.
> OIDC mediawiki authentication plugin is supported from 1.27 forward.
> 
> So the wiki needs to be either:
> - migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance
> - migrated to OpenShift v3 (preferred)
> to unblock us from this situation and get to proper OIDC authentication.
> 
> However, this will need more time and preparation (which I do not even
> have right now). For now, I simply disabled OpenID authentication in our
> wiki and enabled password logins again! Anonymous account creation is
> disabled to avoid spammers. However, given that we now enforce people to
> be in a special group (editors) to fight the spammers, there is actually
> no big functionality lost in this, except having to use yet another
> password.
> 
> To summarize, if you want to access the wiki again, please use the
> password you may have had before we migrated to Fedora OpenID. If you do
> not have the password yet, you should be able to simply reset it before
> logging in and you should get an email (the mail part did not work for
> martbab this afternoon, though). In the worst case, I can reset the
> password for you, just shoot me an email.

After finally reaching Patrick, I found out that Fedora still supports
plain OpenID and it was likely just some interim error. I thus reverted
the patch for simple password login and re-enabled OpenID logins again.

Still, the current situation with the FreeIPA.org mediawiki version stays; we
will be unable to upgrade the wiki or most of its plugins until we move
to a newer OpenShift instance.

Martin

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] Moving our wiki back to password login

2017-05-09 Thread Martin Kosek
Hello all,

As some of you noticed, FreeIPA wiki authentication via OpenID was
broken in the last days. I suspect (but did not get a reply from Patrick,
who is running the Fedora infra, yet) that it was caused by Fedora moving to
a more modern authentication protocol, i.e. from OpenID to OpenID Connect
(OIDC):
https://fedoraproject.org/wiki/Infrastructure/Authentication

Unfortunately, I cannot make the OIDC login for our current FreeIPA
instance available, given that our wiki runs on OpenShift v2 which uses
PHP 5.3.3 cartridge, which can get us only as far as to Mediawiki 1.26.
OIDC mediawiki authentication plugin is supported from 1.27 forward.

So the wiki needs to be either:
- migrated to newer PHP cartridge on current Red Hat OpenShift v2 instance
- migrated to OpenShift v3 (preferred)
to unblock us from this situation and get to proper OIDC authentication.

However, this will need more time and preparation (which I do not even
have right now). For now, I simply disabled OpenID authentication in our
wiki and enabled password logins again! Anonymous account creation is
disabled to avoid spammers. However, given that we now enforce people to
be in a special group (editors) to fight the spammers, there is actually
no big functionality lost in this, except having to use yet another
password.

To summarize, if you want to access the wiki again, please use the
password you may have had before we migrated to Fedora OpenID. If you do
not have the password yet, you should be able to simply reset it before
logging in and you should get an email (the mail part did not work for
martbab this afternoon, though). In the worst case, I can reset the
password for you, just shoot me an email.

Thanks!

-- 
Martin Kosek 
Manager, Software Engineering - Identity Management Team
Red Hat, Inc.
