Re: Mango passwords and instructions?
- From: Olav Vitters <olav bkor dhs org>
- To: Christian Rose <menthos gnome org>
- Cc: gnome-sysadmin gnome org, gnome-infrastructure gnome org
- Subject: Re: Mango passwords and instructions?
- Date: Sun, 1 Jun 2008 19:33:25 +0200
On Sun, Jun 01, 2008 at 06:21:57PM +0200, Christian Rose wrote:
> On 9/29/07, Olav Vitters <olav bkor dhs org> wrote:
> There seems to be a bunch of "what's my Mango password?" tickets
> stalled in RT3.
> I'd like to know what I should answer the requestors. Is there a simple answer?
> I tried
Depends if they want to retrieve their password or reset it. Resetting
is very annoying. This is because:
a) I don't want people being able to login to the main LDAP server (even
if there is a command restriction)
b) Even if those logins would be allowed, I wouldn't trust a suid reset
command
c) Socket cannot change the password anyway as it is not the main LDAP
server (could be done if everything uses openldap 2.4+.. RHEL5 has 2.3)
d) MAINTAINERS file crappiness
Long term, I want people to use GPG instead of passwords. Then the
password is only there for some services like e.g. Jabber. I don't know
much about LDAP (finally understand it somewhat since the last few
days!)
If people would need a password reset, they'd login to Mango using GPG,
then click the 'new password' button. This would give them a new
password. It is stalled due to lack of resources (would appreciate more
help with building new infrastructure).
Note: The reason I haven't implemented GPG yet is only due to not
getting to it (it is difficult). I'm not going to ask for consensus. It
will be implemented. I don't mind if people don't want it, it will be
their problem if they want to give a new developer an SVN account, etc.
Btw, to reset someone's password so the command below works again, follow the
instructions in
http://svn.gnome.org/viewvc/sysadmin-bin/trunk/handle-ldap-modules?view=markup
Basically, use two gnome-terminal tabs, then in each:
ssh -L 1389:localhost:389 label
ssh -R 1389:localhost:1389 socket
This allows socket to have a connection to the main LDAP server.
Then do something *as root* like:
/home/admin/bin/handle-ldap-modules reset-passwd $UID1 $UID2 $UID3
The SSH encapsulation ensures security (nobody will be able to read the
password by sniffing emails).
> ssh -l menthos svn.gnome.org mango
>
> but it seems I'm not allowed to log into svn.gnome.org. Probably this
It is a one time password, as explained in the email everyone received.
Often people do find the email if I provide subject and date (which I
always have to look up first).
> is also the case for most people trying. Is there currently a way to
> retrieve one's password (I'm talking about users here; fortunately I
> know my own password).
Using the command above. You're a sysadmin, so it won't work for you
as you'll get a shell instead.
See
http://svn.gnome.org/viewvc/sysadmin-bin/trunk/run-svn-or-special-cmd?view=markup
for the ugly details.
It should probably be added to the email that a maintainer/coordinator
gets. Feel free to add such info (it is not the only usability problem
with the accounts stuff).
Note: I *really* dislike the current setup with MAINTAINERS files. Much
rather use some more easily parsable format like DOAP. This is why I don't do
much with it, plus didn't develop Mango for ~5 months. It will always be
a mess and require a sysadmin to sync stuff manually, then commit
the 10 fixes in various MAINTAINERS files.
> Furthermore, I found no instructions for Mango passwords on
> live.gnome.org, not even on http://live.gnome.org/Mango. The only
> piece of instructions ever seems to be
> http://blogs.gnome.org/ovitters/2007/09/26/sneak-preview-of-mango/ and
> http://blogs.gnome.org/ovitters/2007/09/29/mango-gone-live/ and the
> above mail, only findable with Google and GMail skills, and containing
> instructions that currently do not work...
It does work, for one time only. The lack of instructions is on purpose.
I can explain this via private email if needed.
Note: I might provide some other ugly method using Mango. This would require
python-paramiko on the user's side. Unfortunately Mango is written in
PHP, which makes it difficult to combine (I don't want to start another
process).
--
Regards,
Olav