After finishing the evaluations of the SSO solutions, formorer asked me to look into integrating one of the solutions into the existing Debian SSO infrastructure. sso.debian.org is a Django application that basically provides a way of creating and managing client certificates. It does not do authentication itself, but uses the REMOTE_USER authentication source of Django. I tested integration with lemonldap-ng, and after some troubles setting up the sso.debian.org clone on my infrastructure (thanks to Enrico for pointing me in the right direction) the authentication using Apache's authnz module worked. To integrate lemonldap-ng I only had to add a ProxyPass and a ProxyPassReverse directive in the Apache config. I tested the setup using GitLab and it worked.
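The security-relevant point of a REMOTE_USER setup is where that value is allowed to come from. Django's RemoteUserMiddleware trusts whatever ends up in `request.META["REMOTE_USER"]`, so the web server in front of it must be the only party that can set it. The following is an added example, not code from sso.debian.org or lemonldap-ng, written as a plain WSGI app so it runs without Django. It assumes a hypothetical `X-Remote-User` header and a hypothetical set of proxy addresses; both are placeholders.

```python
"""Where REMOTE_USER may come from when the application sits behind Apache.

Added example (not sso.debian.org code).  REMOTE_USER without an HTTP_
prefix is set by the web server's own auth module in the same process and
cannot be supplied by a client.  A user name carried in an HTTP header
arrives as an HTTP_* key, and any client can send such a header, so it is
only honoured from a trusted proxy that is known to overwrite it.
"""

# Assumption for this example: the Apache that authenticates (authnz /
# lemonldap-ng) and forwards to the application is the only host listed here.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def remote_user(environ, header="HTTP_X_REMOTE_USER"):
    """Return the authenticated user name from a WSGI environ, or None."""
    user = environ.get("REMOTE_USER")
    if user:
        return user  # set by the server's own auth module, not by a client
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get(header) or None  # forwarded by our proxy
    return None  # header from an untrusted source is ignored


def app(environ, start_response):
    """Minimal WSGI app standing in for the Django site behind the proxy."""
    user = remote_user(environ)
    if user is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"authentication required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}\n".encode()]


def status_of(environ):
    """Run the app on one environ and return (status line, body bytes)."""
    seen = []
    body = app(environ, lambda status, headers: seen.append(status))
    return seen[0], b"".join(body)


# Constructed requests for the three cases (not captured traffic):
FROM_APACHE_MODULE = {"REMOTE_ADDR": "203.0.113.5", "REMOTE_USER": "jdoe"}
FROM_TRUSTED_PROXY = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_REMOTE_USER": "jdoe"}
SPOOF_ATTEMPT = {"REMOTE_ADDR": "203.0.113.5", "HTTP_X_REMOTE_USER": "root"}

if __name__ == "__main__":
    for name, env in [("module", FROM_APACHE_MODULE),
                      ("proxy", FROM_TRUSTED_PROXY),
                      ("spoof", SPOOF_ATTEMPT)]:
        print(name, status_of(env))
```

With Django proper, the equivalent of `remote_user` is `django.contrib.auth.middleware.RemoteUserMiddleware`; if the user name has to be carried in a header across a ProxyPass hop, subclass it and set its `header` attribute, and make sure Apache unsets that header on incoming requests before adding its own.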
I've also added some additional features to nacho. First, I've added a management command that removes stale temporary accounts that have never been activated. The idea is to run that command at regular intervals via cron (or systemd timers). To implement that feature, I basically followed the howto for writing custom django-admin commands from the Django manual. Based on that knowledge I then implemented two other commands that provide backup and restore functionality. The backup command prints the contents of the LDAP database on stdout in LDIF format. The restore command expects LDIF on stdin and writes those values to the LDAP database. I also did some cleanup in the codebase and documented the test cases.
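The backup/restore pair stands or falls with getting LDIF right: attribute values that are not "safe strings" under RFC 2849 (non-ASCII, a leading space, `:` or `<`, a trailing space, NUL/CR/LF) must be base64-encoded with `::`, long lines are folded with a leading space on continuation lines, and records are separated by blank lines. Below is an added example, not nacho's code, of a minimal writer and reader that round-trip such entries; the directory entries are constructed for the example, and the real commands would read from and write to LDAP with python-ldap instead of a Python list. Note that a backup like this contains password hashes, so whatever cron or systemd timer produces it should write with restrictive permissions.

```python
"""Minimal LDIF (RFC 2849) writer and reader for backup / restore.

Added example, not from nacho.  entries are (dn: str, {attr: [bytes]}).
"""
import base64
import sys


def needs_base64(value: bytes) -> bool:
    """True if value is not an LDIF SAFE-STRING and must be written as '::'."""
    if not value:
        return False
    if value[0] in b" :<" or value[-1] == 0x20:
        return True
    return any(b > 0x7F or b in (0x00, 0x0A, 0x0D) for b in value)


def fold(line: str, width: int = 76):
    """Fold a long line; each continuation line starts with one space."""
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def attr_lines(name: str, value: bytes):
    if needs_base64(value):
        return fold(f"{name}:: {base64.b64encode(value).decode('ascii')}")
    return fold(f"{name}: {value.decode('ascii')}")


def entries_to_ldif(entries) -> str:
    """Backup direction: entries -> LDIF text."""
    lines = ["version: 1", ""]
    for dn, attrs in entries:
        lines += attr_lines("dn", dn.encode("utf-8"))
        for name, values in attrs.items():
            for value in values:
                lines += attr_lines(name, value)
        lines.append("")
    return "\n".join(lines)


def parse_ldif(text: str):
    """Restore direction: LDIF text -> entries (strict; raises on bad input)."""
    logical = []
    for raw in text.splitlines():            # unfold continuation lines
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, dn, attrs = [], None, {}
    for line in logical + [""]:              # trailing "" flushes last record
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if name == "version" and dn is None:
            continue
        if rest.startswith(":"):             # '::' -> base64 value
            value = base64.b64decode(rest[1:].strip(), validate=True)
        elif rest.startswith("<"):           # ':<' -> URL value, not supported
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = rest.lstrip(" ").encode("ascii")
        if name == "dn":
            dn = value.decode("utf-8")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


# Constructed sample directory (not real Debian data).
SAMPLE_ENTRIES = [
    ("uid=jdoe,ou=users,dc=example,dc=org", {
        "objectClass": [b"inetOrgPerson"],
        "uid": [b"jdoe"],
        "cn": [b"J\xc3\xbcrgen Doe"],                 # non-ASCII -> base64
        "userPassword": [b"{SSHA}c29tZXNhbHRlZGhhc2g="],
        "description": [b" leading space"],          # leading space -> base64
    }),
    ("cn=admins,ou=groups,dc=example,dc=org", {
        "objectClass": [b"groupOfNames"],
        "member": [b"uid=jdoe,ou=users,dc=example,dc=org"],
    }),
]

if __name__ == "__main__":
    if sys.argv[1:] == ["restore"]:          # ldif on stdin, like the command
        for dn, attrs in parse_ldif(sys.stdin.read()):
            print(dn, sorted(attrs))
    else:                                    # ldif on stdout, like the backup
        print(entries_to_ldif(SAMPLE_ENTRIES))
```

`python3 ldif_example.py | python3 ldif_example.py restore` exercises both directions through a pipe, which is exactly the shape of a backup piped into a restore.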
The third big project I looked into was to implement OAuth2 authentication for one of the existing websites that use sso.debian.org. I chose nm.debian.org for that, because it is based on Django. I spent a lot of time looking for existing modules for Django that implement OAuth2 authentication and tested some of them. There is for example django-allauth that provides authentication against a lot of authentication providers. I did manage to create an additional authentication provider for Keycloak, but it seemed a bit overengineered to use such a big application for only one provider. So I sat down and wrote a small Django app that does OAuth2 authentication. As soon as that worked with a clean Django installation, it took just some small adjustments to use it for the new maintainer interface. You can find the branch on salsa
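A small OAuth2 client app has two checks it must get right regardless of framework: the `state` value it sends to the provider has to be random, bound to the browser session and verified once on the callback (otherwise an attacker can log a victim into the attacker's account by luring them to a crafted callback URL), and with PKCE the `code_verifier` makes an intercepted authorization code useless to anyone else. The following is an added example, not the app written for nm.debian.org, of that core logic in plain Python without Django; the endpoint URLs and client id are placeholders, and the token request is returned as a form body rather than sent, so it runs offline.

```python
"""Authorization-code login with state and PKCE, framework-free.

Added example (not the nm.debian.org app).  In a Django app the _pending
mapping would live in request.session and the returned body would be POSTed
to the token endpoint (for example with requests.post).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def query_params(url: str) -> dict:
    """Single-valued query parameters of a URL (helper for callers/tests)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class OAuth2Login:
    def __init__(self, client_id, authorize_url, token_url, redirect_uri,
                 scope="openid"):
        self.client_id = client_id
        self.authorize_url = authorize_url
        self.token_url = token_url
        self.redirect_uri = redirect_uri
        self.scope = scope
        self._pending = {}   # state -> code_verifier, one entry per login attempt

    def start(self) -> str:
        """Return the provider URL to redirect the browser to."""
        state = secrets.token_urlsafe(32)
        verifier = secrets.token_urlsafe(64)       # 86 chars, within PKCE's 43..128
        self._pending[state] = verifier
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": self.scope,
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return f"{self.authorize_url}?{urlencode(params)}"

    def callback(self, url: str) -> dict:
        """Validate the redirect back from the provider; return the token request body.

        Raises ValueError on an error response, a missing code, or a state
        that was never issued or has already been used (replay).
        """
        q = query_params(url)
        if "error" in q:
            raise ValueError(f"provider returned error: {q['error']}")
        state = q.get("state", "")
        verifier = self._pending.pop(state, None) if state else None
        if verifier is None:
            raise ValueError("unknown, missing or reused state")
        code = q.get("code", "")
        if not code:
            raise ValueError("no authorization code in callback")
        return {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": self.redirect_uri,
            "client_id": self.client_id,
            "code_verifier": verifier,
        }


def rejects(client: OAuth2Login, url: str) -> bool:
    """True if the client refuses this callback URL (helper for tests)."""
    try:
        client.callback(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    client = OAuth2Login("nm-example", "https://idp.example/authorize",
                         "https://idp.example/token",
                         "https://nm.example/oauth2/callback")
    url = client.start()
    print("redirect to:", url)
    # Simulate the provider sending the browser back with a code.
    back = f"https://nm.example/oauth2/callback?code=abc123&state={query_params(url)['state']}"
    print("token request:", client.callback(back))
```

The provider-side `client_secret` is deliberately absent: with PKCE a confidential client still adds it to the token request, but nothing above depends on it, and a public client has none.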
debian gsoc18