Identity and Access for

We’ll want to change how we do identity and access on (elmo).

Right now, elmo talks to ldap directly to do three things:

  • Verify passwords against ldap.
  • Get identity info for an email, i.e., first name and last name.
  • Check ldap groups and give permissions based on them.

That works OK, but has the caveat that it’s hard to understand, and it needs access to an ldap server, which is frowned upon.

Would IAM be the right alternative? What would it take?

elmo is a django 1.11.x site, to give some background on the platform environment.




That’s good news! Moving off direct LDAP definitely makes us safer.

I’m not sure if our django python module for OIDC (an authentication standard) works with django 1.11.x or not, though you can try/find it there:

Otherwise, another easy alternative is to setup an authentication proxy in front of elmo. The proxy takes care of all this and can pass HTTP headers for elmo to read, such as the username that was authenticated and their groups. Here’s an example setup

In both cases you’ll need a set of identifiers (client_id and client_secret) that you can request here: - note that it sounds like you can indicate in this request what the audience should be (such as LDAP staff + contributors, but you can also choose to allow people without LDAP accounts in as well)

There are other possible alternatives, though these are the most popular/easiest to get going.
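As an added illustration of the authentication-proxy option above (example code written for this thread, not code from elmo, the proxy, or mozilla-django-oidc): a framework-neutral function that reads the username and group headers a proxy sets on a WSGI request and maps groups to application permissions, the way elmo's direct LDAP group checks do today. The header names, the shared-secret header the proxy is assumed to add, and the group-to-permission table are all assumptions; the important point is that the identity headers are only honoured when the request demonstrably came through the proxy, because a client reaching the app directly could set them itself.

```python
import hmac

# Assumed header names set by the proxy (WSGI exposes them with an HTTP_ prefix).
USER_HEADER = "HTTP_X_FORWARDED_USER"
GROUPS_HEADER = "HTTP_X_FORWARDED_GROUPS"
# Assumed: the proxy adds a secret the browser never sees, so the app can tell
# proxy-originated requests from direct ones. The proxy must also overwrite
# any client-supplied copies of these headers.
PROXY_TOKEN_HEADER = "HTTP_X_PROXY_TOKEN"

# Assumed mapping from proxy-supplied group names to app permissions,
# replacing the LDAP group checks described at the top of the thread.
GROUP_PERMISSIONS = {
    "elmo-admins": {"view", "edit", "admin"},
    "l10n-staff": {"view", "edit"},
}


def identity_from_environ(environ, proxy_token):
    """Return (username, permissions) or None when the request is untrusted.

    environ is a WSGI environ dict; proxy_token is the secret shared with
    the proxy. Unknown groups grant nothing; no username means no identity.
    """
    supplied = environ.get(PROXY_TOKEN_HEADER, "")
    # Constant-time comparison so the token check does not leak timing.
    if not hmac.compare_digest(supplied, proxy_token):
        return None
    username = environ.get(USER_HEADER, "").strip()
    if not username:
        return None
    raw_groups = environ.get(GROUPS_HEADER, "")
    groups = [g.strip() for g in raw_groups.split(",") if g.strip()]
    perms = set()
    for group in groups:
        perms |= GROUP_PERMISSIONS.get(group, set())
    return username, perms


if __name__ == "__main__":
    # Constructed sample request as the proxy would hand it to the app.
    sample = {
        PROXY_TOKEN_HEADER: "constructed-shared-secret",
        USER_HEADER: "alice@example.com",
        GROUPS_HEADER: "l10n-staff, some-unmapped-group",
    }
    print(identity_from_environ(sample, "constructed-shared-secret"))
```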

Hi @Pike,

This is great news! We will be happy to work with you on getting pontoon onto Mozilla IAM!

Tagging @johngian and @akatsoulas to answer the question of whether or not the OIDC library works on django 1.11:

Let’s catch up in a direct message to arrange a meeting and talk about a path to IAM soon.
Best regards,

Update: @Pike and I just had a conversation. Step 1 is about elmo, not pontoon. But it’s a start and would potentially open the path of getting pontoon onto Mozilla IAM. :slight_smile:

Hey all!

mozilla-django-oidc is compatible with all non-EOLed Django versions. Django == 1.11.x should work fine.