FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora Desktop

 
 
LinkBack Thread Tools
 
Old 05-22-2008, 08:52 PM
Dan Winship
 
Default A new user management tool

Matthias Clasen wrote:
> The main dialog

Looks too much like the OS X one, particularly in the way that "Login
Options" is in a place where it doesn't make sense.

> The Email, Language and Location fields are here because they are
> frequently useful...

I assume "Location" will tie in in some way with the improved
Location/Time Zone stuff?

> The password dialog

An alternate UI possibility would be to autogenerate a few passwords of
different strength levels and put them directly in the actions list:

Choose a password now
Choose a password at next login
Use this random password: zintelforb
Use this random password: fas42Br0x
Use this random password: y8Tx$mrA
Allow login without a password

I don't think "Disable this account" belongs in the password dialog,
even though that's how it's implemented underneath.

> We've discussed ways to generate useful hints to go along with generated
> passwords, including somewhat crazy ideas like computer*generated poetry
> (cf gnoetry).

Hm... how could that work though? Without knowing at least one "secret"
about the user besides their password, how can you autogenerate a hint
that will make sense to them (when they've forgotten their password),
but not make just as much sense to anyone else?

"Sites where people use randomly-generated passwords" and "sites that
allow password hints" are probably mostly orthogonal anyway.

-- Dan

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-22-2008, 09:09 PM
Matthias Clasen
 
Default A new user management tool

On Thu, 2008-05-22 at 16:52 -0400, Dan Winship wrote:
> Matthias Clasen wrote:
> > The main dialog
>
> Looks too much like the OS X one, particularly in the way that "Login
> Options" is in a place where it doesn't make sense.

Yeah. Thats only gimped in anyway, and won't work like that in a real
treeview.

> > The Email, Language and Location fields are here because they are
> > frequently useful...
>
> I assume "Location" will tie in in some way with the improved
> Location/Time Zone stuff?

You tell us :-) I don't know how much thought Jon has put into this
particular field...

> > The password dialog
>
> An alternate UI possibility would be to autogenerate a few passwords of
> different strength levels and put them directly in the actions list:
>
> Choose a password now
> Choose a password at next login
> Use this random password: zintelforb
> Use this random password: fas42Br0x
> Use this random password: y8Tx$mrA
> Allow login without a password
>
> I don't think "Disable this account" belongs in the password dialog,
> even though that's how it's implemented underneath.

Unless it is implemented via /usr/bin/nologin...but you have a point.

> > We've discussed ways to generate useful hints to go along with generated
> > passwords, including somewhat crazy ideas like computer*generated poetry
> > (cf gnoetry).
>
> Hm... how could that work though? Without knowing at least one "secret"
> about the user besides their password, how can you autogenerate a hint
> that will make sense to them (when they've forgotten their password),
> but not make just as much sense to anyone else?

It is a hint that helps you remember your password, not a
challenge/response pair to use instead of your password.
Anyway, I don't think generated hints are very high on the priority list
- it was just an idea that came up during discussion.

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 09:19 AM
Matej Cepl
 
Default A new user management tool

On 2008-05-22, 18:32 GMT, Steven Garrity wrote:
> Matthias Clasen wrote:
>> Comments are welcome. Please note the section on target audience and use
>> cases.
>
> Perhaps a note with the Short Name field on the "Create a new user"
> dialog explaining the basic limitations (no spaces, special chars, etc.)

Could we just call it "Login name"? This sounds really like a bad
macintoshism to me -- generating nonsensical name just for sake
of not sounding like a computerese -- even the Aunt Tillie these
days knows what login name is, and this duo "Name/Short Name" is
guaranteed to confuse everybody.

Matěj

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 10:23 AM
Nils Philippsen
 
Default A new user management tool

On Thu, 2008-05-22 at 13:59 -0400, Matthias Clasen wrote:
> We (Jon McCann and myself, with some input from others) have been
> working on a design for a new user management tool, with the goal of
> coming up with something better than the current trias of
> system-config-users, gnome-about-me and gdmsetup.
>
> The design is not finalized, you can see the current state of affairs
> here: http://people.redhat.com/mclasen/user-account3.pdf.bz2
> (I really wanted to put this on the wiki, but all I could only get proxy
> errors when trying to do so).
>
> Comments are welcome. Please note the section on target audience and use
> cases.

[...]

> The target usage scenarios are home and smb, not enterprise customers and big deployments,
> although we do need to make sure that the tools not totally break down when used in a big
> deployment scenario, since users should still be able to use it for changing their own account.
> But we do expect system administrators in enterprise settings to use a web interface to their
> directory server, not this tool.

That's a pretty daring assumption IMO. I don't think that there should
be one tool for both home/smb and enterprise (or home and
smb/enterprise, but I digress ;-), but I'm not sold to the idea that
enterprise admins will want to use web interfaces over native tools
anytime soon, assuming that native interfaces will always outperform web
interfaces for the same job (more performance with a given level of
convenience, or more convenience with given level of performance). And,
just as a datapoint, there are people using s-c-users against an LDAP
directory ;-). I'd like to think that a backend handling the
conventional passwd type of stuff should be able to cater for more than
one use case. This would make it fairly easy to implement several UIs on
top of it for the different use cases: graphical home/smb and
enterprise, text-mode and what have you -- and I'm pretty sure that
we'll (have to) end up with something like that anyway. Whether or not
that same backend would handle the non-Unix properties of users would
need some dicussion, I don't have a firm opinion on that one.

> Another use case is temporary access to a computer (guest account). The proposed workflow
> for this is to offer a "Guest" user on the login screen. Selecting this user will not ask for a
> password, the account will have limited privileges (Account type: Guest), and all data will be
> removed at the end of the session, unless the user chooses 'Convert to normal account' from the
> menu of the userÂ*switch applet. Todo: this is not reflected in the screenshots below.

I trust that the ability to convert a guest account to a normal one
would be protected by an appropriate amount of PolicyKit ;-)?

> The Name field is first, since we expect the full name to be entered first. The tool then
> generates a Unix username from the full name and prefills the Short Name field. There was
> some idea to define a set of rules for this (e.g. Matthias Clasen→mclasen or Jon
> McCann→jonm) and update the currently used rule based on the corrections that are made to
> the pregenerated username. We do need to validate the Name and Short Name fields to ensure
> that there are no conflicts with existing users. While it is technically possible to have two users
> with the same Name, we at last want to ask 'Did you really mean to do this ?'.

Ignoring technical possibility (which is just a side effect of that the
full name has no bearing w.r.t. the Unix side of things), we shouldn't
allow this, to avoid confusion about which "John Doe" a user should log
into in the login greeter.

> Likewise, the home directory, the uid and gid, the shell, and other uninteresting pieces of
> legacy information will be automatically determined by the tool and/or the service. People who
> have a strong interest in these will probably be better served by useradd anyway.

... or a suitable different frontend ;-).

> Clicking on the face image brings up a dialog for selecting the user image which offers a set of
> predefined images, as well as an option to use a webcam (if available), a simple drawing tool
> (such as MeMaker) or pick an image from the filesystem. Fine point: when showing the
> predefined faces, we should indicate which ones are already 'taken'. This dialog has not been
> mocked up yet.
> When creating a new user, it initially gets a randomly picked image from the predefined
> images (excluding those that are already used for a different user)

I don't think that's a good idea, as there are too many ways to
unintentionally insult people by picking the wrong one, even colors can
have bad connotations in some cultures ("Your @*§$"!§%" tool picked {a
monkey, something green, ...} for my account, now I'll {have your guts,
not do any business with you again, ...}!").

> The Account Type field associates (still to be implemented) PolicyKit 'roles' with the account.
> The Password field shows information about the kind of password that is currently set. The
> password change dialog is a bit more complicated than the other change dialogs, and is
> discussed in a separate section below.
> The Email, Language and Location fields are here because they are frequently useful (e.g. the
> language is needed on the login screen to relieve gdm from storing this information in .dmrc).
> Also, they are part of the standard LDAP user schema. Todo: these dialogs should perhaps
> provide some hints as to how these fields are used. E.g. entering an email address here does
> not create an email account or set up the mail client to use it.

At least for some SMBs (those who don't trust Google/Yahoo/... with
their mails), a user mgmt tool should at some point (by way of a plugin
or else) do exactly that, e.g. log into the company's cyrus-imapd and
create a mailbox for the user. Maybe that's better suited for the
enterprisey kind of user mgmt tool, however.

> The Parental Controls field is just an idea that needs to be fleshed out.
> Beyond direct user management, we also want the new tool to take up some login screen
> configuration (which is, after all, more or less related to users and passwords).

Shouldn't that be somehow done in the login greeter so you directly see
your changes (suitably authenticated of course)?

> The service will certainly have the expected Create, Delete, Modify functions dealing with
> individual users. It is wellÂ*known that it is a bad idea to have a enumerateÂ*allÂ*users function,
> since the cost may be prohibitive and user interfaces that rely on such a function will simply
> not work in large deployments (cf fastÂ*userÂ*switchÂ*applet vs NIS).

Which makes "Show list of users" in the login settings kind of dead in
the water, unless that list of users is somehow limited, e.g. to people
who were logged into the system in a certain timeframe (e.g. since 4
weeks before the last successful login), and/or people who have been
created on that system, ...


> By the same token,
> exposing every user as a dbus object will not work very well in such situations. One idea
> (inspired by LDAP again) is to have a Query function that allows querying for users by certain
> criteria.

... which would return the list of user names and create the matching
dbus objects? Sounds sensible to me.

Nils
--
Nils Philippsen / Red Hat / nphilipp@redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 10:41 AM
Nils Philippsen
 
Default A new user management tool

On Fri, 2008-05-23 at 11:19 +0200, Matej Cepl wrote:

> Could we just call it "Login name"? This sounds really like a bad
> macintoshism to me -- generating nonsensical name just for sake
> of not sounding like a computerese -- even the Aunt Tillie these
> days knows what login name is, and this duo "Name/Short Name" is
> guaranteed to confuse everybody.

I concur. The connotation "Login screen" <-> "Login name" should be
easier made than "Login screen" <-> "Short name". People are hardly
confused by seeing their real names in the login screen if there is a
list of users, but they need to make that connotation if they only see
"User Name: ______ Password: _____".

As a side note, I don't like the login screen a bit for going corporate
on me by using full names instead of given ones (or nicknames?). I
haven't seen a Mac or Windows user using a full name on his home
computer anyway ;-).

Nils
--
Nils Philippsen / Red Hat / nphilipp@redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 10:46 AM
Nils Philippsen
 
Default A new user management tool

On Thu, 2008-05-22 at 16:52 -0400, Dan Winship wrote:

> I assume "Location" will tie in in some way with the improved
> Location/Time Zone stuff?

I'm interested in that part as well -- if we map locations to timezones
(which I guess isn't trivial), there should be one component doing it,
regardless of if that frontend is s-c-date or a
desktop-specific/user-centric tool.

Nils
--
Nils Philippsen / Red Hat / nphilipp@redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 12:36 PM
Matthias Clasen
 
Default A new user management tool

On Fri, 2008-05-23 at 11:19 +0200, Matej Cepl wrote:
> On 2008-05-22, 18:32 GMT, Steven Garrity wrote:
> > Matthias Clasen wrote:
> >> Comments are welcome. Please note the section on target audience and use
> >> cases.
> >
> > Perhaps a note with the Short Name field on the "Create a new user"
> > dialog explaining the basic limitations (no spaces, special chars, etc.)
>
> Could we just call it "Login name"? This sounds really like a bad
> macintoshism to me -- generating nonsensical name just for sake
> of not sounding like a computerese -- even the Aunt Tillie these
> days knows what login name is, and this duo "Name/Short Name" is
> guaranteed to confuse everybody.
>
> Matěj

We're following the recommendations of gnome documentation team here:
http://mail.gnome.org/archives/gnome-doc-list/2008-April/msg00028.html


login (n., adj.)
The act of logging in to a computer, or something related to
logging in to a computer. Do not use "login" or "login name"
as a synonym for username. Do not use "logon".



--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 01:06 PM
Matthias Clasen
 
Default A new user management tool

On Fri, 2008-05-23 at 12:23 +0200, Nils Philippsen wrote:

>
> > The target usage scenarios are home and smb, not enterprise customers and big deployments,
> > although we do need to make sure that the tools not totally break down when used in a big
> > deployment scenario, since users should still be able to use it for changing their own account.
> > But we do expect system administrators in enterprise settings to use a web interface to their
> > directory server, not this tool.
>
> That's a pretty daring assumption IMO. I don't think that there should
> be one tool for both home/smb and enterprise (or home and
> smb/enterprise, but I digress ;-), but I'm not sold to the idea that
> enterprise admins will want to use web interfaces over native tools
> anytime soon, assuming that native interfaces will always outperform web
> interfaces for the same job (more performance with a given level of
> convenience, or more convenience with given level of performance). And,
> just as a datapoint, there are people using s-c-users against an LDAP
> directory ;-). I'd like to think that a backend handling the
> conventional passwd type of stuff should be able to cater for more than
> one use case. This would make it fairly easy to implement several UIs on
> top of it for the different use cases: graphical home/smb and
> enterprise, text-mode and what have you -- and I'm pretty sure that
> we'll (have to) end up with something like that anyway. Whether or not
> that same backend would handle the non-Unix properties of users would
> need some dicussion, I don't have a firm opinion on that one.

The backend needs to be flexible enough to support more
enterprise-oriented frontends, sure. Perhaps that hasn't been stated
clearly enough. Wrt to storage, I think we are pretty much within the
standard LDAP user schema.

> I trust that the ability to convert a guest account to a normal one
> would be protected by an appropriate amount of PolicyKit ;-)?

Of course.

> > Clicking on the face image brings up a dialog for selecting the user image which offers a set of
> > predefined images, as well as an option to use a webcam (if available), a simple drawing tool
> > (such as MeMaker) or pick an image from the filesystem. Fine point: when showing the
> > predefined faces, we should indicate which ones are already 'taken'. This dialog has not been
> > mocked up yet.
> > When creating a new user, it initially gets a randomly picked image from the predefined
> > images (excluding those that are already used for a different user)
>
> I don't think that's a good idea, as there are too many ways to
> unintentionally insult people by picking the wrong one, even colors can
> have bad connotations in some cultures ("Your @*§$"!§%" tool picked {a
> monkey, something green, ...} for my account, now I'll {have your guts,
> not do any business with you again, ...}!").

Or maybe we just make the business customers use the other frontend...

> At least for some SMBs (those who don't trust Google/Yahoo/... with
> their mails), a user mgmt tool should at some point (by way of a plugin
> or else) do exactly that, e.g. log into the company's cyrus-imapd and
> create a mailbox for the user. Maybe that's better suited for the
> enterprisey kind of user mgmt tool, however.

In fact, an earlier draft of the design had the idea of plugins for this
kind of setup tasks. Maybe we'll have to revisit it.
For the client-side email setup, I guess you could get 90% of the way
there sabayon - just give the user a sabayon profile that has all the
mail configuration set up except for the email address, that evolution
can then pick up from the user service...

> > Beyond direct user management, we also want the new tool to take up some login screen
> > configuration (which is, after all, more or less related to users and passwords).
>
> Shouldn't that be somehow done in the login greeter so you directly see
> your changes (suitably authenticated of course)?

The old gdm had something like that, and it was not very nice. Maybe it
was just not very well done, with the configuration options being
directly visible in a toolbar on the greeter, and all gtk themes in a
long menu...

> > The service will certainly have the expected Create, Delete, Modify functions dealing with
> > individual users. It is well*known that it is a bad idea to have a enumerate*all*users function,
> > since the cost may be prohibitive and user interfaces that rely on such a function will simply
> > not work in large deployments (cf fast*user*switch*applet vs NIS).
>
> Which makes "Show list of users" in the login settings kind of dead in
> the water, unless that list of users is somehow limited, e.g. to people
> who were logged into the system in a certain timeframe (e.g. since 4
> weeks before the last successful login), and/or people who have been
> created on that system, ...

...which is pretty much exactly what the user list in the greeter
already does.


--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 02:25 PM
Nils Philippsen
 
Default A new user management tool

On Fri, 2008-05-23 at 09:06 -0400, Matthias Clasen wrote:

> The backend needs to be flexible enough to support more
> enterprise-oriented frontends, sure. Perhaps that hasn't been stated
> clearly enough. Wrt to storage, I think we are pretty much within the
> standard LDAP user schema.

Do you access LDAP directly or do you use libuser -- for s-c-users,
libuser abstracted local user accounts from LDAP ones enough so that it
could handle local as well as directory accounts without (any= much?
haven't checked lately) distinction in the tool.

> > > Clicking on the face image brings up a dialog for selecting the user image which offers a set of
> > > predefined images, as well as an option to use a webcam (if available), a simple drawing tool
> > > (such as MeMaker) or pick an image from the filesystem. Fine point: when showing the
> > > predefined faces, we should indicate which ones are already 'taken'. This dialog has not been
> > > mocked up yet.
> > > When creating a new user, it initially gets a randomly picked image from the predefined
> > > images (excluding those that are already used for a different user)
> >
> > I don't think that's a good idea, as there are too many ways to
> > unintentionally insult people by picking the wrong one, even colors can
> > have bad connotations in some cultures ("Your @*§$"!§%" tool picked {a
> > monkey, something green, ...} for my account, now I'll {have your guts,
> > not do any business with you again, ...}!").
>
> Or maybe we just make the business customers use the other frontend...

I think that point's valid enough for home users. Even if we ignore
home/SMB use as a potential business market, we surely don't want to
hurt users' feelings. I don't like having to jump through hoops to
achieve that as much as anybody else, but I'd rather not pull a
"Pajero"[1] if it can be avoided -- I recently read an article in the
newspaper about clashes of cultures and it's amazing how things that are
innocuous in one culture are offensive in another.

[1]: http://en.wikipedia.org/wiki/Mitsubishi_Pajero

> > Which makes "Show list of users" in the login settings kind of dead in
> > the water, unless that list of users is somehow limited, e.g. to people
> > who were logged into the system in a certain timeframe (e.g. since 4
> > weeks before the last successful login), and/or people who have been
> > created on that system, ...
>
> ...which is pretty much exactly what the user list in the greeter
> already does.

That's nice. On account of not using LDAP/NIS/Kerberos on any of my
systems (which have a gdm login screen), I wasn't aware of that it makes
such a distinction. The last thing in that context I heard about was
fast-user-switch-applet excessively burning CPU cycles to enumerate all
NIS users (multiplied by a number of these applets running concurrently
on a VNC/NX terminal server ;-), so I wanted to cover that bit.

Nils
--
Nils Philippsen / Red Hat / nphilipp@redhat.com
"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 
Old 05-23-2008, 03:24 PM
Matej Cepl
 
Default A new user management tool

On Fri, 23 May 2008 08:36:20 -0400, Matthias Clasen scripst:
> We're following the recommendations of gnome documentation team here:
> http://mail.gnome.org/archives/gnome-doc-list/2008-April/msg00028.html
>
> login (n., adj.)
> The act of logging in to a computer, or something related to logging in
> to a computer. Do not use "login" or "login name" as a synonym for
> username. Do not use "logon".

OK, I used to be a lawyer, so I am used to distinguishing between
authorities which I need to strongly adhere and to somebody who just made
to much crack and nothing to do. I am afraid this falls squarely into the
latter camp. Cannot we somehow object to this nonsense? Can I do something
about it (so that we are not wasting your time)?

Matej

--
The content of this message is licensed under a Creative Commons
Attribution 3.0 License, Some Rights Reserved.
http://creativecommons.org/licenses/by/3.0/us/

--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list
 

Thread Tools




All times are GMT. The time now is 07:44 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org