Tag Archives: OpenID

Drupal 101: More on Modules

This post originally appeared on the Idealware Blog in October of 2009.
Last week, I kicked off this series on setting up a basic web site with Drupal, the popular open source Content Management System. This week we’re going to take a closer look at Modules, the Drupal add-ons that can extend your web site’s functionality. One of the great things about Drupal is that it is a popular application with a large developer community working with and around it. So there are about a thousand modules that you can use to extend Drupal, covering everything from document management to payment processing. The good news: there’s probably one that supports the functionality that you want to add to your web site. Bad news: needle in a haystack?

A potentially easier way to add extra functionality to Drupal is to download a customized version, such as CiviCRM or Open Atrium. We’ll discuss those options later in the Drupal 101 series.

Core Modules

Drupal comes with a number of built-in modules that you can optionally enable. Some are obviously useful, others not so much. Here are some notes on the ones that you might not initially know that you need:

Primary content types like blog, forum and book offer different modules for user input. They can be combined, or you can pick one for a simple site. Since the differences between, say , a blog (individual journal that people can comment on) and a forum (topical posts that people can reply to) are less distinct than they are in other CMS’s, you might want to pick one or two primary content types and then supplement them with more distinctive ones, such as polls or profiles.Enabling contact allows your users to send private messages to each other on the site, as well as allowing you to set up site-wide contact forms.OpenID allows your users more flexibility and control as to how they log into your site. I can’t see a good reason not to enable this on a public site. Since more and more people have profiles on social networking sites and Google, tools like Facebook Connect or Google Friend Connect should be considered as well.

By default, Drupal asks new users for a name and email, but not much else. With the Profiles module, you can create custom fields and allow your users to share information much as they would on a social network.

Taxonomy is also recommended, and I’ll talk more about that next week.

Throttle should be used on any high-traffic site to improve performance.

Use Trigger if you want to set up alerting and automation on your site.

Add-on modules, must haves:

CCK (Content Construction Kit) More than some CMS’s, Drupal is a content-centric system. It doesn’t simply manage content, but the web interface is structured around the content it manages: content types, content metadata (taxonomies), content sources (RSS feeds). Out of the virtual box, Drupal has content types like blog entries, pages and stories. Each content type has a data entry form associated with it. So, if you create a number of stories, and you want to read them all, then you can browse to the page “story” and they’ll all be listed there. CCK helps you create additional content types and use a fairly robust form-builder to customize the screens.Views

The Views module lets you customize the appearance and functionality of many of Drupal’s standard screens, and to add your own. Unlike CCK, which is limited to the default layout of content types, Views lets you seriously customize the interface. One easy reason to install Views is in order to take advantage of the Calendar view, which gives you not only a full page, graphical calendar to add events to and display, but also sidebar calendar widgets and upcoming event lists.

Here’s a tip: setting up the calendar view is reasonably tedious. The best write-up explaining it (for Drupal 6) is here: http://drupal.org/node/326061. Drupal’s documentation is okay, but this is step-by-step. It does miss one step, though, which is to add the “Event Date – From date” and “Event Date – To date” to the Fields listing (with friendlier titles, like “From” and “To”). Otherwise, calendar items show on the day they were submitted instead of the day that they are occurring.


There’s a good case to be made that these two modules should be folded into Drupal’s base package, because, in addition to providing very powerful customization features to the core product, there are a whole slew of additional modules that require their presence. If you plan to install a number of modules and/or customize your site, these are pretty much pre-requisites, so just grab and install them.


WYSIWYG EditorsWhat-You-See-Is-What-You Get, or Rich Text Format (RTE) editors transform Drupal’s default data input boxes into flexible editors with Word-like toolbars. The WSYIWYG module lets you install the editor of your choice. I’ve done well with FCKEditor (recently rebranded CKEditor, thank you!). The WYSIWYG module lets you work with multiple RTE packages and strategically assign them to different fields and content types. Most RTE editors are very configurable, but note that, in addition to installing the modules, you need to install the editors themselves, so follow the instructions carefully.Organic Groups

If you’re building a community site, with hopes of having lots of interactive, social features, Organic Groups gives you the flexibility to not only create all sorts of groups and affiliations on your own, but let your users create their own groups as well, much like Facebook does. For an interactive site, this is essential.


Many modules are available for either integrating with Authorize.net or Paypal, or setting up your own e-commerce site. The aptly named e-Commerce module and Ubercart are among the better known and supported options.

Drupal fans: what modules do you recommend? Which do you install first? Leave your recommendations in the comments.

Next week, we’ll talk about menus, blocks and taxonomies: Drupal 101: Navigation.

OpenID Enabled

Just to put this all together, I’ve written a F.A.Q. and a How-To on OpenID and added them to the OpenID offerings here at Techcafeteria which are, in a nutshell:

  1. The OpenID-enabled Blog;
  2. The OpenID server, which I’m committed to maintaining. Techcafeteria won’t be going away anytime soon!;
  3. A new OpenID F.A.Q., which links to other OpenID resources;
  4. and a new OpenID illustrated How-to, which uses the Techcafeteria server as an example but overviews how they all work.

Why am I harping on about this? I really do think that OpenID offers a solution to a very pesky problem. I have an encrypted file with all of the logins and passwords that I keep on a regular basis for web sites and services that I use. There are over 200 of them. I might be an extreme case, but I’m far from alone. And, from my years as a technology manager, I know that most people solve this problem by using the same password at multiple sites. So if those sites include your online banking, that’s a serious risk.

But, beyond the convenience and security, I look at it this way. My goal for Techcafeteria is to grow it into a real diverse offering of web-based services, in fitting with the name. Some of these, like the blog, will be based on third-party platforms, others will be things that I develop (I’m experienced with PHP/MySQL and I’m learning Ruby on Rails – I’m even attending O’Reilly’s big conference on it in Portland this week). My goal is single sign-on, via OpenId, for everything that Techcafeteria ever offers.

It’s not a big deal doing this on my web site. It would have been a huge deal if I could have accomplished it at the large non-profit or decent sized law fIrm that I served as an IT Director for. At both of those jobs, we had a variety of systems, all tied into Novell and/or MS networks, but we still had nothing but password soup to offer our users, because the apps weren’t standardized enough to allow for true single sign-on.

At Joomla Day on Saturday, I sat in on a session where one of the core developers (Sam) demonstrated a way to share authentication between Joomla and MediaWiki. Very cool, but somewhat easy because MediaWiki stores the password unencrypted. Assuming that most sites use standardized encryption protocols (MD5 being the big dog, that’s not an insurmountable challenge. But I couldn’t help thinking how much easier this will be via OpenID. It’s not just about this stuff being possible – it’s also about allowing Sysadmins who are not also programmers to implement it.

So, end of OpenID rants, for now. I’ll be doing some live blogging from the Rails conference, and I’ll try and include some context as to why I think Ruby on Rails is an important programming environment.

Update on OpenID server

A quick addendum to my last entry:

First, my apologies if you’re trying to play. For some reason, the DNS change that will allow you to access openid.techcafeteria.com is taking a looonng time to propagate. I’ve asked my ISP about this. And it makes no sense to give you the ip or an alternate name – you need the actual name to get this working.

Don’t trust me to maintain techcafeteria.com 24/7 for as long as you may live? Good thinking! I’m hosting this on my home box, because I can’t hack PHP sufficiently in order to get it going on my ISPs system. So this is what’s cool about OpenID. It’s relatively easy to become an OpenID provider, if you have your own server. I think it took me two hours or so to get it all set up. So there will be plenty of providers out there. And OpenID gives you an option for setting up a permanent address on any server where you can create a simple page (regardless of whether it’s your system or if it has anything related to OpenID installed) and then referring it to your OpenID provider. So, if I take my system down (I do that about twice a year), you can register somewhere else and simply point your URL to their system. It’s very flexible, and you’ll have the instructions in front of you after you create your ID on my server.

In addition to OpenID.net here are two important resources:

OpenID Enabled is a wiki devoted to OpenID. Very thorough!

The OpenID Directory is an early stab at collecting all of the sites that allow you to log in via OpenID. It’s also an OpenID provider, if you’re looking for that backup.

Wanna play with OpenID?

Yesterday, Sun announced a rollout of OpenID for all of the company’s employees, and joined Microsoft, Yahoo!, AOL and others in embracing the emerging Single Sign-on standard.

In order to deepen my understanding of OpenID and what it’s ramifications might be for me and the non-profit community, I’m diving in and inviting you to join me. I’ve set up an OpenID server at http://openid.techcafeteria.com that you are welcome to use to establish your own ID. From there, you can also manage your identity, optionally revealing some demographic info to sites that you authenticate to (completely optional!) and managing the sites that you have authenticated to.

I’ve also set up my blog to allow for OpenID as a registration option, via a handy WordPress plugin.

Some notes if you want to join in:

  • If you sign up, you might want to then register on my blog and leave a comment on this entry. That way we’ll know who we’re playing with.
  • If you have trouble accessing http://openid.techcafeteria.com, wait a few hours – it should be fully reachable by Friday at the very latest. I just set up the DNS a few hours ago

If you don’t know where to use OpenID other than my blog, note that plugins are available for WordPress, livejournal, Drupal, MediaWiki, and other community-based applications, as well as a module for apache. Technet has articles on how to integrate it with ASP sites. So, it’s out there – look for the logo:

OpenId Logo

New Home, OpenID Redux

Okay, I finished the big job of migrating my blog from it’s old home to my new digs, and I think I have the bugs out, with thanks to the two blogs that linked to my OpenID article, and the two people who let me know that the email was broken (making it impossible for people to register). We’re off to a good start!

I offered some preliminary thoughts and asked a question about OpenID, proposing that, while this is a boon for users, it might have a negative impact on an organization’s ability to coax contact information out of web visitors, as providing personal info will no longer be a requirement for authenticating to a web site.

Johannes Ernst, a man who designs identity management software for a living, responded on his blog with a few counterpoints (which I’ll brutally summarize):

  1. People often present false information in contact forms anyway;
  2. “Because users can provide their OpenID that they also have provided to other sites, the site can actually learn more about the user — which other websites they frequent, for example.” Johanne qualifies this one with the rider that people won’t necessarily use their OpenID to share such data.
  3. With control of their identity, the visitor might feel more confident about sharing information.
  4. With single sign-on, and easier access to the authentication-required content, visitors might be more compelled to join and share.

Simon Willison, a co-creator of the Django Web framework, anticipated my question and replied on January 10th. Simon makes the clear point that OpenID will only replace the “enter your name and type a password twice” portion of an online registration. It won’t fully replace requests for further data and confirmation, such as the graphical Captchas that we’re all getting so used to. In fact, he proposes, the fact that a user has an open ID doesn’t mean that they aren’t a spammer — we shouldn’t accept it as full authentication, just a convenience for the password tracking part.

Simon has me fairly well sold that this isn’t as big a threat as I thought. But I still have a lot of questions about the idea, and I’m curious as to how it will play out once the standard is established (assuming it will be – I suspect so). if the authentication is as weak for the web service as Simon suggests, will an industry like SSL arise, adding verification to OpenID authentication? And I’m still intrigued as to what conventions will grow out of everyone having a personal web address, which, of course, will lead to some sort of web page.
Johannes made a comment that really intrigued me on his post, when he said:

” Personally, if I have a choice between knowing a URL pointing to your blog, and having the information you typed into a web form that I put up, I take the blog any time. (That might even be true if the form’s data was all correct!) That is not data that your typical CRM system knows how to manage, but as we all know in the blogosphere, extremely valuable to gain some view on the user’s social network and reputation and interests.”

Johannes has a pretty interesting idea for a marketing app there. While he suggests that the data is free-form, I’d counter that – most blogs follow very standard conventions, and many bloggers (hey, me included!) use the standard text that comes with our blogging platform to denote them. So just as HR staff no longer “read” resumes, how far can blog scanning be behind?

What does OpenID mean to Non-Profits?

Earlier this month, in the Q&A following my Managing Technology 2.0 presentation at the NTC, I was asked how OpenID would impact organizational data management issues. I was somewhat familiar with OpenID, in it that I knew that it was a proposed standard for single sign-on and identity management on the net, but I hadn’t paid a lot of attention and I think my answer, that it would make verifying user data easier for non-profits, might have been way off target. So, to clear it up, I did some research.

The “I’m feeling lucky” response from a Google search for “Open ID” is the very informative home of the project, OpenID.net. This site does a great job – it is largely an extremely geek-speak affair, but it starts off in very plain english. The proposed standard is that every person, just like every web site, can have a URL of their own that is their open ID. Along with the ID, they will have an identity provider that serves as the home for that ID, and provides the authentication service. With the standard in place, it would work like this:

  1. You connect to a service (“consumer“) that supports Open ID.
  2. You input your URL in the Open ID login field.
  3. The consumer redirects you to your identity provider (the target of your url),a nd they prompt you for your password.
  4. The identify provider then sends back a “yea” or “nay” based on whether you successfully authenticated (this works very much like a credit card authorization).

A few nice details about the specification:

  • You can be your own identity provider if you have the resources.
  • The specification calls for a strictly browser-based interaction, no javascript or additional software required.
  • Open ID login fields will have a graphical identifier: OpenID Logo

The two clear advantages of OpenID, from a net user perspective, are:

  1. Single sign-on. No more long lists of passwords for myriad web sites or, worse, as we know many of our loved ones do, single passwords being used at dozens of sites.
  2. Privacy – no need to provide passwords or email addresses to services in order to authenticate.

Microsoft’s Passport service was the biggest stab at identity management on the net to date, but it suffered from the initial premise that you should trust a convicted monopolist to manage your identity, and then from some serious security flaws.

So what does this mean for non-profits? Well, unless I’m missing something, it’s possibly a threat, and it will probably put orgs in a bit of a catch 22. Like most companies, you want to capture contact data from your web visitors. It’s key to your CRM strategies. Supporting Open ID removes the most compelling reason for them to give you that info – access to your interactive web services that require authentication. You’re going to have to beef up the begs and rewards for sharing more data if you support it. But, if you don’t support it, and it becomes a widely-spread standard, you’re going to look unethical.

I do think that additional trends and standards will grow around the personal URLs. I can’t see why they wouldn’t grow into Plaxo-like contact pages, to a small degree. But I doubt people are going to standardly publish addresses, phone numbers, etc, for the same reasons why you would hesitate do that on MySpace or Yahoo!. OpenID will not be a contact verification standard – it’s an authentication standard. Like a lot of things that threaten our marketing efforts, we’ll probably all really appreciate it, at least when we’re not in the office.