www-infrastructure-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: Centralised authentication/authorisation
Date Thu, 27 Nov 2008 10:47:38 GMT
On 27/11/2008, Tony Stevenson <pctony@apache.org> wrote:
> Upayavira wrote:
>  > On Thu, 2008-11-20 at 17:54 +0000, Tony Stevenson wrote:
>
>
> [SNIP ...]
>
>
>  >
>  > The biggest issue that I do not yet see resolved is that of username
>  > namespaces.
>  >
>  > Currently, we have a 'committer' namespace, names are allocated, by
>  > root, based upon requests from the new committer, when their Apache
>  > account is created.
>  >
>  > If we go to an LDAP setup that covers non-committers too, then we have
>  > to expand our namespace handling to cover names that non-committers might
>  > choose.
>
>
> Agreed, this is something I was looking at.  I was hoping to find a way
>  for non-committers' usernames to have -pub tagged on the end.
>  Potentially looking at a sign-up page, that would create accounts in
>  LDAP with this tagged on the end.  Maybe even a self-service page, that
>  used email verification.

Much the same as per my recent e-mail.

>  So any accounts that are created by root@ as part of the committer
>  process would be manually created, and obviously not have the -pub, thus
>  preventing namespace squatting.
>

Using e-mail verification should prevent any such squatting.

>
>  >
>  > And, we need to work out a way to handle the transition from
>  > non-committer to committer, in the (likely) case that that involves a
>  > change in username.
>
>
> If we use something similar to that above, and if they become a
>  committer and their requested name is not in use then they can have it,
>  much like they can now.  If it isn't free then they need to choose
>  again.  :-)
>
>  Simple, really...
>
>
>
>  >
>  > Otherwise, we could get folks snapping up all the best names in the
>  > @apache.org namespace in the hope that they may one day become a
>  > committer, rather than having a name selected for them at the point at
>  > which their account is created.
>
>
> Cheeky buggers. Who'd have thought people would be so cheeky :-)
>
>
>  >
>  > In comparison to this, setting up LDAP itself seems easy :-)
>
>
> Here's hoping.
>
>  Let me re-iterate, the next thing we all need to agree upon is the LDAP
>  schema, nothing will progress without this.  I will try to expand the
>  current schema I added to SVN, and let's see if it sparks a flurry of
>  conversation.
>

But surely the schema depends at least partly on how it is to be used?

Or is the idea to produce an initial schema, and see if that supports
the various use cases, and then update the schema as required?

>
>  Cheers,
>  Tony
>
>
>
>  --
>
>
>  -----------------------------------------
>  Tony Stevenson
>  tony@pc-tony.com  //  pctony@apache.org
>  http://www.pc-tony.com/
>
>  1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
>  -----------------------------------------
>
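
The allocation rules discussed in this thread (self-service accounts forced to a -pub suffix and created only after e-mail verification, committer names created by root without the suffix, and promotion only onto a base name that is still free), written up as an added Python example. This is not ASF infrastructure code; the `Directory` class, its methods and the base-name pattern in `BASE_RE` are assumptions made for the illustration.

```python
import re
PUB_SUFFIX = "-pub"
# Assumed base-name policy (not stated in the thread): lowercase, 2-16 chars.
BASE_RE = re.compile(r"^[a-z][a-z0-9]{1,15}$")

def _base(uid):
    # Strip a trailing -pub, if present.
    return uid[:-len(PUB_SUFFIX)] if uid.endswith(PUB_SUFFIX) else uid

class Directory:
    # Toy stand-in for the LDAP tree: uid -> True (committer) / False (-pub).
    def __init__(self):
        self.accounts = {}

    def _claim(self, uid, committer):
        # Shared allocation step: names are unique across both namespaces.
        if uid in self.accounts:
            raise ValueError("%s is taken, choose again" % uid)
        self.accounts[uid] = committer
        return uid

    def create_self_service(self, requested, email_verified):
        # Sign-up page path: e-mail verification required, -pub forced on.
        if not email_verified:
            raise ValueError("e-mail address not verified")
        base = _base(requested)
        if not BASE_RE.match(base):
            raise ValueError("invalid base name: %r" % base)
        return self._claim(base + PUB_SUFFIX, committer=False)

    def create_committer(self, uid):
        # root@ path: manually created, plain name, -pub never allowed.
        if uid.endswith(PUB_SUFFIX) or not BASE_RE.match(uid):
            raise ValueError("invalid committer name: %r" % uid)
        return self._claim(uid, committer=True)

    def promote(self, pub_uid, requested=None):
        # Non-committer -> committer: base name if free, otherwise choose again.
        if self.accounts.get(pub_uid) is not False:
            raise ValueError("%r is not a self-service account" % pub_uid)
        uid = self.create_committer(requested or _base(pub_uid))
        del self.accounts[pub_uid]
        return uid

def rejected(fn, *args, **kwargs):
    # True if the directory refuses the request (used by the checks below).
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Because the -pub account is only deleted after the plain name has been claimed, a failed promotion leaves the existing account untouched and the user can pick another name.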
