www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: Centralised authentication/authorisation
Date Thu, 27 Nov 2008 10:22:31 GMT
Upayavira wrote:
> On Thu, 2008-11-20 at 17:54 +0000, Tony Stevenson wrote:

[SNIP ...]

> 
> The biggest issue that I do not yet see resolved is that of username
> namespaces. 
> 
> Currently, we have a 'committer' namespace, names are allocated, by
> root, based upon requests from the new committer, when their Apache
> account is created.
> 
> If we go to an LDAP setup that covers non-committers too, then we have
> to expand our namespace handling to cover names that non-committers might
> choose.

Agreed, this is something I was looking at.  I was hoping to find a way
for non-committers' usernames to have -pub tagged on the end.
Potentially looking at a sign up page, that would create accounts in
LDAP with this tagged on the end.  Maybe even a self service page, that
used email verification.

So any accounts that are created by root@ as part of the committer
process would be manually created, and obviously not have the -pub, thus
preventing namespace squatting.


> 
> And, we need to work out a way to handle the transition from
> non-committer to committer, in the (likely) case that that involves a
> change in username.

If we use something similar to that above, and if they become a
committer and their requested name is not in use then they can have it,
much like they can now.  If it isn't free then they need to choose
again.  :-)

Simple, really...


> 
> Otherwise, we could get folks snapping up all the best names in the
> @apache.org namespace in the hope that they may one day become a
> committer, rather than having a name selected for them at the point at
> which their account is created.

Cheeky buggers. Who'd have thought people would be so cheeky :-)

> 
> In comparison to this, setting up LDAP itself seems easy :-)

Here's hoping.

Let me re-iterate, the next thing we all need to agree upon is the LDAP
schema, nothing will progress without this.  I will try to expand the
current schema I added to SVN, and let's see if it sparks a flurry of
conversation.


Cheers,
Tony



-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
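
Added example, not part of the original message and not ASF tooling: a sketch of the naming rule discussed above, where self-service accounts always get the -pub suffix server-side and root-created committer names are bare. The `Directory` class, the name pattern (no hyphens, so a bare name can never end in -pub) and retiring the -pub uid on promotion are assumptions made for illustration.

```python
import re

PUB_SUFFIX = "-pub"
# Assumed policy: base names are lowercase alphanumerics with no hyphen,
# so no bare (committer) name can ever collide with a "-pub" name.
NAME_RE = re.compile(r"[a-z][a-z0-9]{1,15}")


class NamespaceError(ValueError):
    pass


class Directory:
    """In-memory stand-in for the LDAP uid namespace (hypothetical)."""

    def __init__(self):
        self.uids = set()

    def _base(self, requested):
        name = requested.strip().lower()
        if not NAME_RE.fullmatch(name):
            raise NamespaceError(f"invalid name: {requested!r}")
        return name

    def _claim(self, uid):
        if uid in self.uids:
            raise NamespaceError(f"{uid} is in use, choose again")
        self.uids.add(uid)
        return uid

    def signup_public(self, requested):
        # Self-service path: the suffix is appended here, never by the user.
        return self._claim(self._base(requested) + PUB_SUFFIX)

    def create_committer(self, requested):
        # root@ path: bare name; a name ending in "-pub" fails validation.
        return self._claim(self._base(requested))

    def promote(self, pub_uid, requested):
        # Non-committer to committer: a new bare uid if free, else choose again.
        if pub_uid not in self.uids or not pub_uid.endswith(PUB_SUFFIX):
            raise NamespaceError(f"{pub_uid} is not a public account")
        new_uid = self.create_committer(requested)
        self.uids.discard(pub_uid)  # assumption: the old uid is retired
        return new_uid
```
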
