www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: Centralised authentication/authorisation
Date Thu, 27 Nov 2008 11:23:21 GMT
sebb wrote:
> On 27/11/2008, Tony Stevenson <pctony@apache.org> wrote:
>> Upayavira wrote:
>>  > On Thu, 2008-11-20 at 17:54 +0000, Tony Stevenson wrote:
>>
>>
>> [SNIP ...]
>>
>>
>>  >
>>  > The biggest issue that I do not yet see resolved is that of username
>>  > namespaces.
>>  >
>>  > Currently, we have a 'committer' namespace, names are allocated, by
>>  > root, based upon requests from the new committer, when their Apache
>>  > account is created.
>>  >
>>  > If we go to an LDAP setup that covers non-committers too, then we have
>>  > to expand our namespace handing to cover names that non-committers might
>>  > choose.
>>
>>
>> Agreed, this is something I was looking at.  I was hoping to find a way
>>  for non-committers' usernames to have -pub tagged on the end.
>>  potentially looking at a sign up page, that would create accounts in
>>  LDAP with this tagged on the end.  Maybe even a self service page, that
>>  used email verification.
> 
> Much the same as per my recent e-mail.
> 
>>  So any accounts that are created by root@ as part of the committer
>>  process would be manually created, and obviously not have the -pub, thus
>>  preventing namespace squatting.
>>
> 
> Using e-mail verification should prevent any such squatting.
> 
>>  >
>>  > And, we need to work out a way to handle the transition from
>>  > non-committer to committer, in the (likely) case that that involves a
>>  > change in username.
>>
>>
>> If we use something similar to that above, and if they become a
>>  committer and their requested name is not in use then they can have it,
>>  much like they can now.  If it isn't free then they need to choose
>>  again.  :-)
>>
>>  Simple, really...
>>
>>
>>
>>  >
>>  > Otherwise, we could get folks snapping up all the best names in the
>>  > @apache.org namespace in the hope that they may one day become a
>>  > committer, rather than having a name selected for them at the point at
>>  > which their account is created.
>>
>>
>> Cheeky buggers. Who'd have thought people would be so cheeky :-)
>>
>>
>>  >
>>  > In comparison to this, setting up LDAP itself seems easy :-)
>>
>>
>> Here's hoping.
>>
>>  Let me re-iterate, the next thing we all need to agree upon is the LDAP
>>  schema, nothing will progress without this.  I will try to expand the
>>  current schema I added to SVN, and let's see if it sparks a flurry of
>>  conversation.
>>
> 
> But surely the schema depends at least partly on how it is to be used?
> 
> Or is the idea to produce an initial schema, and see if that supports
> the various use cases, and then update the schema as required?

That's spot on. For now. The initial schema is the first milestone I
have set us before we proceed any further; this seems to be the
consensus amongst others too.

If we have a base schema, we can quite happily change that to suit, up
until we have a final, and agreed, schema that will support everything
we want it to.

Using an email address as an identifier is quite simple. Let's see how
that pans out.

I have an email from Emmanuel Lecharny in my inbox which I need to
digest and incorporate into the proposal.  I am hoping that I will find
time to do this on Sunday.


-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
