Return-Path: 
 <infrastructure-dev-return-688-apmail-infrastructure-dev-archive=apache.org@apache.org>
Delivered-To: apmail-infrastructure-dev-archive@locus.apache.org
Received: (qmail 49337 invoked from network); 27 Nov 2008 11:24:04 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
  by minotaur.apache.org with SMTP; 27 Nov 2008 11:24:04 -0000
Received: (qmail 59678 invoked by uid 500); 27 Nov 2008 11:24:07 -0000
Delivered-To: apmail-infrastructure-dev-archive@apache.org
Received: (qmail 59470 invoked by uid 500); 27 Nov 2008 11:24:06 -0000
Mailing-List: contact infrastructure-dev-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:infrastructure-dev-help@apache.org>
List-Unsubscribe: <mailto:infrastructure-dev-unsubscribe@apache.org>
List-Post: <mailto:infrastructure-dev@apache.org>
List-Id: <infrastructure-dev.apache.org>
Reply-To: infrastructure-dev@apache.org
Delivered-To: mailing list infrastructure-dev@apache.org
Received: (qmail 59261 invoked by uid 99); 27 Nov 2008 11:24:05 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Nov 2008 03:24:05 -0800
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
Received: from [212.23.3.141] (HELO smarthost02.mail.zen.net.uk)
 (212.23.3.141)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Nov 2008 11:22:36 +0000
Received: from [88.96.10.61] (helo=[172.17.6.27])
	by smarthost02.mail.zen.net.uk with esmtpsa
 (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.63)
	(envelope-from <pctony@apache.org>)
	id 1L5exu-0005ZL-5X
	for infrastructure-dev@apache.org; Thu, 27 Nov 2008 11:23:22 +0000
Message-ID: <492E8329.7000705@apache.org>
Date: Thu, 27 Nov 2008 11:23:21 +0000
From: Tony Stevenson <pctony@apache.org>
User-Agent: Thunderbird 2.0.0.18 (Windows/20081105)
MIME-Version: 1.0
To: infrastructure-dev@apache.org
Subject: Re: Centralised authentication/authorisation
References: <55ef8e0d508559e7567041e44f6c61d5.squirrel@mail.pc-tony.com>
	 <1227779504.22393.80.camel@urgyen> <492E74E7.6090001@apache.org>
 <25aac9fc0811270247l6648566bydb30f7ee74f8f536@mail.gmail.com>
In-Reply-To: <25aac9fc0811270247l6648566bydb30f7ee74f8f536@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Originating-Smarthost02-IP: [88.96.10.61]
X-Virus-Checked: Checked by ClamAV on apache.org

sebb wrote:
> On 27/11/2008, Tony Stevenson <pctony@apache.org> wrote:
>> Upayavira wrote:
>>  > On Thu, 2008-11-20 at 17:54 +0000, Tony Stevenson wrote:
>>
>>
>> [SNIP ...]
>>
>>
>>  >
>>  > The biggest issue that I do not yet see resolved is that of username
>>  > namespaces.
>>  >
>>  > Currently, we have a 'committer' namespace, names are allocated, by
>>  > root, based upon requests from the new committer, when their Apache
>>  > account is created.
>>  >
>>  > If we go to an LDAP setup that covers non-committers too, then we have
>>  > to expand our namespace handing to cover names that non-committers might
>>  > choose.
>>
>>
>> Agreed, this is something I was looking at.  I was hoping to find a way
>>  for non committers usernames to have -pub tagged on the end.
>>  potentially looking at a sign up page, that would create accounts in
>>  LDAP with this tagged on the end.  Maybe even a self service page, that
>>  used email verification.
> 
> Much the same as per my recent e-mail.
> 
>>  So any accounts that are created by root@ as part of the committer
>>  process would be manually created, and obviously not have the -pub, thus
>>  preventing namespace squatting.
>>
> 
> Using e-mail verification should prevent any such squatting.
> 
>>  >
>>  > And, we need to work out a way to handle the transition from
>>  > non-committer to committer, in the (likely) case that that involves a
>>  > change in username.
>>
>>
>> If we use something similar to that above, and if they become a
>>  committer and their requested name is not in use then thry can have it,
>>  much like they can now.  If it isn't free then they need to choose
>>  again.  :-)
>>
>>  Simple, really...
>>
>>
>>
>>  >
>>  > Otherwise, we could get folks snapping up all the best names in the
>>  > @apache.org namespace in the hope that they may one day become a
>>  > committer, rather than having a name selected for them at the point at
>>  > which their account is created.
>>
>>
>> Cheeky buggers. Who'd of thought people would be so cheeky :-)
>>
>>
>>  >
>>  > In comparison to this, setting up LDAP itself seems easy :-)
>>
>>
>> Here's hoping.
>>
>>  Let me re-iterate, the next thing we all need to agree upon is the LDAP
>>  schema, nothing will progress without this.  I will try to expand the
>>  current schema I added to SVN, and lets see if it sparks a flurry of
>>  conversation.
>>
> 
> But surely the schema depends at least partly on how it is to be used?
> 
> Or is the idea to produce an initial schema, and see if that supports
> the various use cases, and then update the schema as required?

That's spot on. For now. The initial schema is the first milestone I
have set us before we proceed any further, this seems to be the
consensus amongst others too.

If we have a base schema, we can quite happily change that to suit, up
until we have a final, and agreed, schema that will support everything
we want it too.

Using an email address as an identifier, is quite simple. Let's see how
that that pans out.

I have an email from Emmanuel Lecharny in my inbox which I need to
digest and incorporate into the proposal.  I am hoping that I will find
time to do this on Sunday.


-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------