www-infrastructure-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: LDAP : first step
Date Mon, 22 Dec 2008 14:57:12 GMT
On 22/12/2008, Tony Stevenson <pctony@apache.org> wrote:
>
>  [SNIP...]
>
> >
> > Huh?
> >
> > If an account gets created in bugzilla, it is probably at
> >
> > dn: cn=my-email@my-domain.com,ou=accounts,dc=apache,dc=org
> > objectClass: posixUser
> > objectClass: bugzillaUser
> > email: my-email@my-domain.com
> >
> >
>
>  That is about right, yes.
>
>
> > How should that "squat" anything? Or did I get you wrong? You don't want
> > to split the user supplied information up in any way. Treat it as an
> > opaque identifier just as an email address.
> >
>
>  The DN for committers will be their availid, not their email address. Like
> so:  cn=pctony,ou=people,dc=apache,dc=org
>
>  So we don't want any old user to come along and when they create an account,
> if the name is free, it allows them to squat, or rather reserve that name
> for themselves.  Using their email address as the DN not only prevents this,
> but means that all users will be required to provide an email address.
>

Except existing committers?

Seems to me that it would be better to use a non-ASF e-mail address as the DN.

Why change the DN when someone becomes a committer?
It's useful to have an external e-mail address - e.g. for forwarding,
and the e-mail address can be used to match with the one provided in
the ICLA - otherwise how do we know that fred@isp1.com is the same as
freddie@isp2.org?

If the DN changes, then as far as I can tell we either lose the
original e-mail address, or we have to copy it somewhere else.

> >
> > ou=accounts, dc=apache, dc=org might contain hundreds of thousands of
> > objects with only a few being actual apache committers or members, but
> > that is exactly the thing that LDAP is good at. A member simply gets an
> > additional objectClass and you filter on this.
> >
> >
>
>  No.  By the fact we will use availid for committers (or anyone who has an
> ASF account) and the email address for public users, I want to keep the two
> trees apart.
>
>
> > Only if you insist on listing out the tree by hand you want to split it
> > up. The usual way is doing a search on the tree or a subtree using the
> > objectClass as a filter.
> >
>
>  We will most likely use exactly the same OC for both committers and
> non-committers so we can still search quite easily.
>
>  However we have recently been discussing the use of separate LDAP servers
> for public services.  This is to try and :
>
>  * Mitigate DoS risks, as public services such as bugzilla create accounts
> automatically.  Doing so is quite 'expensive'.  Moving that load to the
> non-committers LDAP server helps lessen the risk that ASF folks can't work.
>
>  * We can use referrals between the two servers.  As required.
>
>  * We can use a completely different namespace for internal vs public
> services.
>
>
>
>  Cheers,
>  Tony
>
>
>  --
>
>
>  -----------------------------------------
>  Tony Stevenson
>  tony@pc-tony.com  //  pctony@apache.org
>  http://www.pc-tony.com/
>
>  1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
>  -----------------------------------------
>
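Editor's note, not part of the thread: the design discussed above splices a user-supplied e-mail address into a DN (cn=<email>,ou=accounts,dc=apache,dc=org) and later searches the tree by objectClass. Whatever is decided about availid vs e-mail as the naming attribute, anything user-supplied that ends up in a DN or a search filter has to be escaped (RFC 4514 for DNs, RFC 4515 for filters), otherwise a crafted "e-mail address" can change which RDN the server sees and where the entry lands. The example below is added here to illustrate that; it is not ASF infrastructure code. The base DNs and objectClass/attribute names are the ones quoted in the thread, while the helper names, the attacker string and the use of `email` as the lookup attribute are my own assumptions.

```python
"""RFC 4514 / RFC 4515 escaping for DNs and filters built from user input.

Added example; not code from the www-infrastructure-dev thread or from
ASF infrastructure.  Base DNs and objectClass names follow the quoted
LDIF; helper names and the sample attacker input are constructed here.
"""

# RFC 4514 section 2.4: characters that must be escaped anywhere in a value.
_DN_SPECIAL = set(',+"\\<>;')

# RFC 4515 section 3: characters that must be hex-escaped in a filter value.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#'
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in a search filter (RFC 4515)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_dn(email: str, base: str = "ou=accounts,dc=apache,dc=org") -> str:
    """DN for a self-registered (bugzilla) user, keyed by e-mail as in the thread."""
    return f"cn={escape_rdn_value(email)},{base}"


def committer_dn(availid: str, base: str = "ou=people,dc=apache,dc=org") -> str:
    """DN for a committer, keyed by availid as in the thread."""
    return f"cn={escape_rdn_value(availid)},{base}"


def lookup_filter(email: str, object_class: str = "bugzillaUser") -> str:
    """Filter matching one account by e-mail, restricted by objectClass.

    The attribute name 'email' is taken from the quoted LDIF; the real
    schema may use 'mail' instead (assumption).
    """
    return f"(&(objectClass={object_class})(email={escape_filter_value(email)}))"


def split_dn(dn: str) -> list:
    """Split a DN on unescaped commas, the way a server parses it.

    Returns [rdn, parent_rdn, ...]; split_dn(dn)[0] is the entry's own name.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])    # keep escape pair intact
            i += 2
            continue
        if ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append(''.join(cur))
    return parts


def squat_attempt(attacker_email: str):
    """Compare a naively built DN with an escaped one for a crafted e-mail.

    Returns (naive_rdn, safe_rdn, safe_parent).  With the constructed input
    "pctony,ou=people,dc=apache,dc=org" the naive DN is named cn=pctony,
    which no longer contains an '@' and so defeats the "e-mail as DN"
    protection the thread relies on; the escaped DN keeps the whole
    string as one RDN directly under ou=accounts.
    """
    naive = f"cn={attacker_email},ou=accounts,dc=apache,dc=org"
    safe = account_dn(attacker_email)
    safe_parts = split_dn(safe)
    return split_dn(naive)[0], safe_parts[0], ','.join(safe_parts[1:])


if __name__ == "__main__":
    # Constructed malicious "e-mail address" aimed at the committer naming scheme.
    print(squat_attempt("pctony,ou=people,dc=apache,dc=org"))
    print(lookup_filter("*)(objectClass=*"))
```

Running the block shows the naive DN being named `cn=pctony` while the escaped form stays a single `cn=...` RDN under `ou=accounts,dc=apache,dc=org`, and the filter helper turning a wildcard-injection attempt into a literal match. Real clients should use their library's escaping (for example `ldap3.utils.dn.escape_rdn` and `ldap3.utils.conv.escape_filter_chars`) rather than hand-rolled versions; the helpers here exist only to make the behaviour visible offline.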
