www-infrastructure-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 11:19:17 GMT
Emmanuel Lécharny wrote:

>> I volunteer to configure and set up https://www.apache.org, and 
>> volunteer to configure the single signon stuff present in httpd 
>> v2.3.0+, in readiness for being backed by an LDAP server.
> I'm in, too. I can try first to define a basic schema, and migrate our 
> current users into an LDAP server.

The only attributes I need at this point to make this happen are a 
userid (email address highly recommended), and password.

One thing we need to be careful of to keep our lives simple is to make 
sure our schema doesn't clash with any other schemas out there.

I have been using the 50ns-mail.ldif schema from Fedora Directory 
Server, most specifically the mail, mailAlternateAddress and 
mailForwardingAddress attributes.

Users that are "external" have their external email address (used as 
their login name) stored in the "mail" attribute.

Users that have hosted mail have a mailRecipient objectclass, and any 
mail aliases go into mailAlternateAddress. Users who want mail 
forwarding use mailForwardingAddress.

If we use an objectclass such as 50ns-mail.ldif, we leave the door open 
to have email backed by LDAP in a reasonably straightforward fashion.

If we start with just the following, we could build up from there:

objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: mailRecipient
objectClass: organizationalPerson

Next step after that, add some ASF attributes where relevant:

objectclass: asfPerson
objectclass: asfCommitter
objectclass: asfMember

etc

Regards,
Graham
--
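
An added example, not part of the original message or any ASF tooling: a pre-migration audit over LDIF that flags any address usable as a login (mail or mailAlternateAddress) claimed by more than one entry, and entries carrying mailAlternateAddress or mailForwardingAddress without the mailRecipient objectclass. The DNs and addresses are constructed, and the parser assumes plain "attr: value" lines with no folding or base64 values.

```python
from collections import defaultdict

# Constructed sample entries (hypothetical DNs and addresses).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: mailRecipient
mail: alice@example.org
mailAlternateAddress: a.smith@example.org

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
mail: Bob@external.example
mailForwardingAddress: bob@elsewhere.example

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: mailRecipient
mail: carol@example.org
mailAlternateAddress: A.Smith@example.org
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF records into (dn, {attr: [values]})."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        if attrs.get("dn"):
            entries.append((attrs["dn"][0], attrs))
    return entries

def audit(entries):
    """Return (addresses owned by >1 entry, DNs using mail routing attrs without mailRecipient)."""
    owners = defaultdict(set)
    missing_class = []
    for dn, attrs in entries:
        # Addresses are compared case-insensitively, as a login lookup would.
        for addr in attrs["mail"] + attrs["mailalternateaddress"]:
            owners[addr.lower()].add(dn)
        classes = {c.lower() for c in attrs["objectclass"]}
        routed = attrs["mailalternateaddress"] or attrs["mailforwardingaddress"]
        if routed and "mailrecipient" not in classes:
            missing_class.append(dn)
    ambiguous = {a: sorted(d) for a, d in owners.items() if len(d) > 1}
    return ambiguous, missing_class

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```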

