www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 12:53:45 GMT


Graham Leggett wrote:
> Tony Stevenson wrote:
> 
>> Graham we have not yet agreed, i.e. have had written in stone, what we 
>> will and will not support. Plus I am not sure what https://www.a.o has 
>> to do with LDAP.
> 
> It has to do with single signon, which is based on LDAP, and is one of 
> the most fundamental ways in which an LDAP server makes our lives easier.

Cool, but we have not yet agreed upon what we are going to be working 
towards.  That comes next :-)


> 
>>  AFAIK there is no authentication required when browsing that site.
> 
> The site doesn't yet exist (ie connection refused).  

Exactly, and even when it does (possibly) exist there is still no need 
for authentication, AFAICS.

> 
>> I think there is one other person who is willing to help us. I just 
>> want him to announce himself. Rather than being 'outed' by me.  :-)
>>
>> I think once we have 4 people, we can consider the next steps.
>>
>> * What we want to achieve from LDAP
>> * How we want to deploy it
>> * etc
> 
> At this point we have the danger of just talking about it for ages and 
> ages, and never getting anything done.

If we talk about it now, and then someone chimes up just after 
deployment that they wanted it to do x, y, and z, we can tell them that they 
had their opportunity to take part on this ML.

> Let's start by getting a basic server running, and populate it with some 
> basic information, not accessible to the public.

That won't happen until we all agree on all the fundamental basics 
first.  There is absolutely no hurry to get this done.  I was pushing on 
ahead with this, much like you seem to want to, but it won't help us. 
Not in the long run.

> 
> It is far easier to show people what LDAP is, and what single signon is, 
> rather than trying to explain it in a handwaving fashion.

We only have to prove it works to other folks in Infra, the rest of the 
community who will use it as a service probably don't care that we use 
LDAP or not.

These said folks in infra already know what LDAP is, how it works 
(fundamentally), and are aware of the bells and whistles it can come with.

> 
> I think we have established already what we want to achieve by using 
> LDAP: to make our lives easier.

Yes, maybe. But we will not get any traction until we have a solid base 
upon which we can build a working solution. For that we need to have

* A working group of folks to run with it
* Agreed on goals (see updated SVN docs)

> 
> Any LDAP infrastructure is going to change with time. We will find new 
> requirements, we will need to keep the admin people who have to care and 
> feed this thing happy, and people will keep asking "wouldn't it be cool 
> if...".
> 

I will be one of those admins. I'm not sure any requirement exists from 
those of us that will administer this, to have it do anything other than 
access control.


Cheers,
Tony

-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
