www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: Centralised authentication/authorisation
Date Mon, 15 Dec 2008 17:25:29 GMT


Graham Leggett wrote:
> Tony Stevenson wrote:
> 
>>> What is your definition of "core-services"?
>>
>> As stated a few times, the basics we want to support, initially at least, 
>> are SVN and shell access to people.a.o
> 
> Fair enough.
> 
> Let me explain better where I am coming from. When you have an LDAP 
> server, you inherit a support burden, which is completely independent of 
> what you want to use the LDAP server for.
> 
> Key things are how the data ends up in the LDAP server in the first 
> place, how people are able to manage their passwords without the schlepp 
> of having to log into p.a.o and use a protocol they may or may not be 
> familiar with.

Exactly, at the moment users manage their shell passwords by logging in 
and using the timeless 'passwd' command.  :-)

As for SVN passwords AISTR there is a web interface they can use to 
reset this.

So with this in mind, we will likely support both methods by the time we 
are done. Though in what order/which guise is yet undecided.  A self 
managing system that allows users to reset their passwords is a nice 
idea, and if we can sort this, it may go some way to alleviating the 
pain nearer the times of en-masse logins (i.e. member votes).

> 
> I have spent a good 18 months solving this particular problem, with a 
> combination of additional features to httpd, and some small web based 
> apps that were designed for this purpose. What I am offering is that I 
> set this up for you, and in the process potentially remove the 
> problems of password management and distribution, and other future 
> problems such as new user account creation.

Sorry Graham, set what up exactly?  mod_session and sso?
At the moment we are not looking to roll out support for SSO (and by SSO 
I mean the definition as it is in the "Scope & Goals" document in SVN 
(SVN:Infra\trunk\projects\ldap-project)).

> No, we don't have to set this up right now.
> 
> I am however throwing this suggestion into the ring now, so that people 
> are aware this work exists, and in an effort to ensure no wheels are 
> reinvented unnecessarily.

Cool. We can always come and re-visit this as and when 
time/desire/requirements allow us.

> 
>> Anything other than that will fall into a following phase of the 
>> deployment. I don't think we could sustain a big-bang cut over to LDAP 
>> for all public services from day 1.
> 
> Obviously, I was not proposing any kind of big bang cutover of anything. 
> Any cutover should happen in a leisurely controlled fashion, as people 
> are comfortable with doing so, and as confidence grows in the stability 
> of the service.

Cool.  :-)


Cheers,
Tony

-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
