www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: LDAP : first step
Date Sun, 21 Dec 2008 23:32:44 GMT

Emmanuel Lécharny wrote:
> Upayavira wrote:
>> On Sun, 2008-12-21 at 23:50 +0100, Emmanuel Lécharny wrote:
>>> Tony Stevenson wrote:
>>>> Tony Stevenson wrote:
>>>>>         I will arrange for one Solaris zone, so that we can deploy 
>>>>> one test environment. There is currently one such zone, but I 
>>>>> would rather start with a clean slate as this still has scatterings 
>>>>> of OpenLDAP amongst other things.
>>>> Ok, we now have two test zones.  These are to test EU <--> US multi
>>>> master services.  Clearly we only need to begin with one.
>>>> Emmanuel, do you have your suggested OC, and tree design?  I want to 
>>>> get these into SVN before dishing out access to these Solaris zones, 
>>>> and installing anything.
>>> I'm currently processing the committers, mixing the iclas.txt file 
>>> with the /etc/passwd, in order to have a complete entry for each of 
>>> us. It takes time, because there are more entries in passwd than we 
>>> have committers (some committers have been obviously removed from the 
>>> iclas.txt file, or some users have been granted access without being 
>>> present in iclas.txt).
>>> The tree I suggest, from now on, will be something like 
>>> cn=<committer>,ou=people,dc=apache,dc=org
>>> I will be done in around one hour with the big LDIF file.
>> I understand that we're going to be starting with committers only,
>> however, I'd like to understand how this structure will work for
>> non-committers, and how it will work when non-committers become
>> committers.
>> How do you see that working?
> IMO, there should be a flag in the entry set to TRUE when the person gets 
> karma. This is somehow exposed in the proposed OC I posted 2 weeks ago.
> So you can mix committers and non-committers in the same branch, 
> getting all committers will just be a matter of using a filter like 
> (asf-committer=TRUE).

I don't like the idea of this.  The idea that a non committer can create 
an account through bugzilla with a "cn=foobar" and therefore allowing 
them to squat on any given free namespace, doesn't sit well with me.

I ideally want to use a different subtree to keep them distinctly apart, 
and using a different OC, perhaps.  As I think we need to use the email 
address they provide as the DN for their object.  Not just any old name.



Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
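
The two layouts discussed in this message, as an added example that is not part of the original thread or of any ASF code: a toy in-memory directory (not a real LDAP server) shows the `cn` collision in the single-branch design and its absence when self-registered users live in their own subtree keyed by e-mail address. The `ou=guests` branch name, the sample entries and all function names are assumptions made for illustration.

```python
# Added illustration: toy in-memory directory, not a real LDAP server.
BASE = "dc=apache,dc=org"
PEOPLE = "ou=people," + BASE   # branch named in the thread
GUESTS = "ou=guests," + BASE   # hypothetical branch for self-registered users


class Directory:
    def __init__(self):
        self.entries = {}  # normalised DN -> attributes

    def add(self, dn, attrs):
        key = dn.lower()  # simplified DN normalisation
        if key in self.entries:
            raise KeyError("entryAlreadyExists: " + dn)
        self.entries[key] = dict(attrs, dn=dn)

    def search(self, base, attr, value):
        """Subtree search with one equality filter, e.g. (asf-committer=TRUE)."""
        suffix = "," + base.lower()
        return sorted(e["dn"] for k, e in self.entries.items()
                      if k.endswith(suffix) and e.get(attr) == value)


def flat_design():
    """Everyone under ou=people, RDN is a self-chosen cn, committers flagged."""
    d = Directory()
    d.add("cn=alice," + PEOPLE, {"asf-committer": "TRUE"})
    # Constructed self-registration: the user picks any free cn.
    d.add("cn=foobar," + PEOPLE,
          {"asf-committer": "FALSE", "mail": "someone@example.org"})
    try:
        # A new committer is later assigned the id "foobar".
        d.add("cn=foobar," + PEOPLE, {"asf-committer": "TRUE"})
        collided = False
    except KeyError:
        collided = True  # the name was already squatted
    return collided, d.search(PEOPLE, "asf-committer", "TRUE")


def split_design():
    """Committers under ou=people; self-registered users keyed by mail elsewhere."""
    d = Directory()
    d.add("cn=alice," + PEOPLE, {"asf-committer": "TRUE"})
    d.add("mail=someone@example.org," + GUESTS, {"cn": "foobar"})
    d.add("cn=foobar," + PEOPLE, {"asf-committer": "TRUE"})  # no clash
    return (d.search(PEOPLE, "asf-committer", "TRUE"),
            d.search(GUESTS, "cn", "foobar"))
```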
