www-infrastructure-dev mailing list archives

From Emmanuel Lécharny <elecha...@apache.org>
Subject Re: LDAP : first step
Date Sun, 21 Dec 2008 23:52:39 GMT
Tony Stevenson wrote:
> Emmanuel Lécharny wrote:
>> Upayavira wrote:
>>> On Sun, 2008-12-21 at 23:50 +0100, Emmanuel Lécharny wrote:
>>>> Tony Stevenson wrote:
>>>>> Tony Stevenson wrote:
>>>>>> I will arrange for one Solaris zone, so that we can
>>>>>> deploy one test environment. There is currently one such zone,
>>>>>> but I would rather start with a clean slate as this still has
>>>>>> scatterings of OpenLDAP amongst other things.
>>>>> Ok, we now have two test zones.  These are to test EU <--> US 
>>>>> multi master services.  Clearly we only need to begin with one.
>>>>> Emmanuel, do you have your suggested OC, and tree design?  I want 
>>>>> to get these into SVN before dishing out access to these Solaris 
>>>>> zones, and installing anything.
>>>> I'm currently processing the committers, mixing the iclas.txt file 
>>>> with the /etc/passwd, in order to have a complete entry for each of 
>>>> us. It takes time, because there are more entries into passwd than 
>>>> we have committers (some committers have obviously been removed
>>>> from the iclas.txt file, or some users have been granted access
>>>> without being present in iclas.txt).
>>>> The tree I suggest, from now on, will be something like 
>>>> cn=<committer>,ou=people,dc=apache,dc=org
>>>> I will be done in around one hour with the big LDIF file.
>>> I understand that we're going to be starting with committers only,
>>> however, I'd like to understand how this structure will work for
>>> non-committers, and how it will work when non-committers become
>>> committers.
>>> How do you see that working?
>> IMO, there should be a flag in the entry set to TRUE when the person
>> gets karma. This is somehow exposed in the proposed OC I posted 2
>> weeks ago.
>> So you can mix committers and non-committers in the same branch;
>> getting all committers will just be a matter of using a filter like
>> (asf-committer=TRUE).
> I don't like the idea of this.  The idea that a non committer can 
> create an account through bugzilla with a "cn=foobar" and therefore 
> allowing them to squat on any given free namespace, doesn't sit well 
> with me.
I see your point. And we'd better put every non-committer created on
another LDAP server too, in order to avoid DOS (creating an entry on
LDAP is _costly_; I can imagine some robots creating thousands of
entries in confluence for many reasons...)
> I ideally want to use a different subtree to keep them distinctly 
> apart, and using a different OC, perhaps.  As I think we need to use 
> the email address they provide as the DN for their object.  Not just 
> any old name.
Not a problem. We can then use mail=joe@the.plumber instead of 
cn=something as the RDN for those users...

cordialement, regards,
Emmanuel Lécharny
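Added illustration, not part of the thread and not Apache infrastructure code: a small stdlib-only Python model of the layout discussed above. It joins a passwd-style file with an iclas.txt-style file and reports both mismatch classes (accounts without an ICLA record, ICLA records without an account), writes committers as cn=<uid>,ou=people,dc=apache,dc=org with asf-committer: TRUE, keeps self-registered users in a separate subtree keyed by mail= so a display name of "root" can never land on cn=root under ou=people, escapes RDN values per RFC 4514, and answers the (asf-committer=TRUE) filter. Assumptions that are not in the thread: the iclas.txt line format (uid:name:mail), the uidNumber 1000 cut-off for people, the subtree name ou=external, the inetOrgPerson object class, and the constructed sample data.

```python
"""Toy model of the LDAP tree layout discussed above (added example, stdlib only).
Assumed, not from the thread: iclas.txt is 'uid:name:mail' per line, real people
start at uidNumber 1000, non-committers live under ou=external, inetOrgPerson OC."""
import re

BASE = "dc=apache,dc=org"
PEOPLE = f"ou=people,{BASE}"      # committers: RDN cn=<uid>
EXTERNAL = f"ou=external,{BASE}"  # ASSUMED subtree for self-registered users: RDN mail=<addr>
MAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed sample input, not real data.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/bash
carol:x:1003:100:Carol Example:/home/carol:/bin/bash
"""
ICLAS = """\
alice:Alice Example:alice@apache.org
bob:Bob Example:bob@apache.org
dave:Dave Example:dave@apache.org
"""

def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        name, _pw, uid, _gid, gecos, _home, _shell = line.split(":")
        if int(uid) >= 1000:  # ASSUMPTION: below that are system accounts
            users[name] = {"uid": name, "name": gecos}
    return users

def parse_iclas(text):
    rows = (line.split(":", 2) for line in text.splitlines() if line.strip())
    return {uid: {"uid": uid, "name": name, "mail": mail} for uid, name, mail in rows}

def merge(passwd, iclas):
    """Join on uid; also report both mismatch classes the thread mentions."""
    both = [{**passwd[u], **iclas[u]} for u in passwd if u in iclas]
    only_passwd = sorted(set(passwd) - set(iclas))  # shell access, no ICLA record
    only_iclas = sorted(set(iclas) - set(passwd))   # ICLA on file, account gone
    return both, only_passwd, only_iclas

def escape_rdn_value(value):
    """RFC 4514 escaping, so a user-supplied RDN value cannot smuggle in extra RDNs."""
    out = re.sub(r'([\\,+"<>;])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def committer_entry(acct):
    return {"dn": f"cn={escape_rdn_value(acct['uid'])},{PEOPLE}",
            "objectClass": ["inetOrgPerson"], "cn": acct["uid"],
            "sn": acct["name"].split()[-1], "mail": acct["mail"], "asf-committer": "TRUE"}

def non_committer_entry(mail, display_name):
    """Self-registered users are keyed by mail address in their own subtree, so a
    display name of 'root' never yields cn=root,ou=people,... (no namespace squatting)."""
    if not MAIL_RE.fullmatch(mail):
        raise ValueError(f"not a mail address: {mail!r}")
    return {"dn": f"mail={escape_rdn_value(mail)},{EXTERNAL}",
            "objectClass": ["inetOrgPerson"], "cn": display_name,
            "sn": display_name.split()[-1], "mail": mail, "asf-committer": "FALSE"}

def to_ldif(entry):
    lines = [f"dn: {entry['dn']}"]
    for attr, val in entry.items():
        if attr != "dn":
            lines += [f"{attr}: {v}" for v in (val if isinstance(val, list) else [val])]
    return "\n".join(lines) + "\n"

def search(entries, base, flt):
    """Subtree search under `base` with a simple equality filter such as
    (asf-committer=TRUE); attribute values compare case-insensitively."""
    m = re.fullmatch(r"\(([\w-]+)=([^)]*)\)", flt)
    if not m:
        raise ValueError(f"unsupported filter: {flt!r}")
    attr, want = m.group(1), m.group(2).lower()
    def hit(e):
        vals = e.get(attr, [])
        vals = vals if isinstance(vals, list) else [vals]
        return e["dn"].endswith("," + base) and any(v.lower() == want for v in vals)
    return [e["dn"] for e in entries if hit(e)]

def build_directory():
    both, only_passwd, only_iclas = merge(parse_passwd(PASSWD), parse_iclas(ICLAS))
    entries = [committer_entry(a) for a in both]
    entries.append(non_committer_entry("joe@the.plumber", "Joe Plumber"))
    entries.append(non_committer_entry("squatter@evil.example", "root"))  # would-be squatter
    return entries, only_passwd, only_iclas

if __name__ == "__main__":
    entries, only_passwd, only_iclas = build_directory()
    print("".join(to_ldif(e) + "\n" for e in entries))
    print("in passwd, not in iclas.txt:", only_passwd)
    print("in iclas.txt, not in passwd:", only_iclas)
    print("committers:", search(entries, BASE, "(asf-committer=TRUE)"))
    print("cn=root under ou=people:", search(entries, PEOPLE, "(cn=root)"))
```

With the two subtrees, a search for committers can be scoped either by base (ou=people) or by the flag; the flag alone is what you would need if both populations shared one branch. The escaping in escape_rdn_value matters most for the self-registered subtree, where the RDN value comes straight from whatever the registrant typed.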
