www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: LDAP : first step
Date Mon, 22 Dec 2008 00:00:16 GMT

Emmanuel Lécharny wrote:
> Tony Stevenson wrote:
>> Emmanuel Lécharny wrote:
>>> Upayavira wrote:
>>>> On Sun, 2008-12-21 at 23:50 +0100, Emmanuel Lécharny wrote:
>>>>> Tony Stevenson wrote:
>>>>>> Tony Stevenson wrote:
>>>>>>> I will arrange for one Solaris zone, so that we can 
>>>>>>> deploy one test environment. There is a currently one such zone,
>>>>>>> but I would rather start with a clean slate as this still has
>>>>>>> scatterings of OpenLDAP amongst other things.
>>>>>> Ok, we now have two test zones.  These are to test EU <-->
>>>>>> multi master services.  Clearly we only need to begin with one.
>>>>>> Emmanuel, do you have your suggested OC, and tree design?  I want
>>>>>> to get these into SVN before dishing out access to these Solaris
>>>>>> zones, and installing anything.
>>>>> I'm currently processing the committers, mixing the iclas.txt file 
>>>>> with the /etc/passwd, in order to have a complete entry for each of 
>>>>> us. It takes time, because there are more entries into passwd than 
>>>>> we have committers (some committers have been obviously removed 
>>>>> from the iclas.txt file, or some users have been granted access 
>>>>> without being present in iclas.txt).
>>>>> The tree I suggest, from now on, will be something like 
>>>>> cn=<committer>,ou=people,dc=apache,dc=org
>>>>> I will be done in around one hour with the big LDIF file.
>>>> I understand that we're going to be starting with committers only,
>>>> however, I'd like to understand how this structure will work for
>>>> non-committers, and how it will work when non-committers become
>>>> committers.
>>>> How do you see that working?
>>> IMO, there should be a flag in the entry set to TRUE when the person 
>>> gets karma. This is somehow exposed in the proposed OC I posted 2 
>>> weeks ago.
>>> So you can mix committers and non-committers in the same branch; 
>>> getting all committers will just be a matter of using a filter like 
>>> (asf-committer=TRUE).
>> I don't like the idea of this.  The idea that a non-committer can 
>> create an account through bugzilla with a "cn=foobar" and therefore 
>> allowing them to squat on any given free namespace, doesn't sit well 
>> with me.
> I see your point. And we'd better put every non-committer created on 
> another LDAP server too, in order to avoid DOS (creating an entry on 
> LDAP is _costly_, I can imagine some robots creating thousands of 
> entries in confluence for many reasons...)

This was actually a point raised on IRC earlier this week.  One LDAP 
server for "internal" services.  Another for public accounts on services 
such as moinmoin, confluence, bugzilla.

Could we potentially get the internal services LDAP server to sync one 
way with a public services LDAP instance, and merge with the public 
services instance?  So that committers can login using their availid, 
etc.  Without the need to configure 2 LDAP servers.

>> I ideally want to use a different subtree to keep them distinctly 
>> apart, and using a different OC, perhaps.  As I think we need to use 
>> the email address they provide as the DN for their object.  Not just 
>> any old name.
> Not a problem. We can then use mail=joe@the.plumber instead of 
> cn=something as the RDN for those users...

Exactly. If we can keep all of these in one OC, then we have the option 
to potentially just 'move' their account if they become committers later on.



Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
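The two-subtree layout, the (asf-committer=TRUE) filter and the 'move on promotion' idea from this thread, modelled as an added Python example (not code from the thread or from Apache infrastructure); the ou=public subtree name, the sample entries and the promote() helper are assumptions.

```python
# Constructed LDIF (not real ASF data): committers keyed by cn under
# ou=people, public accounts keyed by mail under an assumed ou=public.
# A public account may reuse a committer's cn without a DN collision,
# because its RDN is mail= and it lives in a different subtree.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=apache,dc=org
cn: alice
mail: alice@apache.org
asf-committer: TRUE

dn: cn=bob,ou=people,dc=apache,dc=org
cn: bob
mail: bob@apache.org
asf-committer: FALSE

dn: mail=joe@the.plumber,ou=public,dc=apache,dc=org
cn: alice
mail: joe@the.plumber
"""


def parse_ldif(text):
    """Parse attribute-per-line LDIF into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def search(entries, base, attr, value):
    """Emulate a one-attribute equality filter such as (asf-committer=TRUE),
    scoped to the subtree below `base`; returns matching DNs sorted."""
    return sorted(dn for dn, a in entries.items()
                  if dn.endswith("," + base) and value in a.get(attr, []))


def rdn_collides(entries, rdn, base):
    """True if placing `rdn` directly under `base` would reuse an existing DN."""
    return f"{rdn},{base}" in entries


def promote(entries, old_dn, new_cn):
    """Assumed helper: rename a public account into ou=people (modrdn-style)
    when the person becomes a committer, and set the committer flag."""
    attrs = entries.pop(old_dn)
    attrs["cn"] = [new_cn]
    attrs["asf-committer"] = ["TRUE"]
    new_dn = f"cn={new_cn},ou=people,dc=apache,dc=org"
    entries[new_dn] = attrs
    return new_dn
```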
