www-infrastructure-dev mailing list archives

From Henning Schmiedehausen <henn...@apache.org>
Subject Re: LDAP : first step
Date Mon, 22 Dec 2008 01:46:14 GMT
Tony Stevenson schrieb:
> Emmanuel Lécharny wrote:
>> Upayavira wrote:
>>> On Sun, 2008-12-21 at 23:50 +0100, Emmanuel Lécharny wrote:
>>>> Tony Stevenson wrote:
>>>>> Tony Stevenson wrote:
>>>>>> I will arrange for one Solaris zone, so that we can deploy
>>>>>> one test environment. There is a currently one such zone, but I
>>>>>> would rather start with a clean slate as this still has
>>>>>> scatterings of OpenLDAP amongst other things.
>>>>> Ok, we now have two test zones.  These are to test EU <--> US multi
>>>>> master services.  Clearly we only need to begin with one.
>>>>> Emmanuel, do you have your suggested OC, and tree design?  I want
>>>>> to get these into SVN before dishing out access to these Solaris
>>>>> zones, and installing anything.
>>>> I'm currently processing the committers, mixing the iclas.txt file
>>>> with the /etc/passwd, in order to have a complete entry for each of
>>>> us. It takes time, because there are more entries into passwd than
>>>> we have committers (some committers have been obviously removed from
>>>> the iclas.txt file, or some users have been granted access without
>>>> being present in iclas.txt).
>>>> The tree I suggest, from now on, will be something like
>>>> cn=<committer>,ou=people,dc=apache,dc=org
>>>> I will be done in around one hour with the big LDIF file.
>>> I understand that we're going to be starting with committers only,
>>> however, I'd like to understand how this structure will work for
>>> non-committers, and how it will work when non-committers become
>>> committers.
>>> How do you see that working?
>> IMO, there should be a flag in the entry set to TRUE when the person
>> get karma. This is somehow exposed in the proposed OC I posted 2 weeks
>> ago.
>> So you can mix committers and non-committers in the same branch,
>> getting all committers will just be a matter of using a filter like
>> (asf-committer=TRUE).
> I don't like the idea of this.  The idea that a non committer can create
> an account through bugzilla with a "cn=foobar" and therefore allowing
> them to squat on any given free namespace, doesn't sit well with me.
> I ideally want to use a different subtree to keep them distinctly apart,
> and using a different OC, perhaps.  As I think we need to use the email
> address they provide as the DN for their object.  Not just any old name.
If an account gets created in bugzilla, it is probably at

dn: cn=my-email@my-domain.com,ou=accounts,dc=apache,dc=org
objectClass: posixUser
objectClass: bugzillaUser
email: my-email@my-domain.com

How should that "squat" anything? Or did I get you wrong? You don't want
to split the user supplied information up in any way. Treat it as an
opaque identifier just as an email address.

ou=accounts, dc=apache, dc=org might contain hundreds of thousands of
objects with only a few being actual apache committers or members, but
that is exactly the thing that LDAP is good at. A member simply gets an
additional objectClass and you filter on this.

Only if you insist on listing out the tree by hand do you want to split it
up. The usual way is doing a search on the tree or a subtree using the
objectClass as a filter.
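As an added example (not part of this thread), a small Python model of the flat ou=accounts layout described above: every account's DN is derived from its e-mail address, a committer differs only by an extra objectClass and the (asf-committer=TRUE) flag Emmanuel mentioned, and a subtree search with a filter picks the committers out. The asfCommitter objectClass name, the lower-casing of the RDN and the RFC 4514 escaping are assumptions of the example.

```python
import re
BASE = "ou=accounts,dc=apache,dc=org"
def account_dn(email):
    # The e-mail address is the RDN, kept opaque; lower-casing and RFC 4514
    # escaping of special characters are assumptions of this example.
    rdn = re.sub(r'([,+"\\<>;=])', r'\\\1', email.strip().lower())
    return f"cn={rdn},{BASE}"
def make_entry(email, committer=False):
    # A committer only gains an extra objectClass and flag (names assumed), never a subtree.
    entry = {"dn": account_dn(email), "email": [email],
             "objectClass": ["posixUser", "bugzillaUser"]}
    if committer:
        entry["objectClass"].append("asfCommitter")
        entry["asf-committer"] = ["TRUE"]
    return entry
def parse_filter(text):
    # Minimal RFC 4515 parser: (attr=value), (attr=*), (&...), (|...), (!...).
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op, pos, kids = text[pos], pos + 1, []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, value)
    return node()
def matches(entry, tree):
    if tree[0] == "&": return all(matches(entry, k) for k in tree[1])
    if tree[0] == "|": return any(matches(entry, k) for k in tree[1])
    if tree[0] == "!": return not matches(entry, tree[1][0])
    _, attr, value = tree  # names and values are compared case-insensitively
    vals = next((v for k, v in entry.items() if k != "dn" and k.lower() == attr.lower()), [])
    return bool(vals) if value == "*" else any(v.lower() == value.lower() for v in vals)
def search(directory, filter_text):
    # Subtree search under ou=accounts: the filter selects, not the tree shape.
    tree = parse_filter(filter_text)
    return sorted(e["dn"] for e in directory if matches(e, tree))
# Constructed sample directory, not real accounts.
DIRECTORY = [make_entry("my-email@my-domain.com"), make_entry("Committer@Example.org", committer=True)]
```

Running search(DIRECTORY, "(asf-committer=TRUE)") returns only the committer's DN, while a Bugzilla-only account sits in the same subtree under its own e-mail-derived DN.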
