www-infrastructure-dev mailing list archives

From Tony Stevenson <pct...@apache.org>
Subject Re: LDAP : first step
Date Mon, 22 Dec 2008 10:59:19 GMT

[SNIP...]
> 
> Huh?
> 
> If an account gets created in bugzilla, it is probably at
> 
> dn: cn=my-email@my-domain.com,ou=accounts,dc=apache,dc=org
> objectClass: posixUser
> objectClass: bugzillaUser
> email: my-email@my-domain.com
> 

That is about right, yes.

> How should that "squat" anything? Or did I get you wrong? You don't want
> to split the user supplied information up in any way. Treat it as an
> opaque identifier just as an email address.

The DN for committers will be their availid, not their email address. 
Like so:  cn=pctony,ou=people,dc=apache,dc=org

So we don't want any old user to come along and when they create an 
account, if the name is free, it allows them to squat, or rather reserve 
that name for themselves.  Using their email address as the DN not only 
prevents this, but means that all users will be required to provide an 
email address.

> 
> ou=accounts, dc=apache, dc=org might contain hundreds of thousands of
> objects with only a few being actual apache committers or members, but
> that is exactly the thing that LDAP is good at. A member simply gets an
> additional objectClass and you filter on this.
> 

No.  By the fact we will use availid for committers (or anyone who has 
an ASF account) and the email address for public users, I want to keep 
the two trees apart.

> Only if you insist on listing out the tree by hand you want to split it
> up. The usual way is doing a search on the tree or a subtree using the
> objectClass as a filter.

We will most likely use exactly the same OC for both committers and 
non-committers so we can still search quite easily.

However we have recently been discussing the use of separate LDAP 
servers for public services.  This is to try and:

* Mitigate DoS risks, as public services such as bugzilla create 
accounts automatically.  Doing so is quite 'expensive'.  Moving that 
load to the non-committers LDAP server helps lessen the risk that ASF 
folks can't work.

* We can use referrals between the two servers.  As required.

* We can use a completely different namespace for internal vs public 
services.


Cheers,
Tony


-- 


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org
http://www.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
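The layout Tony describes above (committers under ou=people keyed by availid, public service accounts under ou=accounts keyed by email address, the same objectClass on both so one subtree search still finds everything) can be modelled without a directory server. The following is an added example written for this archive page, not code from the thread or from ASF infrastructure: it is an in-memory stand-in for the dc=apache,dc=org tree, the attribute and objectClass names mirror the LDIF quoted in the message, the RFC 4514 escaping shows why an email address used as a DN value must be treated as an opaque string rather than split, and the requirement that a public registration name contain an '@' is an assumed validation rule that makes the "no squatting of availids" property concrete.

```python
"""In-memory model of the two-tree LDAP layout (added example, not ASF code)."""

BASE = "dc=apache,dc=org"
PEOPLE_OU = "ou=people," + BASE      # committers / ASF account holders, cn = availid
ACCOUNTS_OU = "ou=accounts," + BASE  # public service users, cn = email address

# RFC 4514 section 2.4: characters that must be backslash-escaped when an
# attribute value appears inside a DN. Leading '#' and leading/trailing
# spaces are escaped as well.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use in a DN, per RFC 4514."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def committer_dn(availid: str) -> str:
    """DN for an ASF account holder: cn=<availid>,ou=people,dc=apache,dc=org."""
    return f"cn={escape_dn_value(availid)},{PEOPLE_OU}"


def public_account_dn(email: str) -> str:
    """DN for a public (e.g. bugzilla) account: cn=<email>,ou=accounts,dc=apache,dc=org."""
    return f"cn={escape_dn_value(email)},{ACCOUNTS_OU}"


class Directory:
    """Minimal DIT: a map of DN -> attributes, with a subtree search by objectClass.

    Subtree membership is a plain suffix test on the DN string; a real server
    would normalise DNs first. Good enough to show the layout.
    """

    def __init__(self) -> None:
        self.entries: dict[str, dict[str, list[str]]] = {}

    def add(self, dn: str, attrs: dict[str, list[str]]) -> None:
        if dn in self.entries:
            raise ValueError(f"entryAlreadyExists: {dn}")
        self.entries[dn] = attrs

    def search(self, base: str, object_class: str) -> list[str]:
        """Equivalent of: ldapsearch -b <base> -s sub '(objectClass=<object_class>)' (DNs only)."""
        suffix = "," + base
        return sorted(
            dn for dn, attrs in self.entries.items()
            if dn.endswith(suffix) and object_class in attrs["objectClass"]
        )


def register_public_account(d: Directory, email: str) -> str:
    """What an automatic bugzilla-style signup would create.

    Assumed rule: the public tree is keyed by email only, so a bare name like
    'pctony' is rejected and can never reserve a committer's availid.
    """
    if "@" not in email:
        raise ValueError("public accounts are keyed by email address, not a chosen username")
    dn = public_account_dn(email)
    d.add(dn, {"objectClass": ["posixUser", "bugzillaUser"], "email": [email], "cn": [email]})
    return dn


def build_sample_directory() -> Directory:
    """Constructed sample data: one committer and two public accounts."""
    d = Directory()
    d.add(committer_dn("pctony"), {"objectClass": ["posixUser"], "cn": ["pctony"]})
    register_public_account(d, "my-email@my-domain.com")
    # A '+' in the local part must be escaped in the DN but stays intact in the attribute.
    register_public_account(d, "pctony+bz@example.org")
    return d


if __name__ == "__main__":
    d = build_sample_directory()
    print("everyone with posixUser:", d.search(BASE, "posixUser"))
    print("committers only:        ", d.search(PEOPLE_OU, "posixUser"))
    print("public accounts only:   ", d.search(BASE, "bugzillaUser"))
```

Running it shows the point of the two trees: a single subtree search on the common objectClass from dc=apache,dc=org returns all three entries, narrowing the base to ou=people returns just the committer, and filtering on bugzillaUser returns just the public accounts. A public signup for the bare name "pctony" is refused, so the availid stays reserved for the ou=people entry regardless of how many automatically created accounts land in ou=accounts.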
