www-infrastructure-dev mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Re: LDAP : first step
Date Mon, 22 Dec 2008 21:24:21 GMT
Tony Stevenson wrote:

> I don't like the idea of this.  The idea that a non committer can create 
> an account through bugzilla with a "cn=foobar" and therefore allowing 
> them to squat on any given free namespace, doesn't sit well with me.

Definitely, but the problem has a trivial solution.

Use the user's email address as their RDN, and this problem disappears.

When the user becomes a committer, at that point they get to choose a 
username (attribute: uid) to be used for their unix login and svn 
commits, but not before.

Squatting on a name becomes impossible.

> I ideally want to use a different subtree to keep them distinctly apart, 
> and using a different OC, perhaps.  As I think we need to use the email 
> address they provide as the DN for their object.  Not just any old name.

You're setting yourself up for a world of pain if you do this.

Don't change the user's DN over time.

If you change the user's DN, you will be forced to update everything 
that refers to that DN, both inside the LDAP server, and in external 
databases (bugzilla, etc) that might save the DN of the user for its 
own purpose.

Regards,
Graham
--

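The scheme Graham describes, written out as LDIF. This is an added illustration and not part of his mail or of the ASF's directory; the suffix dc=example,dc=org, the ou=people container and the user names are constructed, and it assumes the mail address has been verified before the entry is created (otherwise the address itself becomes the thing to squat on):

```ldif
# Constructed example. Assumes suffix dc=example,dc=org with an
# ou=people container, and a verified mail address.

# 1. Account created from the bugzilla signup. The RDN is the
#    verified mail address, so the only name a non-committer can
#    take is their own; no free cn= or uid= namespace is exposed.
dn: mail=jane@example.org,ou=people,dc=example,dc=org
changetype: add
objectClass: inetOrgPerson
cn: Jane Doe
sn: Doe
mail: jane@example.org

# 2. Promotion to committer: the chosen login name is added as the
#    uid attribute, in place. The DN is unchanged, so nothing inside
#    the directory or in bugzilla that stored the DN needs touching.
dn: mail=jane@example.org,ou=people,dc=example,dc=org
changetype: modify
add: uid
uid: jane

# 3. The rename to avoid. A modrdn to uid=jane would leave every
#    stored reference to the old DN (group members, external rows)
#    dangling. Shown commented out so the file can be applied as is.
# dn: mail=jane@example.org,ou=people,dc=example,dc=org
# changetype: modrdn
# newrdn: uid=jane
# deleteoldrdn: 0
```

Apply with `ldapmodify -a -f file.ldif`; the unix login and svn identity then resolve through the uid attribute while the DN stays the stable key.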