From: Graham Leggett <minfrin@sharp.fm>
To: infrastructure-dev@apache.org
Date: Mon, 15 Dec 2008 15:31:31 +0200
Subject: Re: Centralised authentication/authorisation
Message-ID: <49465C33.2030402@sharp.fm>
In-Reply-To: <49465359.8070205@apache.org>

Tony Stevenson wrote:
> Cool, but we have not yet agreed upon what we are going to be working
> towards. That comes next :-)

I would argue that agreeing what we are working towards would come first :)

> Exactly, and even when it does (possibly) exist there is still no need
> for authentication, AFAICS.

We use authnz across the ASF, from bugzilla, to jira, to various continuous integration servers.

Facing a similar problem myself (many apps, in different architectures, all trying to maintain their own authnz databases, and with inconsistent support for LDAP), it prompted me to introduce mod_session and mod_auth_form to httpd, and have httpd worry about authnz, and have the underlying apps take for granted that authnz has already happened.

While I could wave my hands in the air and try to explain it, it is far easier for me to just deploy a test version of it to show people. Consider it as the very first user of the LDAP service. :)

>> At this point we have the danger of just talking about it for ages and
>> ages, and never getting anything done.
>
> If we talk about it now, and then someone chimes up just after
> deployment that they wanted it to do x, y, and z, we can tell them that they
> had their opportunity to take part on this ML.
One important thing: any LDAP infrastructure will be a living, breathing thing. Requirements will change over time, and people will chime in with suggestions for how the LDAP database could be extended or improved. No part of the design should be "closed" or "cast in stone", and at no point should anybody be told "you had your opportunity to take part but you didn't".

>> Let's start by getting a basic server running, and populate it with
>> some basic information, not accessible to the public.
>
> That won't happen until we all agree on all the fundamental basics
> first. There is absolutely no hurry to get this done. I was pushing on
> ahead with this, much like you seem to want too, but it won't help us.
> Not in the long run.

People aren't willing to pipe up with objections until they have something concrete to object to.

From what I can see, the basics are pretty covered:

- We need a server, and we have one in the form of ADS.
- We need a basic schema, and considering the desire is just authnz at this point, the schemas that already exist should do nicely.

Is there anything else we need to cover?

> I will be one of those admins. I'm not sure any requirement exists from
> those of us that will administer this, to have it do anything other than
> access control.

Having spoken to a number of people in the long time during which the LDAP ball has been kicked around at the ASF, there is definitely a desire to store more than just access control in LDAP. While I, as you do, see no need to do this now, we certainly do not want to close any doors or make it more difficult to do this in future.
Regards,
Graham

-- 

[S/MIME cryptographic signature (smime.p7s) omitted]
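The httpd front door Graham describes (httpd performs authnz with mod_session and mod_auth_form against LDAP, and the application behind it takes for granted that authentication has already happened), as an added configuration example that is not part of the original mail or of httpd's own documentation. It assumes httpd 2.4.10 or later; the hostnames, DNs, group name, cookie name, passphrases, header name and backend URL are placeholders.

```apache
# Added example: httpd 2.4 handles form login + LDAP authnz, the app behind it does not.
# All hostnames, DNs, secrets and the backend URL below are assumed placeholders.
LoadModule ldap_module            modules/mod_ldap.so
LoadModule authnz_ldap_module     modules/mod_authnz_ldap.so
LoadModule auth_form_module       modules/mod_auth_form.so
LoadModule request_module         modules/mod_request.so
LoadModule session_module         modules/mod_session.so
LoadModule session_cookie_module  modules/mod_session_cookie.so
LoadModule session_crypto_module  modules/mod_session_crypto.so
LoadModule proxy_module           modules/mod_proxy.so
LoadModule proxy_http_module      modules/mod_proxy_http.so
LoadModule headers_module         modules/mod_headers.so

# Settings shared by every section below (Location sections merge top-down).
<Location "/">
    AuthType form
    AuthName "ASF"
    AuthFormProvider ldap
    # Users live under ou=people; the directory bind is TLS-protected.
    AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid?one?(objectClass=inetOrgPerson)" TLS
    AuthLDAPBindDN "cn=httpd,ou=services,dc=example,dc=org"
    AuthLDAPBindPassword "CHANGE-ME"
    # The login result is kept in an encrypted cookie, so no app-side session store is needed.
    Session On
    SessionCookieName asf_session path=/;httponly;secure
    SessionCryptoPassphrase "CHANGE-ME-TOO"
    SessionMaxAge 3600
</Location>

# Nothing under /app reaches the backend until httpd has authenticated and authorised the user.
<Location "/app">
    Require ldap-group cn=committers,ou=groups,dc=example,dc=org
    AuthFormLoginRequiredLocation "/login.html"
    # Pass the verified identity downstream. "set" overwrites any client-supplied copy of the
    # header; the backend must additionally be reachable only from this httpd, or the header
    # could be forged by connecting to it directly.
    RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"
    ProxyPass        "http://127.0.0.1:8080/app"
    ProxyPassReverse "http://127.0.0.1:8080/app"
</Location>

# The login form on /login.html POSTs httpd_username and httpd_password here.
<Location "/login.html">
    Require all granted
</Location>
<Location "/dologin">
    SetHandler form-login-handler
    AuthFormLoginSuccessLocation "/app/"
</Location>
<Location "/logout">
    SetHandler form-logout-handler
    AuthFormLogoutLocation "/login.html"
</Location>
```

The backend application then reads X-Remote-User instead of keeping its own password database; the group check in Require is where the "store more than just access control in LDAP" extension would later hook in.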