www-infrastructure-dev mailing list archives

From "Tony Stevenson" <t...@pc-tony.com>
Subject Re: ASF LDAP Project - Update
Date Sat, 10 Jan 2009 16:59:23 GMT

Let me clarify/clear up several points that have been raised.

1)  We will not stop users from logging in using keys only.

2)  We don't prevent users from using passwords to log in, but yes, we
strongly suggest that they do use keys. I don't see this changing anytime
soon either.

3)  We will not set LDAP up in such a way as to prevent root access to
*ANY* server in the event of LDAP failure (also try to remember that we
want to have a multi-master architecture to the LDAP platform, so unless
there is a consolidated LDAP failure, again remember they are in different
datacentres too, we should not have too much to cause us issue.)  We will
take adequate precautions to stop this from happening.

You can all stop worrying now.  :-)


On Sat, January 10, 2009 12:44 pm, Graham Leggett wrote:
> Santiago Gala wrote:
>> I have my login in people.apache.org without a password, using only ssh
>> keys. There was a time when this was encouraged, and root would kill
>> the password access on demand. I would greatly prefer public keys to
>> password as much as I can, and I hope the LDAP change will not affect
>> my ability to not have a shell password, but only a
>> .ssh/authorized_keys file.
>
> The LDAP support won't affect this directly.
>
> With LDAP support, the information that would otherwise appear in
> /etc/passwd now is stored in LDAP, and that isn't just your password,
> but your username, the gecos field, your uid and gid, etc.
>
> The tricky bit may be the bit that stops password logins being possible,
> because the simple way of doing it - removing the password - also removes
> your ability to use the password against other LDAP services, like svn.
>
> I would imagine there is a way to configure PAM to say "if user is
> member of group | not member of group | has this attribute | whatever don't
> permit a login with a password", but that will have to be experimented
> with.
>
> Regards,
> Graham
> --


Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
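
Added example, not part of the thread and not the ASF's configuration: one way to express the PAM rule Graham describes, so that selected users cannot log in over ssh with a password while their LDAP password stays usable elsewhere. It assumes Linux-PAM (for pam_succeed_if), OpenSSH running with "UsePAM yes", the pam_ldap module, and a hypothetical group named "keyonly".

```conf
# /etc/pam.d/sshd  (auth section only; "keyonly" is a hypothetical group name)
#
# sshd verifies public keys itself and does not run this auth stack for
# key-based logins, so these rules only govern password and
# keyboard-interactive logins.

# The "simple way" from the thread, removing the user's password in LDAP,
# would also break svn and every other service that binds with it.
# Here the LDAP password attribute is left alone; only the ssh password
# path is closed for members of "keyonly".

# Stop immediately if the user is in "keyonly": requisite fails the stack
# before any password is checked. The failure is logged by default.
auth    requisite   pam_succeed_if.so user notingroup keyonly

# Local accounts (root included) authenticate against local files first,
# so they keep working when no LDAP server is reachable.
auth    sufficient  pam_unix.so

# Everyone else is checked against LDAP, reusing the password already typed.
auth    required    pam_ldap.so use_first_pass
```

Group membership can itself live in LDAP, so opting a user in or out of password logins is a directory change rather than a per-host edit.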
