www-infrastructure-dev mailing list archives

From sebb <seb...@gmail.com>
Subject Re: LDAP - Next Steps
Date Wed, 27 May 2009 19:46:17 GMT
On 27/05/2009, chris <chris@ia.gov> wrote:
> > In that case, can't the web application trigger the update of the auth file?
>
>
> That certainly would have been an easier way to have done it.  Right now I am
> watching the source (ldap) using the syncrepl overlay to spot changes.  In the
> event that ldap group membership is changed in some way other than via the web
> application, the authz file will still be regenerated.  I think this is the
> best way to do this, but I'm all ears if you know a better way to handle it.

If you are still concerned about the overhead of ldap overlays, then
why not supplement the web-trigger with a cron job that runs a few
times a day?

I don't know how likely it is that ldap group changes will be made
other than by the web application, but it should be possible to set up
a script that can trigger the svn authz rebuild, and this can be used by
humans or scripts.

>
>  >
>  > By the way, will the web app also trigger updates to POSIX groups?
>  > Or are these handled separately?
>  >
>  > I assume the web-app will ensure consistency within LDAP, e.g. all
>  > group members need to be in the LDAP equivalent of committers-?.
>
>
>
> My lack of current practices may bite me here.  Are you asking if the
> application will check the Committers groups before allowing a member to be
> added to any other group?

Yes, that is one of my questions.

>  If it's not this then here's my answer:
>
>  The ldap groups are the POSIX groups.  There will still be some POSIX groups
>  that are defined local to each system, but it is my understanding that those
>  will be a very small set that will be maintained manually.

There are quite a few POSIX groups currently, and these don't always
get updated when the SVN group is updated.

If an LDAP group has a corresponding POSIX group, perhaps the web-app
should trigger an e-mail (or JIRA issue) when a change is made to it.

>  The current group file as you know it will be (mostly) living in ldap after
>  SVN has been assimilated.  (Worth mention -- Committers-[a-z] will become one
>  large Committers group within ldap.)
>
>  At least that's what I think the plan is Sebb. :)  Paul or Tony please
>  correct me if I have gotten lost along the way.
>
>
>  crr/arreyder.

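As an added illustration of the two points raised in this reply (a rebuild script that either the web app, a cron job or a human can call, and a check that every group member is also a committer), here is a small Python sketch. It is not code from the ASF infrastructure project; the group names, member uids and the flat group-to-members mapping are constructed stand-ins for what an LDAP group lookup would return.

```python
"""Generate the [groups] section of an SVN authz file from LDAP group data and
enforce the consistency rule from the thread: every member of a project group
must also be a member of the (merged) committers group.

SAMPLE_GROUPS is constructed sample data, not the ASF's real directory; the
group names and uids are assumptions for illustration only.
"""
import os
import tempfile
from typing import Dict, List, Set

SAMPLE_GROUPS: Dict[str, List[str]] = {
    "committers": ["alice", "bob", "carol"],   # stands in for Committers-[a-z]
    "httpd": ["alice", "bob"],
    "infra": ["carol", "dave"],                # dave is not a committer
}
COMMITTERS_GROUP = "committers"

def find_non_committers(groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Return {group: members who are not in the committers group}."""
    committers = set(groups.get(COMMITTERS_GROUP, []))
    violations: Dict[str, Set[str]] = {}
    for name, members in groups.items():
        if name == COMMITTERS_GROUP:
            continue
        missing = set(members) - committers
        if missing:
            violations[name] = missing
    return violations

def render_authz_groups(groups: Dict[str, List[str]]) -> str:
    """Render the [groups] section; sorted output keeps rebuilds diff-stable."""
    lines = ["[groups]"]
    for name in sorted(groups):
        lines.append(f"{name} = {', '.join(sorted(set(groups[name])))}")
    return "\n".join(lines) + "\n"

def rebuild_authz(groups: Dict[str, List[str]], strict: bool = True) -> str:
    """Single entry point for the web app, a cron job or a human.
    With strict=True an inconsistent directory aborts the rebuild instead of
    silently granting access to someone outside the committers group."""
    violations = find_non_committers(groups)
    if violations and strict:
        raise ValueError(f"non-committers found in groups: {violations}")
    return render_authz_groups(groups)

def write_atomically(path: str, text: str) -> None:
    """Write via a temp file and rename so svn never reads a half-written authz."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
```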