From Tony Stevenson <t...@pc-tony.com>
Subject LDAP - Next Steps
Date Tue, 26 May 2009 15:29:00 GMT

Now that we can look to move LDAP on a little more, I have a question  
that I'd appreciate some feedback on.

As you know, at the moment the SVN Authz file is in Subversion; when  
we move groups into LDAP, this will no longer be the case.
The SVN authz file will be dynamically rebuilt after every change to a  
group (or to the template that creates the Authz file).

To achieve this we have 2 options:

1)  Use OpenLDAP's  'accesslog overlay' to record all changes to the  
2)  Use a custom script that polls the groups and when it notices a  
change, it will force a rebuild.

Now each of these has its ups and downs.  1, for example, logs all  
changes, and could be used as an audit log, but it produces shitloads  
of output.  2, on the other hand, means that the rebuild won't be  
triggered as quickly, and it will rely upon building a reliable  
checkpoint from the previous poll to generate a diff, and ultimately  
kick off the build of a new SVN Authz file.

Of course there is always a 3rd hidden option, and that is to do away  
with using the SVN Authz file completely, use <location> stanzas  
in httpd, and use mod_authz_ldap to control access that way.  Based on  
some of my very simple testing, this option provides a slightly faster  
turnaround in changes, but it would require someone with root  
privileges on eris/harmonia to be able to add new location tags, and  
add new groups to an existing one.

At the moment I think I am leaning to option 1, for the accesslog  
overlay.  But in my heart I would love us to use option 3, albeit this  
may mean a little more work for us.
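As an added illustration of option 2 (the polling approach), not code from the original message or from the infra team: the script below takes a snapshot of LDAP group membership, compares it with the checkpoint saved by the previous poll, and regenerates the authz file from a template only when the membership actually changed. The LDAP search is stubbed with a constructed in-memory directory so it runs offline; `fetch_groups`, the sample groups, the template and the file names are all hypothetical. Two details matter in practice and are handled here: membership is normalised before comparison so that the attribute order returned by the server never triggers a spurious rebuild, and an empty result (typically an unreachable directory) is refused rather than written out, since rebuilding from it would strip every group from the authz file.

```python
"""Poll-and-rebuild of an SVN authz file from LDAP group membership.

Added example modelling option 2 of the mail; not the infra team's script.
The LDAP search is replaced by a constructed in-memory directory so that the
script runs offline; `fetch_groups` is the hypothetical hook a real deployment
would point at the LDAP server.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, List[str]]  # group cn -> member uids

# Constructed sample of what a group search might return (hypothetical data).
SAMPLE_DIRECTORY: Snapshot = {
    "httpd-committers": ["bob", "alice", "carol"],
    "infra": ["tony", "alice"],
}

# Constructed template: the [groups] section is generated, the path rules are fixed.
TEMPLATE_RULES = """
[/]
* = r

[/httpd]
@httpd-committers = rw

[/infrastructure]
@infra = rw
"""


def normalise(groups: Snapshot) -> Snapshot:
    """Canonical form (sorted names, sorted de-duplicated members) so that the
    order in which the server returns attributes can never trigger a rebuild."""
    return {cn: sorted(set(members)) for cn, members in sorted(groups.items())}


def fetch_groups(directory: Snapshot) -> Snapshot:
    """Stand-in for the LDAP query (hypothetical hook)."""
    return normalise(directory)


def checkpoint(groups: Snapshot) -> str:
    """Stable digest of the normalised membership, e.g. for logging which
    snapshot produced a given authz file."""
    canonical = json.dumps(normalise(groups), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_groups(old: Snapshot, new: Snapshot) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per-group (added, removed) members; empty dict when nothing changed."""
    old, new = normalise(old), normalise(new)
    changes = {}
    for cn in sorted(set(old) | set(new)):
        before, after = set(old.get(cn, [])), set(new.get(cn, []))
        if before != after:
            changes[cn] = (sorted(after - before), sorted(before - after))
    return changes


def render_authz(groups: Snapshot) -> str:
    lines = ["[groups]\n"]
    for cn, members in normalise(groups).items():
        lines.append(f"{cn} = {', '.join(members)}\n")
    lines.append(TEMPLATE_RULES)
    return "".join(lines)


def write_atomic(path: str, content: str) -> None:
    """Write a temp file beside the target and rename it into place, so that
    mod_authz_svn never reads a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".tmp.")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)


def load_snapshot(state_path: str) -> Snapshot:
    if not os.path.exists(state_path):
        return {}
    with open(state_path) as fh:
        return normalise(json.load(fh))


def poll_once(state_path: str, authz_path: str, directory: Snapshot) -> Tuple[bool, dict]:
    """One poll against the directory. Returns (rebuilt, changes)."""
    current = fetch_groups(directory)
    if not current:
        # An empty result almost certainly means the directory was unreachable;
        # rebuilding from it would drop every group from the authz file.
        raise RuntimeError("refusing to rebuild authz from an empty group set")
    changes = diff_groups(load_snapshot(state_path), current)
    if not changes and os.path.exists(authz_path):
        return False, changes
    write_atomic(authz_path, render_authz(current))
    write_atomic(state_path, json.dumps(current, sort_keys=True, indent=1))
    return True, changes


def run_polls(versions: List[Snapshot]) -> List[Tuple[bool, dict, str]]:
    """Poll successive directory states in a scratch dir; returns
    (rebuilt, changes, authz text) per poll."""
    scratch = tempfile.mkdtemp()
    state, authz = os.path.join(scratch, "state.json"), os.path.join(scratch, "authz")
    results = []
    for version in versions:
        rebuilt, changes = poll_once(state, authz, version)
        with open(authz) as fh:
            results.append((rebuilt, changes, fh.read()))
    return results


if __name__ == "__main__":
    later = {"httpd-committers": ["alice", "bob", "carol"], "infra": ["alice"]}
    for rebuilt, changes, _ in run_polls([SAMPLE_DIRECTORY, SAMPLE_DIRECTORY, later]):
        print("rebuilt" if rebuilt else "unchanged", changes)
```

Run from cron at whatever interval the latency requirement allows; the diff returned by each poll is what you would log, which gives a coarse audit trail without the volume of the accesslog overlay.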