[gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 2272 bytes --]

On Thu, Jun 10, 2010 at 07:07:53PM +0200, Pacho Ramos wrote:
> Currently, we only need to set a proper message in ~/.away (as talked in
> http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml ) when
> becoming "devaway".
Related to integration of that, I would like opinions on moving some
data from developer home directories into LDAP. I already placed the SPF
data straight into LDAP, since I needed to be able to reach it from
another machine anyway.

All of them would be usable writable, and other access settings are
listed below:
- .away - world readable (gentooDevAway)
- .plan - world readable (gentooDevPlan)
- .asmtp - readable by mail system only. (gentooMailPasswd)
- .forward - readable by mail system only. (gentooMailForward or mailRoutingAddress)
- .permissive - readable by mail system only (gentooMailPermissive)

The following is the count of how many devs have files in their homedirs
matching "\.(FOO).*":
- .asmtp (44 dev)
- .away (71 devs)
- .forward (218 devs)
- .permissive (10 devs)
- .plan (1 dev)

The mail stuff is important to the mail development plans in
Infrastructure. Specifically we want to move inbound SMTP _off_
dev.gentoo.org, and have multiple machines around the globe to handle
the load.

Pros:
- we gain tracked history of what these values are.
- They can be directly accessed from all infrastructure machines.
- Faster propagation of changes to .away and mail settings.
- Ability to split woodpecker/dev.g.o up, and have an EU dev machine,
  and a US dev machine. (If mail isn't being forwarded outside of our
  systems, you would put in ${USERNAME}@eu.dev.gentoo.org.

Cons:
- developers get changes to LDAP wrong already.
	= I counter that they ALSO change the wrong filenames and wonder why
	  there is no effect. I counted a large number of '.permissave',
	  '.devaway' and '.asmtppasswd' files.
- complaints that LDAP is too hard to use.
- need to remember your LDAP password!
- increased dependence on LDAP...

Bonus plans:
- Maybe move mail aliases to LDAP? We'd lose comments :-(.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 330 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Theo Chatzimichos]

[-- Attachment #1: Type: Text/Plain, Size: 742 bytes --]

On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
> Related to integration of that, I would like opinions on moving some
> data from developer home directories into LDAP. I already placed the SPF
> data straight into LDAP, since I needed to be able to reach it from
> another machine anyway.
> 

+1, I strongly believe that LDAP is the answer

> 
> Cons:
> - complaints that LDAP is too hard to use.

I don't agree with that, but just out of curiosity, is it possible to use a 
web interface? phpldapadmin or something
 
> Bonus plans:
> - Maybe move mail aliases to LDAP? We'd lose comments :-(.

+1 on that too

-- 
Theo Chatzimichos (tampakrap)
Gentoo KDE, Qt, SGML, Overlays, Planet Teams
blog.tampakrap.gr

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Alec Warner]

On Thu, Jun 10, 2010 at 10:43 PM, Theo Chatzimichos
<tampakrap@gentoo.org> wrote:
> On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
>> Related to integration of that, I would like opinions on moving some
>> data from developer home directories into LDAP. I already placed the SPF
>> data straight into LDAP, since I needed to be able to reach it from
>> another machine anyway.
>>
>
> +1, I strongly believe that LDAP is the answer
>
>>
>> Cons:
>> - complaints that LDAP is too hard to use.
>
> I don't agree with that, but just out of curiosity, is it possible to use a
> web interface? phpldapadmin or something

The problem with phpldapadmin is that it potentially opens up LDAP to
the world.  Right now you can only talk to ldap.gentoo.org from other
gentoo machines due to what I believe are IPtables rules.  Users use
ssh keys to gain access to IPs in the trusted whitelist (eg
dev.gentoo.org.)  phpldapadmin means anyone on the internet can access
our LDAP infrastructure if they find a vuln in it or steal a
developers password and I assert that it is less likely for an ssh key
to be stolen than a password (this does raise one point however.  We
don't enforce ssh key rotation; it might be nice to require devs to
change keys every so often (annually?)

Key rotation aside I think using using LDAP has two current problems.

perl_ldap is feature-ful but hard to use.  The bind options are
confusing (user / recruiters / infra) do I bind as myself?  As anon?
Do I specify -b user or
-b antarus?  Mutli-valued attributes are confusing for users.

No one remembers their ldap password (they save it in their email
client if they use mail and never use it to login) so no one updates
their ldap data.  I'm not sure of a good solution to this myself.  I
know I never update my crap because I trouble remembering my password
and don't want to bother robin with resetting it whenever I need to
change something.  It could be that by sourcing more data from LDAP we
'fix' this problem.

-A

>
>> Bonus plans:
>> - Maybe move mail aliases to LDAP? We'd lose comments :-(.

Not if you added a comments field ;)

>
> +1 on that too
>
> --
> Theo Chatzimichos (tampakrap)
> Gentoo KDE, Qt, SGML, Overlays, Planet Teams
> blog.tampakrap.gr
>

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Peter Volkov]

В Чтв, 10/06/2010 в 23:42 -0700, Alec Warner пишет:
> > I don't agree with that, but just out of curiosity, is it possible to use a
> > web interface? phpldapadmin or something
> 
> The problem with phpldapadmin is that it potentially opens up LDAP to
> the world.

Require everybody to forward connection through ssh to get ldap web
interface? It's not hard to setup such tunnel manually or e.g. use
xinetd for automatic tunnel creation on request... Another option is to
use https with ssl client side certificates). I think it's not hard for
developers to generate certificates on dev.gentoo.org and import them
into browsers.

> >> Bonus plans:
> >> - Maybe move mail aliases to LDAP? We'd lose comments :-(.
> 
> Not if you added a comments field ;)

+1. Comments are useful (e.g. for non @gentoo.org mail addresses) and
btw, it's good idea if willikins will show them too.

-- 
Peter.

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Maciej Mrozowski]

On Friday 11 of June 2010 09:24:45 Peter Volkov wrote:
> В Чтв, 10/06/2010 в 23:42 -0700, Alec Warner пишет:
> > > I don't agree with that, but just out of curiosity, is it possible to
> > > use a web interface? phpldapadmin or something
> > 
> > The problem with phpldapadmin is that it potentially opens up LDAP to
> > the world.
> 
> Require everybody to forward connection through ssh to get ldap web
> interface? It's not hard to setup such tunnel manually or e.g. use
> xinetd for automatic tunnel creation on request... Another option is to
> use https with ssl client side certificates). I think it's not hard for
> developers to generate certificates on dev.gentoo.org and import them
> into browsers.

I suppose simply making LDAP globally available (SSL only) is asking for 
trouble. In such case anyway one could choose his/her favourite LDAP client.

Anyway I think simple shell scripts for most common activities (devaway, 
change etc) would do.

I'm all for moving to LDAP every info that fits and it's possible. Maybe even 
things like Gentoo overlays access.

-- 
regards
MM

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Peter Volkov]

В Птн, 11/06/2010 в 09:48 +0200, Maciej Mrozowski пишет:
> On Friday 11 of June 2010 09:24:45 Peter Volkov wrote:
> > В Чтв, 10/06/2010 в 23:42 -0700, Alec Warner пишет:
> > > > I don't agree with that, but just out of curiosity, is it possible to
> > > > use a web interface? phpldapadmin or something
> > > 
> > > The problem with phpldapadmin is that it potentially opens up LDAP to
> > > the world.
> > 
> > Require everybody to forward connection through ssh to get ldap web
> > interface? It's not hard to setup such tunnel manually or e.g. use
> > xinetd for automatic tunnel creation on request... Another option is to
> > use https with ssl client side certificates). I think it's not hard for
> > developers to generate certificates on dev.gentoo.org and import them
> > into browsers.
> 
> I suppose simply making LDAP globally available (SSL only) is asking for 
> trouble. In such case anyway one could choose his/her favourite LDAP client.

I'm talking about _web_ interface with required _ssl client
authentification_. I guess it is as secure as ssh.

-- 
Peter.

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Theo Chatzimichos]

[-- Attachment #1: Type: Text/Plain, Size: 508 bytes --]

On Friday 11 June 2010 10:48:36 Maciej Mrozowski wrote:
> I'm all for moving to LDAP every info that fits and it's possible. Maybe
> even things like Gentoo overlays access.

That's not possible, as it is not an attribute that the developer himself 
should touch, but the overlays team only. Furthermore, access to overlays is 
granted to non-developers as well, so either way it isn't easier for us
-- 
Theo Chatzimichos (tampakrap)
Gentoo KDE, Qt, SGML, Overlays, Planet Teams
blog.tampakrap.gr

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Brian Harring]

[-- Attachment #1: Type: text/plain, Size: 736 bytes --]

On Thu, Jun 10, 2010 at 11:42:10PM -0700, Alec Warner wrote:
> perl_ldap is feature-ful but hard to use.  The bind options are
> confusing (user / recruiters / infra) do I bind as myself?  As anon?
> Do I specify -b user or
> -b antarus?  Mutli-valued attributes are confusing for users.

We should specifically have a tool for this instead of having people 
invoking perl_ldap- said tool also gives us easier validation and 
sanity checking.  I'd started one in '06 but had to retire it at 
the time due to ldaps not being supported by the python ldap bindings 
I was using- afaik that issue bindings wise is now long since gone.

Robin, any remenant of that survive?  Else a new one could be wrote I 
suppose.
~harring

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Theo Chatzimichos]

[-- Attachment #1: Type: Text/Plain, Size: 1061 bytes --]

On Saturday 12 June 2010 23:22:09 Brian Harring wrote:
> On Thu, Jun 10, 2010 at 11:42:10PM -0700, Alec Warner wrote:
> > perl_ldap is feature-ful but hard to use.  The bind options are
> > confusing (user / recruiters / infra) do I bind as myself?  As anon?
> > Do I specify -b user or
> > -b antarus?  Mutli-valued attributes are confusing for users.
> 
> We should specifically have a tool for this instead of having people
> invoking perl_ldap- said tool also gives us easier validation and
> sanity checking.  I'd started one in '06 but had to retire it at
> the time due to ldaps not being supported by the python ldap bindings
> I was using- afaik that issue bindings wise is now long since gone.
> 
> Robin, any remenant of that survive?  Else a new one could be wrote I
> suppose.
> ~harring

I wrote a django ldap frontend for my uni thesis, and the ldap library for 
python was working very well, so I would like to help on that.
-- 
Theo Chatzimichos (tampakrap)
Gentoo KDE, Qt, SGML, Overlays, Planet Teams
blog.tampakrap.gr

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

["Paweł Hajdan, Jr."]

[-- Attachment #1: Type: text/plain, Size: 1418 bytes --]

On 6/11/10 5:27 AM, Robin H. Johnson wrote:
> - Ability to split woodpecker/dev.g.o up, and have an EU dev machine,
>   and a US dev machine. (If mail isn't being forwarded outside of our
>   systems, you would put in ${USERNAME}@eu.dev.gentoo.org.

Sounds good to me. Looks like it would have lower latency. :)

> Cons:
> - developers get changes to LDAP wrong already.
> 	= I counter that they ALSO change the wrong filenames and wonder why
> 	  there is no effect. I counted a large number of '.permissave',
> 	  '.devaway' and '.asmtppasswd' files.

Maybe we should have an easy way to compare how the system sees it
versus how the user sees it? For example some command/script that would say:

.away file: missing
(... similar checks for other files/things omitted here ...)

And then a person who has created a .devaway file can notice the
discrepancy.

> - complaints that LDAP is too hard to use.

Maybe we need better scripts and better documentation? I think the main
problem might be that LDAP is too alien for many people.

My opinion: I have no problem using Gentoo LDAP, but would appreciate
some usability improvements. :)

> - need to remember your LDAP password!

D'oh, I guess it's always required, for example to update the
description displayed on the roll call. By the way, it looks like this
is the reason why the description is sometimes outdated.

Paweł


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Dirkjan Ochtman]

On Fri, Jun 11, 2010 at 08:58, "Paweł Hajdan, Jr."
<phajdan.jr@gentoo.org> wrote:
>> Cons:
>> - developers get changes to LDAP wrong already.
>>       = I counter that they ALSO change the wrong filenames and wonder why
>>         there is no effect. I counted a large number of '.permissave',
>>         '.devaway' and '.asmtppasswd' files.

Couldn't we just have a script that opens the devAway from my LDAP
entry in my EDITOR and writes it when I save & close?

Cheers,

Dirkjan

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Petteri Räty]

On 11.6.2010 6.27, Robin H. Johnson wrote:
> On Thu, Jun 10, 2010 at 07:07:53PM +0200, Pacho Ramos wrote:
>> Currently, we only need to set a proper message in ~/.away (as talked in
>> http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml ) when
>> becoming "devaway".
> Related to integration of that, I would like opinions on moving some
> data from developer home directories into LDAP. I already placed the SPF
> data straight into LDAP, since I needed to be able to reach it from
> another machine anyway.
> 

This thread belongs to gentoo-project.

Regards,
Petteri

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Thilo Bangert]

[-- Attachment #1: Type: Text/Plain, Size: 316 bytes --]

> This thread belongs to gentoo-project.

perhaps its time to reduce the number of mailinglists again. IMHO it 
doesnt hurt to have this thread on gentoo-dev and the volume of messages 
and their tone here has been sufficiently normal to again allow for more 
subjects.

just my 2 cents
kind regards
Thilo

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

[Petteri Räty]

On 11.6.2010 12.32, Thilo Bangert wrote:
>> This thread belongs to gentoo-project.
> 
> perhaps its time to reduce the number of mailinglists again. IMHO it 
> doesnt hurt to have this thread on gentoo-dev and the volume of messages 
> and their tone here has been sufficiently normal to again allow for more 
> subjects.
> 
> just my 2 cents
> kind regards
> Thilo

Sure but doing that should be done by opening a new thread and gathering
opinions. Until then we should follow the agreed rules.

Regards,
Petteri