Date: Thu, 10 Jun 2010 23:42:10 -0700
From: Alec Warner
Sender: antarus@scriptkitty.com
To: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
List-Id: Gentoo Linux mail
Subject: Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]
In-Reply-To: <201006110843.25420.tampakrap@gentoo.org>
References: <20100611032726.GA13860@orbis-terrarum.net> <201006110843.25420.tampakrap@gentoo.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

On Thu, Jun 10, 2010 at 10:43 PM, Theo Chatzimichos wrote:
> On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
>> Related to integration of that, I would like opinions on moving some
>> data from developer home directories into LDAP. I already placed the SPF
>> data straight into LDAP, since I needed to be able to reach it from
>> another machine anyway.
>
> +1, I strongly believe that LDAP is the answer
>
>> Cons:
>> - complaints that LDAP is too hard to use.
>
> I don't agree with that, but just out of curiosity, is it possible to use a
> web interface? phpldapadmin or something

The problem with phpldapadmin is that it potentially opens up LDAP to the
world. Right now you can only talk to ldap.gentoo.org from other Gentoo
machines due to what I believe are iptables rules. Users use ssh keys to gain
access to IPs in the trusted whitelist (e.g. dev.gentoo.org). phpldapadmin
means anyone on the internet can access our LDAP infrastructure if they find
a vuln in it or steal a developer's password, and I assert that it is less
likely for an ssh key to be stolen than a password. (This does raise one
point, however: we don't enforce ssh key rotation; it might be nice to
require devs to change keys every so often (annually?).)

Key rotation aside, I think using LDAP has two current problems.

perl_ldap is feature-ful but hard to use. The bind options are confusing
(user / recruiters / infra): do I bind as myself? As anon? Do I specify
-b user or -b antarus? Multi-valued attributes are confusing for users.

No one remembers their ldap password (they save it in their email client if
they use mail and never use it to login), so no one updates their ldap data.
I'm not sure of a good solution to this myself. I know I never update my
crap because I have trouble remembering my password and don't want to bother
robin with resetting it whenever I need to change something. It could be
that by sourcing more data from LDAP we 'fix' this problem.

-A

>> Bonus plans:
>> - Maybe move mail aliases to LDAP? We'd lose comments :-(.

Not if you added a comments field ;)

> +1 on that too
>
> --
> Theo Chatzimichos (tampakrap)
> Gentoo KDE, Qt, SGML, Overlays, Planet Teams
> blog.tampakrap.gr
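The reply above raises two points that can be checked mechanically once developer data lives in LDAP: whether ssh keys are being rotated, and how to make sense of multi-valued attributes. The script below is an added example written for this page; it is not code from the gentoo-dev thread, from Gentoo infra, or from perl_ldap. It assumes a hypothetical LDIF export in which each developer entry carries one or more `sshPublicKey` values (OpenSSH authorized_keys format) and that the date a key was installed is recorded in that key's comment field as `added=YYYY-MM-DD` (a convention invented here, chosen because LDAP does not guarantee the order of a second multi-valued attribute, so pairing a parallel "date" attribute with the right key by position would be unreliable). It parses the LDIF (including folded lines and `::` base64 values), computes the OpenSSH `SHA256:` fingerprint of each key blob, verifies that the blob's embedded key type matches the text type, and reports keys older than the annual limit floated in the thread, as well as keys whose age cannot be determined. The sample LDIF and the key blobs are constructed in the script (the "public keys" are filler bytes in the correct wire format, not real keys).

```python
"""Audit ssh public keys exported from LDAP for rotation.

Added example, not code from the gentoo-dev thread or Gentoo infra.
Assumptions (hypothetical): developer entries carry a multi-valued
'sshPublicKey' attribute in authorized_keys format, and the key comment
contains 'added=YYYY-MM-DD' recording when the key was installed.
"""
import base64
import hashlib
import struct
from datetime import date

MAX_KEY_AGE_DAYS = 365  # annual rotation, as floated in the thread


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of {attr: [values]} dicts.

    Handles folded continuation lines (leading space), comments, and
    '::' base64-encoded values. Entries are separated by blank lines.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):           # 'attr:: base64value'
            val = base64.b64decode(val[1:].strip()).decode()
        else:
            val = val.strip()
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def fingerprint(pubkey_line):
    """OpenSSH-style 'SHA256:<base64>' fingerprint of an authorized_keys line.

    Also checks that the length-prefixed type inside the blob matches the
    textual key type, so a mangled or mislabelled key is rejected rather
    than silently fingerprinted.
    """
    keytype, b64 = pubkey_line.split(None, 2)[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match %r" % keytype)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_added(pubkey_line):
    """Return the 'added=' date from the key comment, or None if absent."""
    parts = pubkey_line.split(None, 2)
    comment = parts[2] if len(parts) == 3 else ""
    for tok in comment.split():
        if tok.startswith("added="):
            return date.fromisoformat(tok[len("added="):])
    return None


def stale_keys(entries, today, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (uid, fingerprint, age_days) for keys past the limit.

    Keys with no recorded install date are reported with age None: an
    auditor cannot prove they were rotated, so they must not pass silently.
    """
    report = []
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        for key in entry.get("sshPublicKey", []):
            added = key_added(key)
            age = (today - added).days if added else None
            if age is None or age > max_age_days:
                report.append((uid, fingerprint(key), age))
    return report


def make_ed25519_blob(fill):
    """Constructed ssh-ed25519 wire blob with filler public-key bytes."""
    keytype = b"ssh-ed25519"
    pub = bytes([fill]) * 32             # placeholder, not a real key
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + pub
    return base64.b64encode(blob).decode()


# Constructed sample export; uids mirror the thread's participants only as labels.
SAMPLE_LDIF = """dn: uid=antarus,ou=devs,dc=example,dc=org
uid: antarus
sshPublicKey: ssh-ed25519 {k1} antarus@dev added=2009-05-01
sshPublicKey: ssh-ed25519 {k2} antarus@laptop
  added=2010-06-01

dn: uid=tampakrap,ou=devs,dc=example,dc=org
uid: tampakrap
sshPublicKey: ssh-ed25519 {k3} tampakrap added=2010-01-15

dn: uid=robbat2,ou=devs,dc=example,dc=org
uid:: cm9iYmF0Mg==
sshPublicKey: ssh-ed25519 {k4} robbat2@dev
""".format(k1=make_ed25519_blob(1), k2=make_ed25519_blob(2),
           k3=make_ed25519_blob(3), k4=make_ed25519_blob(4))


def audit(today=date(2010, 6, 11)):
    return stale_keys(parse_ldif(SAMPLE_LDIF), today)


if __name__ == "__main__":
    for uid, fp, age in audit():
        print("%-10s %s  %s" % (uid, fp, "age unknown" if age is None else "%d days" % age))
```

Run as a script it prints the two offending keys: the antarus key installed in 2009 (406 days old on the date used) and the robbat2 key with no recorded date; the folded second antarus key and tampakrap's recent key pass. The ordering of values within one multi-valued attribute is preserved as exported, which is why the date rides along in the key's own comment rather than in a separate attribute.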