zarb-ml/mageia-webteam/2011-January/000177.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-webteam] [Mageia-sysadm] New test tree in ldap
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-webteam%40mageia.org?Subject=Re%3A%20%5BMageia-webteam%5D%20%5BMageia-sysadm%5D%20New%20test%20tree%20in%20ldap&In-Reply-To=%3C1295893524.31817.45.camel%40akroma.ephaone.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="000175.html">
   <LINK REL="Next"  HREF="000173.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-webteam] [Mageia-sysadm] New test tree in ldap</H1>
    <B>Michael Scherer</B> 
    <A HREF="mailto:mageia-webteam%40mageia.org?Subject=Re%3A%20%5BMageia-webteam%5D%20%5BMageia-sysadm%5D%20New%20test%20tree%20in%20ldap&In-Reply-To=%3C1295893524.31817.45.camel%40akroma.ephaone.org%3E"
       TITLE="[Mageia-webteam] [Mageia-sysadm] New test tree in ldap">misc at zarb.org
       </A><BR>
    <I>Mon Jan 24 19:25:24 CET 2011</I>
    <P><UL>
        <LI>Previous message: <A HREF="000175.html">[Mageia-webteam] [Mageia-sysadm] New test tree in ldap
</A></li>
        <LI>Next message: <A HREF="000173.html">[Mageia-webteam] [Mageia-sysadm] New test tree in ldap
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#177">[ date ]</a>
              <a href="thread.html#177">[ thread ]</a>
              <a href="subject.html#177">[ subject ]</a>
              <a href="author.html#177">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Le lundi 24 janvier 2011 &#224; 17:54 +0000, Kosmas Chatzimichalis a &#233;crit :
&gt;<i> &gt;
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; &gt; Would we need a different user name for the application, or we would have
</I>&gt;<i> &gt; a
</I>&gt;<i> &gt; &gt; group that exists there and has admin permissions in the app?
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; The login do not have write access to the ldap, it just here to connect
</I>&gt;<i> &gt; to ldap,do the login ( like misc ) to ldap login mapping ( like
</I>&gt;<i> &gt; uid=misc,ou=People,dc=mageia,dc=org ), and then test if the password is
</I>&gt;<i> &gt; correct by binding to ldap using ldap login and the password.
</I>&gt;<i> &gt;
</I>&gt;<i> &gt; Now, if you need to store something to ldap, we can arrange something,
</I>&gt;<i> &gt; but that would requires to change ACLs ( and I think that it is better
</I>&gt;<i> &gt; to not use ldap to store this, for various reason like &quot;ldap is more
</I>&gt;<i> &gt; complex to manage than sql&quot; )
</I>&gt;<i>
</I>&gt;<i> I was thinking along the lines, about permissions of who can edit/create
</I>&gt;<i> entries in the maintainers db?
</I>&gt;<i> So, if a user (maintainer with admin permissions?) has the necessary entry
</I>&gt;<i> in the ldap, then they should be able to change things in the maintainers
</I>&gt;<i> db.
</I>
I think that simply checking if someone is in some ldap group would be
sufficient. ( and more in conformance with the way the rest of
infrastructure is managed ). I would even add for more than 1 group so
we can have sysadmin and another group of packagers, if delegation is
needed.

There is various way to handle this, and I think you should ask to
packagers about what they would want, especially with regard to multiple
maintainers per packages ( not for now, of course as the goal was to
have something ready fast, but such improvements were quite asked
afaik ). Ie, who can accept another packagers or not ?

We do not have any upload restrictions yet, but I guess that sooner or
later, some parts will be restricted, and it would be better to have
them maintainers based rather than duplicating the username in the
buildsystem configuration.


&gt;<i> I don't think there will be a need to have write permissions to ldap, unless
</I>&gt;<i> we want to create maintainers in maint db app, and write that to the ldap.
</I>&gt;<i> I will send another email with a few questions about maint db later on.
</I>
Yup, the maintainer creation should be done on ldap first, as people
need a account to maintain anything.

&gt;<i> OK. That's great thanks Michael.
</I>&gt;<i> Again I was thinking about a maintainer, that I should be doing a lookup in
</I>&gt;<i> ldap, but I could be testing that with my account I suppose.
</I>
I am not sure that would work :/

The ldap is quite restricted to protect privacy of users, and only
service accounts should be able to get such informations. 

-- 
Michael Scherer

</PRE>

<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="000175.html">[Mageia-webteam] [Mageia-sysadm] New test tree in ldap
</A></li>
	<LI>Next message: <A HREF="000173.html">[Mageia-webteam] [Mageia-sysadm] New test tree in ldap
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#177">[ date ]</a>
              <a href="thread.html#177">[ thread ]</a>
              <a href="subject.html#177">[ subject ]</a>
              <a href="author.html#177">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-webteam">More information about the Mageia-webteam
mailing list</a><br>
</body></html>