| 1 |
On Thu, Jun 10, 2010 at 10:43 PM, Theo Chatzimichos |
| 2 |
<tampakrap@g.o> wrote: |
| 3 |
> On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote: |
| 4 |
>> Related to integration of that, I would like opinions on moving some |
| 5 |
>> data from developer home directories into LDAP. I already placed the SPF |
| 6 |
>> data straight into LDAP, since I needed to be able to reach it from |
| 7 |
>> another machine anyway. |
| 8 |
>> |
| 9 |
> |
| 10 |
> +1, I strongly believe that LDAP is the answer |
| 11 |
> |
| 12 |
>> |
| 13 |
>> Cons: |
| 14 |
>> - complaints that LDAP is too hard to use. |
| 15 |
> |
| 16 |
> I don't agree with that, but just out of curiosity, is it possible to use a |
| 17 |
> web interface? phpldapadmin or something |
| 18 |
|
| 19 |
The problem with phpldapadmin is that it potentially opens up LDAP to |
| 20 |
the world. Right now you can only talk to ldap.gentoo.org from other |
| 21 |
gentoo machines due to what I believe are IPtables rules. Users use |
| 22 |
ssh keys to gain access to IPs in the trusted whitelist (eg |
| 23 |
dev.gentoo.org.) phpldapadmin means anyone on the internet can access |
| 24 |
our LDAP infrastructure if they find a vuln in it or steal a |
| 25 |
developers password and I assert that it is less likely for an ssh key |
| 26 |
to be stolen than a password (this does raise one point however. We |
| 27 |
don't enforce ssh key rotation; it might be nice to require devs to |
| 28 |
change keys every so often (annually?) |
| 29 |
|
| 30 |
Key rotation aside I think using using LDAP has two current problems. |
| 31 |
|
| 32 |
perl_ldap is feature-ful but hard to use. The bind options are |
| 33 |
confusing (user / recruiters / infra) do I bind as myself? As anon? |
| 34 |
Do I specify -b user or |
| 35 |
-b antarus? Mutli-valued attributes are confusing for users. |
| 36 |
|
| 37 |
No one remembers their ldap password (they save it in their email |
| 38 |
client if they use mail and never use it to login) so no one updates |
| 39 |
their ldap data. I'm not sure of a good solution to this myself. I |
| 40 |
know I never update my crap because I trouble remembering my password |
| 41 |
and don't want to bother robin with resetting it whenever I need to |
| 42 |
change something. It could be that by sourcing more data from LDAP we |
| 43 |
'fix' this problem. |
| 44 |
|
| 45 |
-A |
| 46 |
|
| 47 |
> |
| 48 |
>> Bonus plans: |
| 49 |
>> - Maybe move mail aliases to LDAP? We'd lose comments :-(. |
| 50 |
|
| 51 |
Not if you added a comments field ;) |
| 52 |
|
| 53 |
> |
| 54 |
> +1 on that too |
| 55 |
> |
| 56 |
> -- |
| 57 |
> Theo Chatzimichos (tampakrap) |
| 58 |
> Gentoo KDE, Qt, SGML, Overlays, Planet Teams |
| 59 |
> blog.tampakrap.gr |
| 60 |
> |
Archives