On Thu, Jun 10, 2010 at 10:43 PM, Theo Chatzimichos <tampakrap@g.o> wrote:
> On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
>> Related to integration of that, I would like opinions on moving some
>> data from developer home directories into LDAP. I already placed the SPF
>> data straight into LDAP, since I needed to be able to reach it from
>> another machine anyway.
>>
>
> +1, I strongly believe that LDAP is the answer
>
>>
>> Cons:
>> - complaints that LDAP is too hard to use.
>
> I don't agree with that, but just out of curiosity, is it possible to use a
> web interface? phpldapadmin or something

The problem with phpldapadmin is that it potentially opens up LDAP to
the world. Right now you can only talk to ldap.gentoo.org from other
Gentoo machines due to what I believe are iptables rules. Users use
ssh keys to gain access to IPs in the trusted whitelist (e.g.
dev.gentoo.org). phpldapadmin means anyone on the internet can access
our LDAP infrastructure if they find a vuln in it or steal a
developer's password, and I assert that it is less likely for an ssh key
to be stolen than a password. (This does raise one point, however: we
don't enforce ssh key rotation; it might be nice to require devs to
change keys every so often (annually?).)

Key rotation aside, I think using LDAP has two current problems.

perl_ldap is feature-ful but hard to use. The bind options are
confusing (user / recruiters / infra): do I bind as myself? As anon?
Do I specify -b user or -b antarus? Multi-valued attributes are
confusing for users.

No one remembers their LDAP password (they save it in their email
client if they use mail and never use it to log in), so no one updates
their LDAP data. I'm not sure of a good solution to this myself. I
know I never update my crap because I have trouble remembering my password
and don't want to bother Robin with resetting it whenever I need to
change something. It could be that by sourcing more data from LDAP we
'fix' this problem.

-A

>
>> Bonus plans:
>> - Maybe move mail aliases to LDAP? We'd lose comments :-(.

Not if you added a comments field ;)

>
> +1 on that too
>
> --
> Theo Chatzimichos (tampakrap)
> Gentoo KDE, Qt, SGML, Overlays, Planet Teams
> blog.tampakrap.gr
>
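The three points of confusion raised above (anonymous vs. authenticated bind, whether the search base names the container or the user, and multi-valued attributes) can be shown in one small Net::LDAP script. This is an added example written for this page, not perl_ldap or anything from Gentoo infra; the host name, base DN, the uid= naming convention and the sshPublicKey attribute are all assumptions, since the thread does not describe the real directory layout.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical values: the real server, base DN and schema are not given in the thread.
my $host    = 'ldap.example.org';
my $base_dn = 'ou=devs,dc=example,dc=org';
my $user    = $ARGV[0] // 'antarus';

my $ldap = Net::LDAP->new($host, version => 3)
    or die "cannot connect to $host: $@";

# Negotiate TLS before any credential leaves the client; require a valid server cert.
my $tls = $ldap->start_tls(
    verify => 'require',
    cafile => '/etc/ssl/certs/ca-certificates.crt',   # assumed CA bundle path
);
die 'start_tls failed: ' . $tls->error if $tls->code;

# Bind choice: anonymous is enough to read public attributes; binding as your
# own entry (uid=<you>,<base>) is what you need in order to modify that entry.
my $bind;
if (defined(my $pw = $ENV{LDAP_PASS})) {
    $bind = $ldap->bind("uid=$user,$base_dn", password => $pw);
} else {
    $bind = $ldap->bind;    # anonymous bind
}
die 'bind failed: ' . $bind->error if $bind->code;

# The search base (-b) is the container to search under, not the user's name;
# the filter selects the entry. Escape user-supplied input so it cannot alter
# the filter syntax.
my $res = $ldap->search(
    base   => $base_dn,
    scope  => 'one',
    filter => '(uid=' . escape_filter_value($user) . ')',
    attrs  => [qw(uid cn mail sshPublicKey)],   # sshPublicKey is an assumed attribute
);
die 'search failed: ' . $res->error if $res->code;

for my $entry ($res->entries) {
    print $entry->dn, "\n";
    for my $attr ($entry->attributes) {
        # In list context get_value returns every value, so a multi-valued
        # attribute (several mail addresses, several ssh keys) prints one per line.
        my @vals = $entry->get_value($attr);
        printf "  %-13s %s\n", $attr, $_ for @vals;
    }
}

$ldap->unbind;
```

Run it as `LDAP_PASS=... ./ldapwho.pl antarus` to bind as yourself, or without `LDAP_PASS` for an anonymous read. The distinction between base DN and filter is the answer to the "-b user or -b antarus" question: the base is always the container, and the uid goes in the filter.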