[Mageia-webteam] [Mageia-sysadm] New test tree in ldap

Michael Scherer misc at zarb.org
Mon Jan 24 19:25:24 CET 2011


Le lundi 24 janvier 2011 à 17:54 +0000, Kosmas Chatzimichalis a écrit :
> >
> > > Would we need a different user name for the application, or we would have a
> > > group that exists there and has admin permissions in the app?
> >
> > The login does not have write access to the ldap, it is just here to connect
> > to ldap, do the login ( like misc ) to ldap login mapping ( like
> > uid=misc,ou=People,dc=mageia,dc=org ), and then test if the password is
> > correct by binding to ldap using the ldap login and the password.
> >
> > Now, if you need to store something in ldap, we can arrange something,
> > but that would require changing the ACLs ( and I think that it is better
> > not to use ldap to store this, for various reasons like "ldap is more
> > complex to manage than sql" )
>
> I was thinking along the lines of permissions: who can edit/create
> entries in the maintainers db?
> So, if a user (maintainer with admin permissions?) has the necessary entry
> in the ldap, then they should be able to change things in the maintainers
> db.

I think that simply checking if someone is in some ldap group would be
sufficient ( and more in conformance with the way the rest of the
infrastructure is managed ). I would even allow for more than 1 group so
we can have sysadmin and another group of packagers, if delegation is
needed.

There are various ways to handle this, and I think you should ask the
packagers about what they would want, especially with regard to multiple
maintainers per package ( not for now, of course, as the goal was to
have something ready fast, but such improvements were quite asked for
afaik ). Ie, who can accept another packager or not ?

We do not have any upload restrictions yet, but I guess that sooner or
later, some parts will be restricted, and it would be better to have
them maintainer-based rather than duplicating the username in the
buildsystem configuration.


> I don't think there will be a need to have write permissions to ldap, unless
> we want to create maintainers in maint db app, and write that to the ldap.
> I will send another email with a few questions about maint db later on.

Yup, the maintainer creation should be done in ldap first, as people
need an account to maintain anything.

> OK. That's great thanks Michael.
> Again I was thinking about a maintainer, that I should be doing a lookup in
> ldap, but I could be testing that with my account I suppose.

I am not sure that would work :/

The ldap is quite restricted to protect the privacy of users, and only
service accounts should be able to get such information.

-- 
Michael Scherer
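The login flow the thread describes (service account maps a login name to its DN, the user's password is checked by binding as that DN, and authorization comes from ldap group membership, with more than one group allowed) as an added example. This is not code from the thread or from Mageia's infrastructure. The base DN dc=mageia,dc=org and the ou=People layout come from the messages above; the service account DN, the group names, the passwords and the directory contents are constructed, and the directory itself is an in-memory fake so the example runs offline. A real client (python-ldap, ldap3) issues the same bind and search operations in the same order.

```python
"""Login -> DN mapping, password check by bind, and group-based
authorization against an in-memory fake of the ldap server (constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BASE_DN = "dc=mageia,dc=org"                                # from the thread
PEOPLE_BASE = "ou=People," + BASE_DN                        # from the thread
SERVICE_DN = "uid=maintdb,ou=System Accounts," + BASE_DN    # assumed name
SERVICE_PW = "service-secret"                               # constructed
# Groups whose members may edit maintainers db entries (assumed names);
# a set rather than a single group, so delegation is possible.
ADMIN_GROUPS = frozenset({"mga-sysadmin", "mga-packagers-admin"})
# Only logins of this shape are composed into a DN; anything else
# (commas, '=', spaces) could alter the DN and is rejected up front.
UID_RE = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")


class FakeDirectory:
    """Stand-in for the ldap server with constructed data."""

    def __init__(self, passwords: Dict[str, str], groups: Dict[str, Set[str]]):
        self.passwords = passwords   # dn -> password
        self.groups = groups         # group cn -> set of member uids
        self.bound_as: Optional[str] = None

    def bind(self, dn: str, password: str) -> bool:
        # An empty password is rejected explicitly: on many servers it turns
        # the request into an anonymous bind, which "succeeds".
        if not password or self.passwords.get(dn) != password:
            self.bound_as = None
            return False
        self.bound_as = dn
        return True

    def _require_service(self) -> None:
        # Mirrors the ACLs described in the thread: only the service
        # account may read People and group data.
        if self.bound_as != SERVICE_DN:
            raise PermissionError("search requires the service account bind")

    def find_dn(self, uid: str) -> Optional[str]:
        self._require_service()
        dn = "uid=%s,%s" % (uid, PEOPLE_BASE)
        return dn if dn in self.passwords else None

    def groups_of(self, uid: str) -> Set[str]:
        self._require_service()
        return {cn for cn, members in self.groups.items() if uid in members}


@dataclass
class LoginResult:
    authenticated: bool
    dn: Optional[str] = None
    groups: Set[str] = field(default_factory=set)
    may_edit: bool = False   # True when the user is in at least one admin group


def login(directory: FakeDirectory, uid: str, password: str) -> LoginResult:
    # 1. Reject logins that could change the DN we are about to compose.
    if not UID_RE.match(uid):
        return LoginResult(False)
    # 2. Service bind: read-only account used for the login -> DN mapping.
    if not directory.bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError("service account bind failed")
    dn = directory.find_dn(uid)
    if dn is None:
        return LoginResult(False)
    # 3. Password check: bind as the user's own DN with the given password.
    if not directory.bind(dn, password):
        return LoginResult(False, dn)
    # 4. Authorization: rebind as the service account and read group membership.
    directory.bind(SERVICE_DN, SERVICE_PW)
    groups = directory.groups_of(uid)
    return LoginResult(True, dn, groups, bool(groups & ADMIN_GROUPS))


def sample_directory() -> FakeDirectory:
    """Constructed data: two users, one of them in an admin group."""
    return FakeDirectory(
        passwords={
            SERVICE_DN: SERVICE_PW,
            "uid=misc," + PEOPLE_BASE: "misc-pw",
            "uid=kosmas," + PEOPLE_BASE: "kosmas-pw",
        },
        groups={"mga-sysadmin": {"misc"}, "mga-packagers": {"misc", "kosmas"}},
    )


if __name__ == "__main__":
    d = sample_directory()
    for uid, pw in [("misc", "misc-pw"), ("kosmas", "kosmas-pw"),
                    ("kosmas", "wrong"), ("kosmas", ""), ("misc,ou=Admins", "x")]:
        print(uid, login(d, uid, pw))
```

The application never needs write access: everything it does is two read-only operations as the service account plus a bind as the user, and the rebind in step 4 matters because after the user bind the connection is no longer the service account and, under the ACLs described, could not read group data.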
