On Thu, Jun 10, 2010 at 10:43 PM, Theo Chatzimichos
<tampak...@gentoo.org> wrote:
> On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
>> Related to integration of that, I would like opinions on moving some
>> data from developer home directories into LDAP. I already placed the SPF
>> data straight into LDAP, since I needed to be able to reach it from
>> another machine anyway.
>>
>
> +1, I strongly believe that LDAP is the answer
>
>>
>> Cons:
>> - complaints that LDAP is too hard to use.
>
> I don't agree with that, but just out of curiosity, is it possible to use a
> web interface? phpldapadmin or something

The problem with phpldapadmin is that it potentially opens up LDAP to
the world.  Right now you can only talk to ldap.gentoo.org from other
gentoo machines due to what I believe are iptables rules.  Users use
ssh keys to gain access to IPs in the trusted whitelist (eg
dev.gentoo.org.)  phpldapadmin means anyone on the internet can access
our LDAP infrastructure if they find a vuln in it or steal a
developer's password, and I assert that it is less likely for an ssh key
to be stolen than a password.  (This does raise one point however.  We
don't enforce ssh key rotation; it might be nice to require devs to
change keys every so often (annually?).)

Key rotation aside, I think using LDAP has two current problems.

perl_ldap is feature-ful but hard to use.  The bind options are
confusing (user / recruiters / infra): do I bind as myself?  As anon?
Do I specify -b user or -b antarus?  Multi-valued attributes are
confusing for users.

No one remembers their ldap password (they save it in their email
client if they use mail and never use it to login), so no one updates
their ldap data.  I'm not sure of a good solution to this myself.  I
know I never update my crap because I have trouble remembering my
password and don't want to bother robin with resetting it whenever I
need to change something.  It could be that by sourcing more data from
LDAP we 'fix' this problem.

-A

>
>> Bonus plans:
>> - Maybe move mail aliases to LDAP? We'd lose comments :-(.

Not if you added a comments field ;)

>
> +1 on that too
>
> --
> Theo Chatzimichos (tampakrap)
> Gentoo KDE, Qt, SGML, Overlays, Planet Teams
> blog.tampakrap.gr
>