As preannounced at [1] the GNOME Infrastructure switched to a new
Account Management System which is reachable at https://account.gnome.org.
All the details will follow.
Introduction
--
It's been a while since someone actually touched the underlying
authentication infrastructure that powers the GNOME machines. The very
first setup was originally configured by Jonathan Blandford (jrb), who
set up an OpenLDAP instance with several customized schemas
(pServer fields in the old CVS days, pubAuthorizedKeys and GNOME
module-related fields in more recent times).
While the OpenLDAP server lived on the GNOME machine called clipboard
(aka ldap.gnome.org), the clients were configured to synchronize users,
groups and passwords through the nslcd daemon. After several years Jeff
Schroeder joined the Sysadmin Team and during one cold evening (the date
is Tue, February 1st 2011) spent some time configuring SSSD to replace
the nslcd daemon, which was missing one of the most important SSSD
features: caching. What surely convinced Jeff to adopt SSSD (a very
new but promising software at that time, as the first release happened
right before 2010's Christmas), and as the commit log also states ("New
sssd module for ldap information caching"), was SSSD's caching feature.
It was enough for a user to log in once and the
'/var/lib/sss/db' directory was populated with their login information,
so the daemon in charge of picking up login details no longer had to
query the LDAP server itself every single time a
request was made against it. This feature has definitely helped on
many occasions, especially when the LDAP server was down for some
reason and sysadmins needed to access a specific machine or
service: without SSSD this was never going to work, and sysadmins
would probably have been locked out of the machines they used
to manage (unless you still had '/etc/passwd', '/etc/group' and
'/etc/shadow' entries as a fallback).
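To make the caching behaviour described above concrete, here is a minimal sssd.conf of the kind that replaces nslcd on a client. This is an added example, not the GNOME Infrastructure's actual configuration: the domain name, LDAP host, search base and CA certificate path are placeholders. The setting that matters for the "LDAP server is down but sysadmins can still log in" scenario is cache_credentials; the [pam] and TLS settings bound the risk that comes with keeping credential hashes on every client.

```ini
# Added example of an SSSD client configuration (not the GNOME project's own).
# Hostnames, search base and certificate path below are placeholders.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]
# Remember lookups of non-existent users for a short while so repeated
# misses do not each hit the LDAP server.
entry_negative_timeout = 15

[pam]
# Number of days a user may keep logging in from the local cache while the
# LDAP server is unreachable. 0 (the default) never expires cached
# credentials, which is the weak setting; 7 keeps the outage window bounded.
offline_credentials_expiration = 7

[domain/example]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# Placeholders: use your own LDAP server, base DN and CA certificate.
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.pem
# Refuse to talk to an LDAP server whose certificate does not verify, so
# cached credentials cannot be seeded by an impostor directory.
ldap_tls_reqcert = demand
# The feature the post credits SSSD with: after one successful login the
# user's identity and a hash of the password are stored under
# /var/lib/sss/db, and later logins are served from there even if LDAP is down.
cache_credentials = True
# Seconds that user and group entries are served from the cache before
# SSSD re-queries LDAP.
entry_cache_timeout = 5400
# Look entries up on demand instead of mirroring the whole directory.
enumerate = False
```

The file must be owned by root with mode 0600 or SSSD refuses to start, which is deliberate: the cache under /var/lib/sss/db and this file together define who can authenticate offline, so both should be treated as sensitive local state.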
Things were working just fine, except for a few downsides that appeared
later on:
1. the web interface (view) on our LDAP user database was managed by
Mango, an outdated tool which many wanted to rewrite in Django and
which slowly became a huge dinosaur nobody ever wanted to look into again;
2. the Foundation membership information was managed through a MySQL
database, so there were two databases and two sets of users unrelated to each other;
3. users were not able to modify their own account information on
their own: even a single e-mail change required them to mail
the GNOME Accounts Team, which then had to authenticate their request
and finally update the account.
Today's infrastructure changes are here to finally say that the issues
outlined at (1, 2, 3) are now fixed.
What has changed?
--
The GNOME Infrastructure is now powered by Red Hat's FreeIPA, which
bundles several FOSS components into one package, all surrounded by
an easy and intuitive web UI that will help users update their account
information on their own without the need of the Accounts Team or any
other administrative entity. Users will also find two custom fields on
their Overview page, these being "Foundation Member since" and "Last
Renewed on" date. As you may have understood already, we finally
managed to migrate the Foundation membership database into LDAP itself
to store the information we want once and for all. As a side note, it
might be possible that some users that were Foundation members in the
past won't find any detail stored in the Foundation fields outlined
above. That is actually expected, as we were only able to migrate the
current and old Foundation members that had an LDAP account registered
at the time of the migration. If that's your case and you would still
like the information to be stored on the new setup, please get in
contact with the Membership Committee at membership-committee AT
gnome DOT org stating so.
Where can I get my first login credentials?
--
Let's make a little distinction between users that previously had
access to Mango (usually maintainers) and users that didn't. If you
used to access Mango before, you should be able to log in on the
new Account Management System by entering your GNOME username and the
password you used to log in to Mango. (After logging
in the very first time you will be prompted to update your password;
please choose a strong password, as this account will be unique across
all the GNOME Infrastructure.)
If you never had access to Mango, you lost your password, or the first
time you read the word Mango on this post you thought "why is he
talking about a fruit now?", you should be able to reset it by using
the following command:
ssh -l yourgnomeuserid account.gnome.org
The command will start an SSH connection between you and
account.gnome.org; once authenticated (with the SSH key you previously
registered on our Infrastructure) you will