Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-12 Thread Brian Harring
On Thu, Jun 10, 2010 at 11:42:10PM -0700, Alec Warner wrote:
> perl_ldap is feature-ful but hard to use.  The bind options are
> confusing (user / recruiters / infra) do I bind as myself?  As anon?
> Do I specify -b user or
> -b antarus?  Multi-valued attributes are confusing for users.

We should specifically have a tool for this instead of having people 
invoking perl_ldap- said tool also gives us easier validation and 
sanity checking.  I'd started one in '06 but had to retire it at 
the time due to ldaps not being supported by the python ldap bindings 
I was using- afaik that issue bindings wise is now long since gone.

Robin, any remnant of that survive?  Else a new one could be written I 
suppose.
~harring




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-12 Thread Theo Chatzimichos
On Saturday 12 June 2010 23:22:09 Brian Harring wrote:
> On Thu, Jun 10, 2010 at 11:42:10PM -0700, Alec Warner wrote:
> > perl_ldap is feature-ful but hard to use.  The bind options are
> > confusing (user / recruiters / infra) do I bind as myself?  As anon?
> > Do I specify -b user or
> > -b antarus?  Multi-valued attributes are confusing for users.
> 
> We should specifically have a tool for this instead of having people
> invoking perl_ldap- said tool also gives us easier validation and
> sanity checking.  I'd started one in '06 but had to retire it at
> the time due to ldaps not being supported by the python ldap bindings
> I was using- afaik that issue bindings wise is now long since gone.
> 
> Robin, any remnant of that survive?  Else a new one could be written I
> suppose.
> ~harring

I wrote a django ldap frontend for my uni thesis, and the ldap library for 
python was working very well, so I would like to help on that.
-- 
Theo Chatzimichos (tampakrap)
Gentoo KDE, Qt, SGML, Overlays, Planet Teams
blog.tampakrap.gr




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Alec Warner
On Thu, Jun 10, 2010 at 10:43 PM, Theo Chatzimichos
tampak...@gentoo.org wrote:
> On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
> > Related to integration of that, I would like opinions on moving some
> > data from developer home directories into LDAP. I already placed the SPF
> > data straight into LDAP, since I needed to be able to reach it from
> > another machine anyway.
> 
> +1, I strongly believe that LDAP is the answer
> 
> > Cons:
> > - complaints that LDAP is too hard to use.
> 
> I don't agree with that, but just out of curiosity, is it possible to use a
> web interface? phpldapadmin or something

The problem with phpldapadmin is that it potentially opens up LDAP to
the world.  Right now you can only talk to ldap.gentoo.org from other
gentoo machines due to what I believe are IPtables rules.  Users use
ssh keys to gain access to IPs in the trusted whitelist (eg
dev.gentoo.org.)  phpldapadmin means anyone on the internet can access
our LDAP infrastructure if they find a vuln in it or steal a
developers password and I assert that it is less likely for an ssh key
to be stolen than a password (this does raise one point however: we
don't enforce ssh key rotation; it might be nice to require devs to
change keys every so often (annually?)).

Key rotation aside I think using LDAP has two current problems.

perl_ldap is feature-ful but hard to use.  The bind options are
confusing (user / recruiters / infra) do I bind as myself?  As anon?
Do I specify -b user or
-b antarus?  Multi-valued attributes are confusing for users.

No one remembers their ldap password (they save it in their email
client if they use mail and never use it to login) so no one updates
their ldap data.  I'm not sure of a good solution to this myself.  I
know I never update my crap because I have trouble remembering my password
and don't want to bother robin with resetting it whenever I need to
change something.  It could be that by sourcing more data from LDAP we
'fix' this problem.

-A


> > Bonus plans:
> > - Maybe move mail aliases to LDAP? We'd lose comments :-(.

Not if you added a comments field ;)


> +1 on that too
> 
> --
> Theo Chatzimichos (tampakrap)
> Gentoo KDE, Qt, SGML, Overlays, Planet Teams
> blog.tampakrap.gr




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Paweł Hajdan, Jr.
On 6/11/10 5:27 AM, Robin H. Johnson wrote:
> - Ability to split woodpecker/dev.g.o up, and have an EU dev machine,
>   and a US dev machine. (If mail isn't being forwarded outside of our
>   systems, you would put in ${userna...@eu.dev.gentoo.org.

Sounds good to me. Looks like it would have lower latency. :)

> Cons:
> - developers get changes to LDAP wrong already.
>   => I counter that they ALSO change the wrong filenames and wonder why
> there is no effect. I counted a large number of '.permissave',
> '.devaway' and '.asmtppasswd' files.

Maybe we should have an easy way to compare how the system sees it
versus how the user sees it? For example some command/script that would say:

.away file: missing
(... similar checks for other files/things omitted here ...)

And then a person who has created a .devaway file can notice the
discrepancy.

> - complaints that LDAP is too hard to use.

Maybe we need better scripts and better documentation? I think the main
problem might be that LDAP is too alien for many people.

My opinion: I have no problem using Gentoo LDAP, but would appreciate
some usability improvements. :)

> - need to remember your LDAP password!

D'oh, I guess it's always required, for example to update the
description displayed on the roll call. By the way, it looks like this
is the reason why the description is sometimes outdated.

Paweł



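The "how the system sees it versus how the user sees it" script Paweł sketches above, as an added example (not part of the thread and not Gentoo infra tooling). It assumes the canonical control-file names: the thread only names ~/.away; .forward and .permissive are inferred from the subject line, and the SMTP-password file is left out because the thread never gives its correct name. A near-miss dotfile (such as '.devaway' next to a missing '.away') is flagged with difflib so the developer can see the typo the mail system silently ignores. The sample home directory is constructed inside the block.

```python
"""Report a developer's mail control files the way the system sees them.

Added example, not Gentoo infra code. Assumed: the canonical names in
EXPECTED and the 0.6 similarity cutoff for near-miss detection.
"""
import difflib
import os
import tempfile

EXPECTED = {                       # assumption: canonical names
    ".away": "devaway message",
    ".forward": "mail forwarding address",
    ".permissive": "permissive-mode flag",
}


def audit_home(home, expected=EXPECTED, cutoff=0.6):
    """Return {name: (status, near_misses)} for every expected dotfile.

    status is 'present', 'empty' (exists but has no content, so the system
    treats it as unset) or 'missing'. For a missing file, near_misses lists
    stray dotfiles whose name is close to the expected one, which is how
    '.devaway' shows up beside '.away file: missing'.
    """
    dotfiles = sorted(n for n in os.listdir(home) if n.startswith("."))
    strays = [n for n in dotfiles if n not in expected]
    report = {}
    for name in expected:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            status = "present" if os.path.getsize(path) > 0 else "empty"
            report[name] = (status, [])
        else:
            near = difflib.get_close_matches(name, strays, n=3, cutoff=cutoff)
            report[name] = ("missing", near)
    return report


def format_report(report, expected=EXPECTED):
    """Render one line per file, naming the likely typo beside each miss."""
    lines = []
    for name, (status, near) in report.items():
        line = "%s file: %s" % (name, status)
        if status == "missing" and near:
            line += " (found %s instead; the system ignores that name)" % ", ".join(near)
        elif status == "empty":
            line += " (exists but is empty, so no %s is set)" % expected[name]
        lines.append(line)
    return lines


def make_sample_home():
    """Constructed sample input, not real data: the mistyped names the
    thread counted, an empty .forward, and an unrelated dotfile."""
    home = tempfile.mkdtemp(prefix="devhome.")
    samples = {".devaway": "on vacation\n", ".permissave": "1\n",
               ".forward": "", ".bashrc": "# shell config\n"}
    for name, content in samples.items():
        with open(os.path.join(home, name), "w") as fh:
            fh.write(content)
    return home


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for line in format_report(audit_home(home)):
        print(line)
```

Run with no argument it audits your own home directory; run against the constructed sample it reports '.away file: missing (found .devaway instead; ...)', '.forward file: empty (...)' and '.permissive file: missing (found .permissave instead; ...)'. Once the same data lives in LDAP, the "system view" half of the comparison becomes an ldapsearch for the corresponding attribute instead of a stat() on the file.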


Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Dirkjan Ochtman
On Fri, Jun 11, 2010 at 08:58, Paweł Hajdan, Jr.
phajdan...@gentoo.org wrote:
> Cons:
> - developers get changes to LDAP wrong already.
>       => I counter that they ALSO change the wrong filenames and wonder why
>         there is no effect. I counted a large number of '.permissave',
>         '.devaway' and '.asmtppasswd' files.

Couldn't we just have a script that opens the devAway from my LDAP
entry in my EDITOR and writes it when I save & close?

Cheers,

Dirkjan
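The editor round-trip Dirkjan asks for, combined with the validation and sanity checking Brian wants such a tool to do, as an added example (not part of the thread and not Gentoo infra code). Assumptions: the attribute is called gentooDevAway (the thread only says "devAway"), developer entries live under ou=devs,dc=gentoo,dc=org, and a 1024-byte limit on the message. The directory write itself is deliberately left to ldapmodify (or python-ldap's modify_s, whose (op, attr, values) triples are the same shape as what plan_change returns), so the block runs without any LDAP bindings; values that LDIF cannot carry verbatim (non-ASCII, newlines, leading space or colon) are base64-encoded per RFC 2849.

```python
"""Edit one LDAP attribute in $EDITOR, validate it, emit an LDIF modify.

Added example, not Gentoo infra code. Assumed: DEVAWAY_ATTR, DEV_BASE,
MAX_BYTES. Output is meant to be piped into ldapmodify over ldaps.
"""
import base64
import os
import shlex
import subprocess
import tempfile

DEVAWAY_ATTR = "gentooDevAway"          # assumption
DEV_BASE = "ou=devs,dc=gentoo,dc=org"   # assumption
MAX_BYTES = 1024                        # assumption


class ValidationError(ValueError):
    pass


def validate(text):
    """Normalise an edited value: strip surrounding whitespace, allow
    newlines and tabs, refuse other control characters and oversize values."""
    text = text.strip()
    bad = sorted({c for c in text if ord(c) < 32 and c not in "\n\t"})
    if bad:
        raise ValidationError("control characters not allowed: %r" % bad)
    if len(text.encode("utf-8")) > MAX_BYTES:
        raise ValidationError("value longer than %d bytes" % MAX_BYTES)
    return text


def edit_in_editor(current, editor=None):
    """Round-trip `current` through an editor and return the edited text.

    `editor` is a command string, an argv list, or (for scripting/tests)
    a callable that receives the temp file path. mkstemp creates the file
    with mode 0600, so the scratch copy is not world-readable."""
    editor = editor or os.environ.get("EDITOR", "vi")
    fd, path = tempfile.mkstemp(prefix="devaway.", suffix=".txt")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(current)
        if callable(editor):
            editor(path)
        else:
            argv = editor if isinstance(editor, list) else shlex.split(editor)
            subprocess.run(argv + [path], check=True)
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    finally:
        os.unlink(path)


def plan_change(attr, old, new):
    """Return [(op, attr, value)] describing the directory update; an empty
    list means nothing changed and nothing should be written."""
    new = validate(new)
    if new == old:
        return []
    if not new:
        return [("delete", attr, None)]     # empty message clears devaway
    return [("replace", attr, new)]


def ldif_attr(attr, value):
    """RFC 2849: values that are non-ASCII, contain CR/LF/NUL, start with
    space/':'/'<' or end with a space must be base64-encoded ('attr::')."""
    unsafe = (not value.isascii() or any(c in value for c in "\r\n\0")
              or value[:1] in (" ", ":", "<") or value.endswith(" "))
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def to_ldif(dn, changes):
    """Render a 'changetype: modify' record for ldapmodify; '' if no change."""
    if not changes:
        return ""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, attr, value in changes:
        lines.append("%s: %s" % (op, attr))
        if value is not None:
            lines.append(ldif_attr(attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # usage: devaway-edit.py <uid> [current value]  | ldapmodify ...
    uid = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("USER", "")
    current = sys.argv[2] if len(sys.argv) > 2 else ""
    changes = plan_change(DEVAWAY_ATTR, current, edit_in_editor(current))
    sys.stdout.write(to_ldif("uid=%s,%s" % (uid, DEV_BASE), changes))
```

Fetch the current value first (ldapsearch -H ldaps://ldap.gentoo.org -b "$DEV_BASE" -LLL "(uid=$USER)" gentooDevAway, with the assumed base and attribute), pass it as the second argument, and pipe the output into ldapmodify -H ldaps://ldap.gentoo.org -D "uid=$USER,$DEV_BASE" -W. An unchanged or whitespace-only edit produces no LDIF, so ldapmodify receives nothing and writes nothing, and because it binds as the developer the server's ACLs, not the script, decide which attributes may be changed.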



Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Peter Volkov
On Thu, 10/06/2010 at 23:42 -0700, Alec Warner wrote:
> > I don't agree with that, but just out of curiosity, is it possible to use a
> > web interface? phpldapadmin or something
> 
> The problem with phpldapadmin is that it potentially opens up LDAP to
> the world.

Require everybody to forward connection through ssh to get ldap web
interface? It's not hard to setup such tunnel manually or e.g. use
xinetd for automatic tunnel creation on request... Another option is to
use https with ssl client side certificates. I think it's not hard for
developers to generate certificates on dev.gentoo.org and import them
into browsers.

> > Bonus plans:
> > - Maybe move mail aliases to LDAP? We'd lose comments :-(.
> 
> Not if you added a comments field ;)

+1. Comments are useful (e.g. for non @gentoo.org mail addresses) and
btw, it's a good idea if willikins will show them too.

-- 
Peter.




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Maciej Mrozowski
On Friday 11 of June 2010 09:24:45 Peter Volkov wrote:
> On Thu, 10/06/2010 at 23:42 -0700, Alec Warner wrote:
> > > I don't agree with that, but just out of curiosity, is it possible to
> > > use a web interface? phpldapadmin or something
> > 
> > The problem with phpldapadmin is that it potentially opens up LDAP to
> > the world.
> 
> Require everybody to forward connection through ssh to get ldap web
> interface? It's not hard to setup such tunnel manually or e.g. use
> xinetd for automatic tunnel creation on request... Another option is to
> use https with ssl client side certificates. I think it's not hard for
> developers to generate certificates on dev.gentoo.org and import them
> into browsers.

I suppose simply making LDAP globally available (SSL only) is asking for 
trouble. In such a case anyway one could choose his/her favourite LDAP client.

Anyway I think simple shell scripts for most common activities (devaway, 
change etc) would do.

I'm all for moving to LDAP every info that fits and it's possible. Maybe even 
things like Gentoo overlays access.

-- 
regards
MM



Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Peter Volkov
On Fri, 11/06/2010 at 09:48 +0200, Maciej Mrozowski wrote:
> On Friday 11 of June 2010 09:24:45 Peter Volkov wrote:
> > On Thu, 10/06/2010 at 23:42 -0700, Alec Warner wrote:
> > > > I don't agree with that, but just out of curiosity, is it possible to
> > > > use a web interface? phpldapadmin or something
> > > 
> > > The problem with phpldapadmin is that it potentially opens up LDAP to
> > > the world.
> > 
> > Require everybody to forward connection through ssh to get ldap web
> > interface? It's not hard to setup such tunnel manually or e.g. use
> > xinetd for automatic tunnel creation on request... Another option is to
> > use https with ssl client side certificates. I think it's not hard for
> > developers to generate certificates on dev.gentoo.org and import them
> > into browsers.
> 
> I suppose simply making LDAP globally available (SSL only) is asking for 
> trouble. In such a case anyway one could choose his/her favourite LDAP client.

I'm talking about _web_ interface with required _ssl client
authentication_. I guess it is as secure as ssh.

-- 
Peter.




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Petteri Räty
On 11.6.2010 6.27, Robin H. Johnson wrote:
> On Thu, Jun 10, 2010 at 07:07:53PM +0200, Pacho Ramos wrote:
> > Currently, we only need to set a proper message in ~/.away (as talked in
> > http://www.gentoo.org/proj/en/devrel/roll-call/devaway.xml ) when
> > becoming devaway.
> Related to integration of that, I would like opinions on moving some
> data from developer home directories into LDAP. I already placed the SPF
> data straight into LDAP, since I needed to be able to reach it from
> another machine anyway.
> 

This thread belongs to gentoo-project.

Regards,
Petteri



Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Thilo Bangert
> This thread belongs to gentoo-project.

perhaps it's time to reduce the number of mailinglists again. IMHO it 
doesn't hurt to have this thread on gentoo-dev and the volume of messages 
and their tone here has been sufficiently normal to again allow for more 
subjects.

just my 2 cents
kind regards
Thilo




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Theo Chatzimichos
On Friday 11 June 2010 10:48:36 Maciej Mrozowski wrote:
> I'm all for moving to LDAP every info that fits and it's possible. Maybe
> even things like Gentoo overlays access.

That's not possible, as it is not an attribute that the developer himself 
should touch, but the overlays team only. Furthermore, access to overlays is 
granted to non-developers as well, so either way it isn't easier for us.
-- 
Theo Chatzimichos (tampakrap)
Gentoo KDE, Qt, SGML, Overlays, Planet Teams
blog.tampakrap.gr




Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-11 Thread Petteri Räty
On 11.6.2010 12.32, Thilo Bangert wrote:
> > This thread belongs to gentoo-project.
> 
> perhaps it's time to reduce the number of mailinglists again. IMHO it 
> doesn't hurt to have this thread on gentoo-dev and the volume of messages 
> and their tone here has been sufficiently normal to again allow for more 
> subjects.
> 
> just my 2 cents
> kind regards
> Thilo

Sure but doing that should be done by opening a new thread and gathering
opinions. Until then we should follow the agreed rules.

Regards,
Petteri



Re: [gentoo-dev] RFC: Moving more developer data to LDAP, for scalability/redundancy (away, foward, permissive, SMTP password, plan) [WAS: Suggestion to ask devs to change their bugzilla name]

2010-06-10 Thread Theo Chatzimichos
On Friday 11 June 2010 06:27:26 Robin H. Johnson wrote:
> Related to integration of that, I would like opinions on moving some
> data from developer home directories into LDAP. I already placed the SPF
> data straight into LDAP, since I needed to be able to reach it from
> another machine anyway.
> 

+1, I strongly believe that LDAP is the answer

 
> Cons:
> - complaints that LDAP is too hard to use.

I don't agree with that, but just out of curiosity, is it possible to use a 
web interface? phpldapadmin or something
 
> Bonus plans:
> - Maybe move mail aliases to LDAP? We'd lose comments :-(.

+1 on that too

-- 
Theo Chatzimichos (tampakrap)
Gentoo KDE, Qt, SGML, Overlays, Planet Teams
blog.tampakrap.gr

