DevHeads.net

Just curious about accounts on the cbs

Just wondering what authentication software you were looking at.

These days, I've found FreeIPA to be surprisingly feature rich (and
bundled with the OS!).
-LDAP
-Kerberos
-Certificates
-Multi-Master replication
-Password policies

All built in!

There is a Samba hook too, but I'm not sure that is relevant here....

The FreeIPA devs are also very nice people who've been receptive to
feature requests.

Mostly I'm just curious what people are thinking .....

Pat

Comments

Re: Just curious about accounts on the cbs

By Jim Perrin at 06/27/2014 - 11:02

On 06/27/2014 08:30 AM, Pat Riehecky wrote:

So, I've been looking at this for a while, though 7 has kinda slowed
things down. There are essentially 2 authentication systems that would
work for our needs. FAS and FreeIPA. FreeIPA to me seems the most
documented and robust, but there are a couple issues that we would need
to address.

For our needs, users would need to be able to register and
self-administer (in limited capacity) without admin interaction. So to
do this we'd need captcha or email click-thru account verification. I'm
not overly picky, so long as it presents a significant barrier to common
internet miscreants.

Additionally, we would need some form of password reset validation
(likely also email click-thru validation) so that project folks don't
become full-time password reset experts.

I've spoken with Nathaniel McCallum and Dmitri Pal about this, and
they're certainly interested in such things, however they don't appear
to have the cycles to work on adding these features.

Beyond the development, the only place where this plan falls down is
with user based ssl/x509 certs. While the tools within FreeIPA have the
ability to do this, it's not exposed in an overly user-friendly (and
mostly hands-off) manner. If we're building using git hooks and only
git needs a cert, then it's not a big deal. If we're doing user-driven
scratch builds, then this either means we have another bit to develop or
we look at FAS.

Comments/thoughts?

Re: Just curious about accounts on the cbs

By Jim Perrin at 06/27/2014 - 11:04

Replying to (and top-posting) myself to clarify:

The idea here is to provide a single unified login for the build system,
bugs, forums, etc. This allows us group and permissions flexibility as
well as being able to promote users via a merit-based structure, as well
as allowing SIG leaders to maintain their own groups and independence.

On 06/27/2014 10:02 AM, Jim Perrin wrote: