[Da-tools-discuss] ideas for LDAP use
Marc 'HE' Brockschmidt
he at ftwca.de
Thu Dec 27 13:47:36 UTC 2007
Stephen Gran <sgran at debian.org> writes:
> So I was looking through the schema currently in use, and at how ud-ldap
> uses it. Some first impressions:
>
> Groups in the users tree: yuck
ACK.
> We are overloading some attributes instead of using new attributes to
> transmit information. For example, we mark the userPassword field with
> LK if an account is locked - we could just create a new attribute that
> tells us the account is locked.
Yes.
> We are not mandating several attributes for developer accounts that we
> really should be mandating (keyFingerprint springs to mind here).
Actually, in the turmzimmer.net setup, we have some cases of accounts
without a fingerprint (actual user accounts!)...
> It seems that this is because we keep old accounts around forever, and
> some of those old accounts won't have a key, so we can't mandate it
> moving forward. We could just create a new objectClass
> debianDeveloperEmeritus or something that has relaxed MUSTs, and make
> the debianDeveloper one make more sense. It also strikes me that this
> might be an easy way to handle the locked account case above as well.
Sounds like a good idea, but this change is so disruptive that I would
love to hear from DSA (i.e., weasel) about this before actually going
forward with it.
Marc
--
BOFH #365:
parallel processors running perpendicular today
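As an added illustration (not code from this thread or from ud-ldap), a small Python model of the two schema styles under discussion: per-objectClass MUST checks, and locked state read from an overloaded userPassword versus a dedicated attribute. The MUST/MAY sets, the attribute name accountLocked and the exact form of the LK marker are assumptions.

```python
from typing import Dict, List, Set

Entry = Dict[str, List[str]]

# Assumed MUST/MAY sets for the objectClasses the thread discusses; the real
# ud-ldap schema is not reproduced. 'accountLocked' is an assumed name for
# the dedicated lock attribute the thread proposes.
SCHEMA: Dict[str, Dict[str, Set[str]]] = {
    "debianDeveloper": {"must": {"uid", "keyFingerprint"}, "may": {"accountLocked"}},
    "debianDeveloperEmeritus": {"must": {"uid"}, "may": {"accountLocked"}},
}

def missing_must(entry: Entry) -> Set[str]:
    """Return MUST attributes required by the entry's objectClasses but absent."""
    missing: Set[str] = set()
    for oc in entry.get("objectClass", []):
        missing |= SCHEMA.get(oc, {}).get("must", set()) - set(entry)
    return missing

def is_locked_overloaded(entry: Entry) -> bool:
    """Current style: infer lock state from an 'LK' marker in userPassword.
    Substring matching is the weakness: a hash that happens to contain
    'LK' looks locked too."""
    return any("LK" in v for v in entry.get("userPassword", []))

def is_locked_explicit(entry: Entry) -> bool:
    """Proposed style: a dedicated attribute states the lock unambiguously."""
    return entry.get("accountLocked", ["FALSE"])[0].upper() == "TRUE"

# Constructed sample entries (not real accounts; hashes are placeholders).
ACTIVE_DD: Entry = {
    "objectClass": ["debianDeveloper"], "uid": ["alice"],
    "keyFingerprint": ["0000000000000000000000000000000000000000"],
    "userPassword": ["{crypt}$1$placeholderhash"],
}
EMERITUS: Entry = {  # retired account: no key required, locked both ways
    "objectClass": ["debianDeveloperEmeritus"], "uid": ["bob"],
    "userPassword": ["{crypt}*LK*"], "accountLocked": ["TRUE"],
}
STALE_DD: Entry = {  # old account still typed debianDeveloper, no fingerprint
    "objectClass": ["debianDeveloper"], "uid": ["carol"],
    "userPassword": ["{crypt}*LK*"],
}
AMBIGUOUS: Entry = {  # active account whose hash merely contains 'LK'
    "objectClass": ["debianDeveloper"], "uid": ["dave"],
    "keyFingerprint": ["1111111111111111111111111111111111111111"],
    "userPassword": ["{crypt}$1$abcLKxyz"], "accountLocked": ["FALSE"],
}
```

The STALE_DD entry is the case the thread describes (an old account that can no longer satisfy a mandatory keyFingerprint), and AMBIGUOUS shows why reading lock state out of userPassword is fragile.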