[CentOS-devel] Just curious about accounts on the cbs

Fri Jun 27 15:04:42 UTC 2014
Jim Perrin <jperrin at centos.org>

Replying to (and top-posting) myself to clarify:

The idea here is to provide a single unified login for the build system,
bugs, forums, etc. This allows us group and permissions flexibility as
well as being able to promote users via a merit-based structure, as well
as allowing SIG leaders to maintain their own groups and independence.

On 06/27/2014 10:02 AM, Jim Perrin wrote:
> 
> 
> On 06/27/2014 08:30 AM, Pat Riehecky wrote:
>> Just wondering what authentication software you were looking at.
>>
>> These days, I've found FreeIPA to be surprisingly feature rich (and 
>> bundled with the OS!).
>> -LDAP
>> -Kerberos
>> -Certificates
>> -Multi-Master replication
>> -Password policies
>>
>> All built in!
>>
>> There is a Samba hook too, but I'm not sure that is relevant here....
>>
>> The FreeIPA devs are also very nice people who've been receptive to 
>> feature requests.
>>
>> Mostly I'm just curious what people are thinking .....
>>
>> Pat
>>
> 
> 
> So, I've been looking at this for a while, though 7 has kinda slowed
> things down. There are essentially 2 authentication systems that would
> work for our needs. FAS and FreeIPA. FreeIPA to me seems the most
> documented and robust, but there are a couple issues that we would need
> to address.
> 
> For our needs, users would need to be able to register and
> self-administer (in limited capacity) without admin interaction. So to
> do this we'd need captcha or email click-thru account verification. I'm
> not overly picky, so long as it presents a significant barrier to common
> internet miscreants.
> 
> Additionally, we would need some form of password reset validation
> (likely also email click-thru validation) so that project folks don't
> become full-time password reset experts.
> 
> I've spoken with Nathaniel McCallum and Dmitri Pal about this, and
> they're certainly interested in such things, however they don't appear
> to have the cycles to work on adding these features.
> 
> 
> Beyond the development, the only place where this plan falls down is
> with user-based ssl/x509 certs. While the tools within FreeIPA have the
> ability to do this, it's not exposed in an overly user-friendly (and
> mostly hands-off) manner. If we're building using git hooks and only
> git needs a cert, then it's not a big deal. If we're doing user-driven
> scratch builds, then this either means we have another bit to develop or
> we look at FAS.
> 
> 
> Comments/thoughts?
> 
> 

-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77