Replying to (and top-posting) myself to clarify:
The idea here is to provide a single unified login for the build system, bugs, forums, etc. This allows us group and permissions flexibility as well as being able to promote users via a merit-based structure, as well as allowing SIG leaders to maintain their own groups and independence.
On 06/27/2014 10:02 AM, Jim Perrin wrote:
On 06/27/2014 08:30 AM, Pat Riehecky wrote:
Just wondering what authentication software you were looking at.
These days, I've found FreeIPA to be surprisingly feature rich (and bundled with the OS!).
- LDAP
- Kerberos
- Certificates
- Multi-Master replication
- Password policies
All built in!
There is a Samba hook too, but I'm not sure that is relevant here....
The FreeIPA devs are also very nice people who've been receptive to feature requests.
Mostly I'm just curious what people are thinking .....
Pat
So, I've been looking at this for a while, though 7 has kinda slowed things down. There are essentially 2 authentication systems that would work for our needs: FAS and FreeIPA. FreeIPA to me seems the most documented and robust, but there are a couple of issues that we would need to address.
For our needs, users would need to be able to register and self-administer (in limited capacity) without admin interaction. So to do this we'd need captcha or email click-thru account verification. I'm not overly picky, so long as it presents a significant barrier to common internet miscreants.
Additionally, we would need some form of password reset validation (likely also email click-thru validation) so that project folks don't become full-time password reset experts.
I've spoken with Nathaniel McCallum and Dmitri Pal about this, and they're certainly interested in such things, however they don't appear to have the cycles to work on adding these features.
Beyond the development, the only place where this plan falls down is with user-based SSL/X.509 certs. While the tools within FreeIPA have the ability to do this, it's not exposed in an overly user-friendly (and mostly hands-off) manner. If we're building using git hooks and only git needs a cert, then it's not a big deal. If we're doing user-driven scratch builds, then this either means we have another bit to develop or we look at FAS.
Comments/thoughts?