[CentOS-devel] Just curious about accounts on the cbs

Fri Jun 27 15:02:08 UTC 2014
Jim Perrin <jperrin at centos.org>


On 06/27/2014 08:30 AM, Pat Riehecky wrote:
> Just wondering what authentication software you were looking at.
> 
> These days, I've found FreeIPA to be surprisingly feature rich (and 
> bundled with the OS!).
> -LDAP
> -Kerberos
> -Certificates
> -Multi-Master replication
> -Password policies
> 
> All built in!
> 
> There is a Samba hook too, but I'm not sure that is relevant here....
> 
> The FreeIPA devs are also very nice people who've been receptive to 
> feature requests.
> 
> Mostly I'm just curious what people are thinking .....
> 
> Pat
> 


So, I've been looking at this for a while, though 7 has kinda slowed
things down. There are essentially 2 authentication systems that would
work for our needs: FAS and FreeIPA. FreeIPA to me seems the most
documented and robust, but there are a couple of issues that we would need
to address.

For our needs, users would need to be able to register and
self-administer (in limited capacity) without admin interaction. So to
do this we'd need captcha or email click-thru account verification. I'm
not overly picky, so long as it presents a significant barrier to common
internet miscreants.

Additionally, we would need some form of password reset validation
(likely also email click-thru validation) so that project folks don't
become full-time password reset experts.

I've spoken with Nathaniel McCallum and Dmitri Pal about this, and
they're certainly interested in such things, however they don't appear
to have the cycles to work on adding these features.


Beyond the development, the only place where this plan falls down is
with user-based SSL/x509 certs. While the tools within FreeIPA have the
ability to do this, it's not exposed in an overly user-friendly (and
mostly hands-off) manner. If we're building using git hooks and only
git needs a cert, then it's not a big deal. If we're doing user-driven
scratch builds, then this either means we have another bit to develop or
we look at FAS.


Comments/thoughts?


-- 
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77