Replying to (and top-posting) myself to clarify:

The idea here is to provide a single unified login for the build system, bugs, forums, etc. This allows us group and permissions flexibility as well as being able to promote users via a merit-based structure, as well as allowing SIG leaders to maintain their own groups and independence.

On 06/27/2014 10:02 AM, Jim Perrin wrote:
>
>
> On 06/27/2014 08:30 AM, Pat Riehecky wrote:
>> Just wondering what authentication software you were looking at.
>>
>> These days, I've found FreeIPA to be surprisingly feature rich (and
>> bundled with the OS!).
>> -LDAP
>> -Kerberos
>> -Certificates
>> -Multi-Master replication
>> -Password policies
>>
>> All built in!
>>
>> There is a Samba hook too, but I'm not sure that is relevant here....
>>
>> The FreeIPA devs are also very nice people who've been receptive to
>> feature requests.
>>
>> Mostly I'm just curious what people are thinking .....
>>
>> Pat
>>
>
>
> So, I've been looking at this for a while, though 7 has kinda slowed
> things down. There are essentially 2 authentication systems that would
> work for our needs. FAS and FreeIPA. FreeIPA to me seems the most
> documented and robust, but there are a couple issues that we would need
> to address.
>
> For our needs, users would need to be able to register and
> self-administer (in limited capacity) without admin interaction. So to
> do this we'd need captcha or email click-thru account verification. I'm
> not overly picky, so long as it presents a significant barrier to common
> internet miscreants.
>
> Additionally, we would need some form of password reset validation
> (likely also email click-thru validation) so that project folks don't
> become full-time password reset experts.
>
> I've spoken with Nathaniel McCallum and Dmitri Pal about this, and
> they're certainly interested in such things, however they don't appear
> to have the cycles to work on adding these features.
>
>
> Beyond the development, the only place where this plan falls down is
> with user based ssl/x509 certs. While the tools within FreeIPA have the
> ability to do this, it's not exposed in an overly user-friendly (and
> mostly hands-off) manner. If we're building using git hooks and only
> git needs a cert, then it's not a big deal. If we're doing user-driven
> scratch builds, then this either means we have another bit to develop or
> we look at FAS.
>
>
> Comments/thoughts?
>
>

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77