Posted to infrastructure-dev@apache.org by Emmanuel Lécharny <el...@apache.org> on 2009/03/31 01:03:18 UTC
Re: LDAP plans
Tony Stevenson wrote:
> Exactly!
>
> If you are clr in the iclas.txt, then you will be in LDAP too. If
> however you're not (and I know you are) then you won't.
>
> Simple, heh?
Remember that LDAP is not a flat file. 'clr' will be put somewhere like
'cn=clr, ou=committers, dc=apache, dc=org', where the only clr we will
have will be our good old fellow Craig Russell! In JIRA, as it's more
open to others, we may have a 'clr' too, but if you are already using
another acronym in JIRA - let's say it's crlr - then you will be
identified as 'cn=crlr, ou=jira, dc=apache, dc=org'. We can then create
internal links from one entry to another to get a clue about who really
is crlr (like an asf-committer attributeType for a JiraUser objectClass,
pointing to your entry in ou=committers).
We have options. We just need to know what to do.
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org
LDAP - a simple script that may help with initial account creation
Posted by chris <ch...@ia.gov>.
Tony,
This may be useful to you. No-frills script to parse master.passwd, iclas, and add accounts to LDAP if they are not
already there. I made some assumptions on what you might want to pull to LDAP. Feel free to alter this to fit your
needs or poke at me and I will enhance/change it however you like.
grab it here http://arreyder.com/pass2ldap.pl
crr/arreyder
Re: LDAP - a simple script that may help with initial account creation
Posted by Santiago Gala <sa...@gmail.com>.
On Tue, 07-04-2009 at 08:24 -0700, Paul Querna wrote:
> On Tue, Apr 7, 2009 at 6:14 AM, sebb <se...@gmail.com> wrote:
> > On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
> >>
> >> Thanks for that.
> >>
> >> For those that do not have an ICLA on file, their account will not get
> >> auto-created. When (or if) they contact us, we can move to resolve these on
> >> a case-by-case basis.
> >> No one should have access to any of our infrastructure without an ICLA on
> >> file.
> >
> > Apart from the exceptions listed in noclas.txt?
> >
> > There are some people who don't contribute code.
>
> yeah, there are at least one or two members who have never submitted
> code -- I think we need the hasICLA field in ldap to be the access
> control for svn -- But I guess those people in theory could still get
> email etc. services.
>
I would be courteous with someone who has been elected a member. I mean,
membership implies trust and, if they commit without an ICLA, their commits
could be reverted... though it can be forgotten for a time.
At least, checking the user ids against asf-authorization to see what
services are going to be broken and warning them could be a possibility.
I think it is not the same case as those people, old committers, whose
account got closed because they were not located or refused to sign an
ICLA, back when.
> Thoughts?
My previous paragraphs should be here and not above :)
Regards
Santiago
Re: LDAP - a simple script that may help with initial account creation
Posted by Paul Querna <pa...@querna.org>.
On Tue, Apr 7, 2009 at 6:14 AM, sebb <se...@gmail.com> wrote:
> On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
>>
>> Thanks for that.
>>
>> For those that do not have an ICLA on file, their account will not get
>> auto-created. When (or if) they contact us, we can move to resolve these on
>> a case-by-case basis.
>> No one should have access to any of our infrastructure without an ICLA on
>> file.
>
> Apart from the exceptions listed in noclas.txt?
>
> There are some people who don't contribute code.
yeah, there are at least one or two members who have never submitted
code -- I think we need the hasICLA field in ldap to be the access
control for svn -- But I guess those people in theory could still get
email etc. services.
Thoughts?
Re: LDAP - a simple script that may help with initial account creation
Posted by sebb <se...@gmail.com>.
On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
>
> Thanks for that.
>
> For those that do not have an ICLA on file, their account will not get
> auto-created. When (or if) they contact us, we can move to resolve these on
> a case-by-case basis.
> No one should have access to any of our infrastructure without an ICLA on
> file.
Apart from the exceptions listed in noclas.txt?
There are some people who don't contribute code.
> I am sure this can be brought up in an email to committers@ - Before we
> move to LDAP.
>
> No rush just yet. Paul, ISTR you agreeing with me that no ICLA precludes
> folks from getting an account.
>
> On 7 Apr 2009, at 13:45, sebb wrote:
>
> > On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
> >
> > > I have now used this to import all users into ldap.
> > >
> > > **Skipped 162 entries due to no match for loginID in ICLAS.
> > > **Skipped 0 because loginid was already found as a uid in LDAP.
> > > **Attempted to make 1975 entries to LDAP.
> > >
> > > So we now have a way to import all users from /etc/master.passwd - As for
> > > the 162 failed imports, I am working my way through those to see if it is a
> > > scripting issue, or as it seems more likely an issue with their iclas.txt
> >
> > There are a few active entries in passwd which don't have entries in
> > iclas.txt; these are marked as exceptions in noclas.txt
> >
> > However there are a lot of disabled passwd entries, these don't always
> > have entries in iclas.txt.
> >
> > There is a script I wrote to check authorization, iclas and passwd at:
> >
> > https://svn.apache.org/repos/asf/infrastructure/trunk/tools/validation
> >
> > perl -w authcheck.pl -auth=authorization/asf-authorization -iclas=officers/iclas.txt
> >
> > This requires a work sub-directory which should contain a copy of
> > passwd if you want to check against it.
> >
> > Output is to the work directory.
> >
> > > Chris, thanks again for your help and perl-y fu.
> > >
> > > I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP) and
> > > from Solaris (httpd module)
> > >
> > > Cheers,
> > > Tony
> > >
> > > On 5 Apr 2009, at 20:49, chris wrote:
> > >
> > > > > > Is the user's public name going to be part of the LDAP database?
> > > > > > If so, the /etc/passwd file is likely to be the best source, as users
> > > > > > can correct this, unlike ICLAS.
> > > > >
> > > > > Exactly.
> > > >
> > > > So pull from gecos field then. What all do you guys have in there, just
> > > > the full name? That field is often populated by a "," separated list of
> > > > stuff.
> > > >
> > > > > We will use the mail address from .forward as that is the file we honour
> > > > > for all userid@apache.org addresses. Now some folks don't forward their
> > > > > mail on, they collect it. But that is ok too.
> > > > > Folks are most likely to maintain this address as that is ultimately the
> > > > > way they get to read their email. :-)
> > > >
> > > > Done. If .forward is unreadable or empty this is left undefined.
> > > > Latest revision is here http://arreyder.com/pass2ldap.pl
> > > >
> > > > crr/arreyder
> > >
> > > Cheers,
> > > Tony
> > >
> > > -----------------------------------------
> > > Tony Stevenson
> > > tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
> > > http://blog.pc-tony.com/
> > >
> > > 1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
> > > -----------------------------------------
>
> Cheers,
> Tony
>
> -----------------------------------------
> Tony Stevenson
> tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
> http://blog.pc-tony.com/
>
> 1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
> -----------------------------------------
Re: LDAP - a simple script that may help with initial account creation
Posted by Tony Stevenson <to...@pc-tony.com>.
Thanks for that.
For those that do not have an ICLA on file, their account will not get
auto-created. When (or if) they contact us, we can move to resolve
these on a case-by-case basis.
No one should have access to any of our infrastructure without an ICLA
on file.
I am sure this can be brought up in an email to committers@ - Before
we move to LDAP.
No rush just yet. Paul, ISTR you agreeing with me that no ICLA
precludes folks from getting an account.
On 7 Apr 2009, at 13:45, sebb wrote:
> On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
>> I have now used this to import all users into ldap.
>>
>> **Skipped 162 entries due to no match for loginID in ICLAS.
>> **Skipped 0 because loginid was already found as a uid in LDAP.
>> **Attempted to make 1975 entries to LDAP.
>>
>> So we now have a way to import all users from /etc/master.passwd - As for
>> the 162 failed imports, I am working my way through those to see if it is a
>> scripting issue, or as it seems more likely an issue with their iclas.txt
>
> There are a few active entries in passwd which don't have entries in
> iclas.txt; these are marked as exceptions in noclas.txt
>
> However there are a lot of disabled passwd entries, these don't always
> have entries in iclas.txt.
>
> There is a script I wrote to check authorization, iclas and passwd at:
>
> https://svn.apache.org/repos/asf/infrastructure/trunk/tools/validation
>
> perl -w authcheck.pl -auth=authorization/asf-authorization
> -iclas=officers/iclas.txt
>
> This requires a work sub-directory which should contain a copy of
> passwd if you want to check against it.
>
> Output is to the work directory.
>
>> Chris, thanks again for your help and perl-y fu.
>>
>> I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP) and
>> from Solaris (httpd module)
>>
>> Cheers,
>> Tony
>>
>> On 5 Apr 2009, at 20:49, chris wrote:
>>
>>>>> Is the user's public name going to be part of the LDAP database?
>>>>> If so, the /etc/passwd file is likely to be the best source, as
>>>>> users can correct this, unlike ICLAS.
>>>> Exactly.
>>>
>>> So pull from gecos field then. What all do you guys have in there,
>>> just the full name? That field is often populated by a "," separated
>>> list of stuff.
>>>
>>>> We will use the mail address from .forward as that is the file we
>>>> honour for all userid@apache.org addresses. Now some folks don't
>>>> forward their mail on, they collect it. But that is ok too.
>>>> Folks are most likely to maintain this address as that is
>>>> ultimately the way they get to read their email. :-)
>>>
>>> Done. If .forward is unreadable or empty this is left undefined.
>>> Latest revision is here http://arreyder.com/pass2ldap.pl
>>>
>>> crr/arreyder
>>
>> Cheers,
>> Tony
>>
>> -----------------------------------------
>> Tony Stevenson
>> tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
>> http://blog.pc-tony.com/
>>
>> 1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
>> -----------------------------------------
Cheers,
Tony
-----------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
http://blog.pc-tony.com/
1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
-----------------------------------------
Re: LDAP - a simple script that may help with initial account creation
Posted by sebb <se...@gmail.com>.
On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
> I have now used this to import all users into ldap.
>
>
> **Skipped 162 entries due to no match for loginID in ICLAS.
> **Skipped 0 because loginid was already found as a uid in LDAP.
> **Attempted to make 1975 entries to LDAP.
>
>
> So we now have a way to import all users from /etc/master.passwd - As for
> the 162 failed imports, I am working my way through those to see if it is a
> scripting issue, or as it seems more likely an issue with their iclas.txt
There are a few active entries in passwd which don't have entries in
iclas.txt; these are marked as exceptions in noclas.txt
However there are a lot of disabled passwd entries, these don't always
have entries in iclas.txt.
There is a script I wrote to check authorization, iclas and passwd at:
https://svn.apache.org/repos/asf/infrastructure/trunk/tools/validation
perl -w authcheck.pl -auth=authorization/asf-authorization
-iclas=officers/iclas.txt
This requires a work sub-directory which should contain a copy of
passwd if you want to check against it.
Output is to the work directory.
>
> Chris, thanks again for your help and perl-y fu.
>
> I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP) and
> from Solaris (httpd module)
>
> Cheers,
> Tony
>
> On 5 Apr 2009, at 20:49, chris wrote:
>
> > > > Is the user's public name going to be part of the LDAP database?
> > > > If so, the /etc/passwd file is likely to be the best source, as users
> > > > can correct this, unlike ICLAS.
> > >
> > > Exactly.
> >
> > So pull from gecos field then. What all do you guys have in there, just
> > the full name? That field is often populated by a "," separated list of
> > stuff.
> >
> > > We will use the mail address from .forward as that is the file we honour
> > > for all userid@apache.org addresses. Now some folks don't forward their
> > > mail on, they collect it. But that is ok too.
> > > Folks are most likely to maintain this address as that is ultimately the
> > > way they get to read their email. :-)
> >
> > Done. If .forward is unreadable or empty this is left undefined.
> > Latest revision is here http://arreyder.com/pass2ldap.pl
> >
> > crr/arreyder
>
> Cheers,
> Tony
>
> -----------------------------------------
> Tony Stevenson
> tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
> http://blog.pc-tony.com/
>
> 1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
> -----------------------------------------
Re: LDAP - a simple script that may help with initial account creation
Posted by Emmanuel Lecharny <el...@apache.org>.
On Tue, Apr 7, 2009 at 2:32 PM, Tony Stevenson <to...@pc-tony.com> wrote:
> I have now used this to import all users into ldap.
>
>
> **Skipped 162 entries due to no match for loginID in ICLAS.
> **Skipped 0 because loginid was already found as a uid in LDAP.
> **Attempted to make 1975 entries to LDAP.
>
>
> So we now have a way to import all users from /etc/master.passwd - As for
> the 162 failed imports, I am working my way through those to see if it is a
> scripting issue, or as it seems more likely an issue with their iclas.txt
When I did the same thing (by hand), I found many duplicated entries
too. Some of them were simply due to some misspelled users (for
instance, mactony instead of pctony).
I guess that some cleaning has to be done at some point. It's easier
to deal with 162 wrong entries than with 2000!
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: LDAP - a simple script that may help with initial account creation
Posted by Tony Stevenson <to...@pc-tony.com>.
I have now used this to import all users into ldap.
**Skipped 162 entries due to no match for loginID in ICLAS.
**Skipped 0 because loginid was already found as a uid in LDAP.
**Attempted to make 1975 entries to LDAP.
So we now have a way to import all users from /etc/master.passwd - As
for the 162 failed imports, I am working my way through those to see
if it is a scripting issue, or as it seems more likely an issue with
their iclas.txt
Chris, thanks again for your help and perl-y fu.
I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP)
and from Solaris (httpd module)
Cheers,
Tony
On 5 Apr 2009, at 20:49, chris wrote:
>
>>> Is the user's public name going to be part of the LDAP database?
>>> If so, the /etc/passwd file is likely to be the best source, as
>>> users
>>> can correct this, unlike ICLAS.
>> Exactly.
>
> So pull from gecos field then. What all do you guys have in there,
> just the full name? That field is often populated by a ","
> separated list of stuff.
>
>> We will use the mail address from .forward as that is the file we
>> honour for all userid@apache.org addresses. Now some folks don't
>> forward their mail on, they collect it. But that is ok too.
>> Folks are most likely to maintain this address as that is
>> ultimately the way they get to read their email. :-)
>
> Done. If .forward is unreadable or empty this is left undefined.
> Latest revision is here http://arreyder.com/pass2ldap.pl
>
> crr/arreyder
Cheers,
Tony
-----------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
http://blog.pc-tony.com/
1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
-----------------------------------------
Re: LDAP - a simple script that may help with initial account creation
Posted by chris <ch...@ia.gov>.
>> Is the user's public name going to be part of the LDAP database?
>> If so, the /etc/passwd file is likely to be the best source, as users
>> can correct this, unlike ICLAS.
> Exactly.
So pull from gecos field then. What all do you guys have in there,
just the full name? That field is often populated by a "," separated
list of stuff.
> We will use the mail address from .forward as that is the file we
> honour for all userid@apache.org addresses. Now some folks don't
> forward their mail on, they collect it. But that is ok too.
> Folks are most likely to maintain this address as that is ultimately
> the way they get to read their email. :-)
Done. If .forward is unreadable or empty this is left undefined.
Latest revision is here http://arreyder.com/pass2ldap.pl
crr/arreyder
Re: LDAP - a simple script that may help with initial account creation
Posted by Tony Stevenson <to...@pc-tony.com>.
On 4 Apr 2009, at 13:05, sebb wrote:
> On 04/04/2009, chris <ch...@ia.gov> wrote:
>> Sorry, server was down for a bit due to complications with my mail
>> archive
>> re-filtering project. (Oops)
>>
>> It's back up now and the script has some modifications requested by
>> Tony.
>> Added harvesting of uidNumber, gidNumber, homeDirectory and
>> extended the
>> objectclass to include posixAccount to accommodate those attributes.
>>
>> grab it here http://arreyder.com/pass2ldap.pl
>
> Is the user's public name going to be part of the LDAP database?
> If so, the /etc/passwd file is likely to be the best source, as users
> can correct this, unlike ICLAS.
Exactly.
>
> Also, note that the e-mail listed in ICLAS is often not the one used
> in the .forward file (and may not be accurate anyway, as some of the
> ICLAs are very hard to read).
We will use the mail address from .forward as that is the file we
honour for all userid@apache.org addresses. Now some folks don't
forward their mail on, they collect it. But that is ok too.
Folks are most likely to maintain this address as that is ultimately
the way they get to read their email. :-)
>> I'll get a proper svn archive going in a bit.
>>
>> crr/arreyder
Cheers,
Tony
-----------------------------------------
Tony Stevenson
tony@pc-tony.com // pctony@apache.org // pctony@freenode.net
http://blog.pc-tony.com/
1024D/51047D66 ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
-----------------------------------------
Re: LDAP - a simple script that may help with initial account creation
Posted by sebb <se...@gmail.com>.
On 04/04/2009, chris <ch...@ia.gov> wrote:
> Sorry, server was down for a bit due to complications with my mail archive
> re-filtering project. (Oops)
>
> It's back up now and the script has some modifications requested by Tony.
> Added harvesting of uidNumber, gidNumber, homeDirectory and extended the
> objectclass to include posixAccount to accommodate those attributes.
>
> grab it here http://arreyder.com/pass2ldap.pl
Is the user's public name going to be part of the LDAP database?
If so, the /etc/passwd file is likely to be the best source, as users
can correct this, unlike ICLAS.
Also, note that the e-mail listed in ICLAS is often not the one used
in the .forward file (and may not be accurate anyway, as some of the
ICLAs are very hard to read).
The e-mail addresses stored in
https://svn.apache.org/repos/private/committers/MailAlias.txt
and
https://svn.apache.org/repos/private/foundation/members.txt
are likely to be more up-to-date, however there are multiple values
for each user. Maybe the e-mail from ICLAS could be validated against
those?
> I'll get a proper svn archive going in a bit.
>
> crr/arreyder
Re: LDAP - a simple script that may help with initial account creation
Posted by chris <ch...@ia.gov>.
Sorry, server was down for a bit due to complications with my mail archive re-filtering project. (Oops)
It's back up now and the script has some modifications requested by Tony. Added harvesting of uidNumber, gidNumber, homeDirectory and extended the objectclass to include posixAccount to accommodate those attributes.
grab it here http://arreyder.com/pass2ldap.pl
I'll get a proper svn archive going in a bit.
crr/arreyder
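The import-and-skip logic Tony reports in the thread (skip on no ICLA match, skip when the loginid already exists as a uid in LDAP, count both) together with the attributes chris's script harvests (full name from the gecos field, mail from .forward left undefined when unreadable or empty, posixAccount fields), as an added Python example; it is not the pass2ldap.pl script from the thread. The iclas.txt column layout, the uid= DN under ou=committers and every sample record are assumptions constructed for the example.

```python
# Constructed FreeBSD master.passwd lines (10 colon-separated fields):
# name:password:uid:gid:class:change:expire:gecos:home:shell
MASTER_PASSWD = """\
pctony:*:1001:1001::0:0:Tony Stevenson,Room 1,555-0100:/home/pctony:/bin/sh
clr:*:1002:1001::0:0:Craig Russell:/home/clr:/bin/sh
mactony:*:1003:1001::0:0:Misspelled Login:/home/mactony:/bin/sh
sebb:*:1004:1001::0:0:Sebb Example:/home/sebb:/bin/sh
"""
# Constructed iclas.txt in an ASSUMED "loginid:Public Name:email" layout (real columns not shown in thread)
ICLAS = """\
pctony:Tony Stevenson:tony@example.org
clr:Craig Russell:clr@example.org
sebb:Sebb Example:sebb@example.org
"""
# Constructed ~login/.forward contents: None = unreadable file, "" = user collects mail locally
FORWARDS = {"pctony": "tony@example.org\n", "clr": "", "sebb": None}
EXISTING_UIDS = {"sebb"}                    # logins assumed already present as uid= in LDAP
BASE_DN = "ou=committers,dc=apache,dc=org"  # assumed layout, after Emmanuel's DN sketch

def parse_master_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 10:
            raise ValueError(f"malformed master.passwd line: {line!r}")
        # gecos is a comma-separated list; the full name is its first element
        users[f[0]] = {"cn": f[7].split(",")[0].strip() or f[0], "uidNumber": f[2],
                       "gidNumber": f[3], "homeDirectory": f[8]}
    return users

def parse_iclas(text):
    return {ln.split(":")[0]: ln.split(":")[1:] for ln in text.splitlines() if ln}

def forward_address(content):
    # first address in .forward, or None when the file is unreadable or empty
    lines = content.strip().splitlines() if content else []
    return lines[0].strip() if lines else None

def build_entries(passwd_text, iclas_text, forwards, existing_uids):
    """Skip logins with no ICLA match and logins already in LDAP; count each case."""
    users, iclas = parse_master_passwd(passwd_text), parse_iclas(iclas_text)
    stats = {"no_icla": 0, "already_in_ldap": 0, "attempted": 0}
    entries = []
    for login, u in users.items():
        skip = "no_icla" if login not in iclas else ("already_in_ldap" if login in existing_uids else None)
        if skip:
            stats[skip] += 1
            continue
        entry = {"dn": f"uid={login},{BASE_DN}", "uid": login, "cn": u["cn"],
                 "sn": u["cn"].split()[-1], "objectClass": ["inetOrgPerson", "posixAccount"],
                 "uidNumber": u["uidNumber"], "gidNumber": u["gidNumber"],
                 "homeDirectory": u["homeDirectory"]}
        mail = forward_address(forwards.get(login))
        if mail:  # unreadable or empty .forward leaves mail undefined
            entry["mail"] = mail
        entries.append(entry)
        stats["attempted"] += 1
    return entries, stats

def run():
    return build_entries(MASTER_PASSWD, ICLAS, FORWARDS, EXISTING_UIDS)
```

With the constructed inputs, `run()` reports one login skipped for no ICLA (mactony), one skipped as already in LDAP (sebb) and two entries built, the second without a mail attribute because its .forward is empty.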