Posted to infrastructure-dev@apache.org by sebb <se...@gmail.com> on 2009/04/04 14:05:23 UTC

Re: LDAP - a simple script that may help with initial account creation

On 04/04/2009, chris <ch...@ia.gov> wrote:
> Sorry, server was down for a bit due to complications with my mail archive
> re-filtering project. (Oops)
>
>  It's back up now and the script has some modifications requested by Tony.
> Added harvesting of uidNumber, gidNumber, homeDirectory and extended the
> objectclass to include posixAccount to accommodate those attributes.
>
>  grab it here http://arreyder.com/pass2ldap.pl

Is the user's public name going to be part of the LDAP database?
If so, the /etc/passwd file is likely to be the best source, as users
can correct this, unlike ICLAS.

Also, note that the e-mail listed in ICLAS is often not the one used
in the .forward file (and may not be accurate anyway, as some of the
ICLAs are very hard to read).

The e-mail addresses stored in

https://svn.apache.org/repos/private/committers/MailAlias.txt
and
https://svn.apache.org/repos/private/foundation/members.txt

are likely to be more up-to-date, however there are multiple values
for each user. Maybe the e-mail from ICLAS could be validated against
those?

>  I'll get a proper svn archive going in a bit.
>
>  crr/arreyder

Re: LDAP - a simple script that may help with initial account creation

Posted by Santiago Gala <sa...@gmail.com>.
On Tue, 07-04-2009 at 08:24 -0700, Paul Querna wrote:
> On Tue, Apr 7, 2009 at 6:14 AM, sebb <se...@gmail.com> wrote:
> > On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
> >>
> >>  Thanks for that.
> >>
> >>  For those that do not have an ICLA on file, their account will not get
> >> auto-created.  When (or if) they contact us, we can move to resolve these on
> >> a case-by-case basis.
> >>  No one should have access to any of our infrastructure without an ICLA on
> >> file.
> >
> > Apart from the exceptions listed in noclas.txt?
> >
> > There are some people who don't contribute code.
> 
> yeah, there are at least one or two members who have never submitted
> code --  I think we need the hasICLA field in ldap to be the access
> control for svn -- But I guess those people in theory could still get
> email etc services.
> 

I would be courteous with someone who has been elected a member. I mean,
membership implies trust and, if they commit without an ICLA, their commits
could be reverted... though it can be forgotten for a time.

At least, checking the user ids against asf-authorisation to see what
services are going to be broken, and warning them, could be a possibility.

I think it is not the same case as those people, old committers, whose
account got closed because they were not located or refused to sign an
ICLA, back when.

> Thoughts?

My previous paragraphs should be here and not above :)

Regards
Santiago


Re: LDAP - a simple script that may help with initial account creation

Posted by Paul Querna <pa...@querna.org>.
On Tue, Apr 7, 2009 at 6:14 AM, sebb <se...@gmail.com> wrote:
> On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
>>
>>  Thanks for that.
>>
>>  For those that do not have an ICLA on file, their account will not get
>> auto-created.  When (or if) they contact us, we can move to resolve these on
>> a case-by-case basis.
> >>  No one should have access to any of our infrastructure without an ICLA on
> >> file.
>
> Apart from the exceptions listed in noclas.txt?
>
> There are some people who don't contribute code.

yeah, there are at least one or two members who have never submitted
code --  I think we need the hasICLA field in ldap to be the access
control for svn -- But I guess those people in theory could still get
email etc services.

Thoughts?

Re: LDAP - a simple script that may help with initial account creation

Posted by sebb <se...@gmail.com>.
On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
>
>  Thanks for that.
>
>  For those that do not have an ICLA on file, their account will not get
> auto-created.  When (or if) they contact us, we can move to resolve these on
> a case-by-case basis.
>  No one should have access to any of our infrastructure without an ICLA on
> file.

Apart from the exceptions listed in noclas.txt?

There are some people who don't contribute code.

>  I am sure this can be brought up in an email to committers@ - Before we
> move to LDAP.
>
>  No rush just yet.  Paul, ISTR you agreeing with me that no ICLA precludes
> folks from getting an account.
>  On 7 Apr 2009, at 13:45, sebb wrote:
>
> > On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
> > > I have now used this to import all users into ldap.
> > >
> > > **Skipped 162 entries due to no match for loginID in ICLAS.
> > > **Skipped 0 because loginid was already found as a uid in LDAP.
> > > **Attempted to make 1975 entries to LDAP.
> > >
> > > So we now have a way to import all users from /etc/master.passwd - As for
> > > the 162 failed imports, I am working my way through those to see if it is a
> > > scripting issue, or as it seems more likely an issue with their iclas.txt
> >
> > There are a few active entries in passwd which don't have entries in
> > iclas.txt; these are marked as exceptions in noclas.txt
> >
> > However there are a lot of disabled passwd entries, these don't always
> > have entries in iclas.txt.
> >
> > There is a script I wrote to check authorization, iclas and passwd at:
> >
> > https://svn.apache.org/repos/asf/infrastructure/trunk/tools/validation
> >
> > perl -w authcheck.pl -auth=authorization/asf-authorization
> > -iclas=officers/iclas.txt
> >
> > This requires a work sub-directory which should contain a copy of
> > passwd if you want to check against it.
> >
> > Output is to the work directory.
> >
> > > Chris, thanks again for your help and perl-y fu.
> > >
> > > I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP) and
> > > from Solaris (httpd module)
> > >
> > > Cheers,
> > > Tony
> > >
> > > On 5 Apr 2009, at 20:49, chris wrote:
> > >
> > > > > > Is the user's public name going to be part of the LDAP database?
> > > > > > If so, the /etc/passwd file is likely to be the best source, as users
> > > > > > can correct this, unlike ICLAS.
> > > > > Exactly.
> > > >
> > > > So pull from the gecos field then.   What all do you guys have in there, just
> > > > the full name?  That field is often populated by a "," separated list of
> > > > stuff.
> > > >
> > > > > We will use the mail address from .forward as that is the file we honour
> > > > > for all userid@apache.org addresses.  Now some folks don't forward their
> > > > > mail on, they collect it.  But that is ok too.
> > > > > Folks are most likely to maintain this address as that is ultimately the
> > > > > way they get to read their email.  :-)
> > > >
> > > > Done.  If .forward is unreadable or empty this is left undefined.
> > > > Latest revision is here http://arreyder.com/pass2ldap.pl
> > > >
> > > > crr/arreyder
> > >
> > > Cheers,
> > > Tony
> > >
> > > -----------------------------------------
> > > Tony Stevenson
> > > tony@pc-tony.com  //  pctony@apache.org  // pctony@freenode.net
> > > http://blog.pc-tony.com/
> > >
> > > 1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
> > > -----------------------------------------
>
>  Cheers,
>  Tony

Re: LDAP - a simple script that may help with initial account creation

Posted by Tony Stevenson <to...@pc-tony.com>.
Thanks for that.

For those that do not have an ICLA on file, their account will not get
auto-created.  When (or if) they contact us, we can move to resolve
these on a case-by-case basis.
No one should have access to any of our infrastructure without an ICLA
on file.

I am sure this can be brought up in an email to committers@ - Before
we move to LDAP.

No rush just yet.  Paul, ISTR you agreeing with me that no ICLA
precludes folks from getting an account.





On 7 Apr 2009, at 13:45, sebb wrote:

> On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
>> I have now used this to import all users into ldap.
>>
>> **Skipped 162 entries due to no match for loginID in ICLAS.
>> **Skipped 0 because loginid was already found as a uid in LDAP.
>> **Attempted to make 1975 entries to LDAP.
>>
>> So we now have a way to import all users from /etc/master.passwd - As for
>> the 162 failed imports, I am working my way through those to see if it is a
>> scripting issue, or as it seems more likely an issue with their iclas.txt
>
> There are a few active entries in passwd which don't have entries in
> iclas.txt; these are marked as exceptions in noclas.txt
>
> However there are a lot of disabled passwd entries, these don't always
> have entries in iclas.txt.
>
> There is a script I wrote to check authorization, iclas and passwd at:
>
> https://svn.apache.org/repos/asf/infrastructure/trunk/tools/validation
>
> perl -w authcheck.pl -auth=authorization/asf-authorization
> -iclas=officers/iclas.txt
>
> This requires a work sub-directory which should contain a copy of
> passwd if you want to check against it.
>
> Output is to the work directory.
>
>> Chris, thanks again for your help and perl-y fu.
>>
>> I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP) and
>> from Solaris (httpd module)
>>
>> Cheers,
>> Tony
>>
>> On 5 Apr 2009, at 20:49, chris wrote:
>>
>>>>> Is the user's public name going to be part of the LDAP database?
>>>>> If so, the /etc/passwd file is likely to be the best source, as users
>>>>> can correct this, unlike ICLAS.
>>>> Exactly.
>>>
>>> So pull from the gecos field then.   What all do you guys have in there,
>>> just the full name?  That field is often populated by a "," separated
>>> list of stuff.
>>>
>>>> We will use the mail address from .forward as that is the file we
>>>> honour for all userid@apache.org addresses.  Now some folks don't
>>>> forward their mail on, they collect it.  But that is ok too.
>>>> Folks are most likely to maintain this address as that is ultimately
>>>> the way they get to read their email.  :-)
>>>
>>> Done.  If .forward is unreadable or empty this is left undefined.
>>> Latest revision is here http://arreyder.com/pass2ldap.pl
>>>
>>> crr/arreyder
>>
>> Cheers,
>> Tony



Cheers,
Tony


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org  // pctony@freenode.net
http://blog.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------






Re: LDAP - a simple script that may help with initial account creation

Posted by sebb <se...@gmail.com>.
On 07/04/2009, Tony Stevenson <to...@pc-tony.com> wrote:
> I have now used this to import all users into ldap.
>
>
>  **Skipped 162 entries due to no match for loginID in ICLAS.
>  **Skipped 0 because loginid was already found as a uid in LDAP.
>  **Attempted to make 1975 entries to LDAP.
>
>
>  So we now have a way to import all users from /etc/master.passwd - As for
> the 162 failed imports, I am working my way through those to see if it is a
> scripting issue, or as it seems more likely an issue with their iclas.txt

There are a few active entries in passwd which don't have entries in
iclas.txt; these are marked as exceptions in noclas.txt

However there are a lot of disabled passwd entries, these don't always
have entries in iclas.txt.

There is a script I wrote to check authorization, iclas and passwd at:

 https://svn.apache.org/repos/asf/infrastructure/trunk/tools/validation

perl -w authcheck.pl -auth=authorization/asf-authorization
-iclas=officers/iclas.txt

This requires a work sub-directory which should contain a copy of
passwd if you want to check against it.

Output is to the work directory.

>
>  Chris, thanks again for your help and perl-y fu.
>
>  I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP) and
> from Solaris (httpd module)
>
>  Cheers,
>  Tony
>
>  On 5 Apr 2009, at 20:49, chris wrote:
>
> > > > Is the user's public name going to be part of the LDAP database?
> > > > If so, the /etc/passwd file is likely to be the best source, as users
> > > > can correct this, unlike ICLAS.
> > > Exactly.
> >
> > So pull from the gecos field then.   What all do you guys have in there, just
> > the full name?  That field is often populated by a "," separated list of
> > stuff.
> >
> > > We will use the mail address from .forward as that is the file we honour
> > > for all userid@apache.org addresses.  Now some folks don't forward their
> > > mail on, they collect it.  But that is ok too.
> > > Folks are most likely to maintain this address as that is ultimately the
> > > way they get to read their email.  :-)
> >
> > Done.  If .forward is unreadable or empty this is left undefined.
> > Latest revision is here http://arreyder.com/pass2ldap.pl
> >
> > crr/arreyder
>
>  Cheers,
>  Tony

Re: LDAP - a simple script that may help with initial account creation

Posted by Emmanuel Lecharny <el...@apache.org>.
On Tue, Apr 7, 2009 at 2:32 PM, Tony Stevenson <to...@pc-tony.com> wrote:
> I have now used this to import all users into ldap.
>
>
> **Skipped 162 entries due to no match for loginID in ICLAS.
> **Skipped 0 because loginid was already found as a uid in LDAP.
> **Attempted to make 1975 entries to LDAP.
>
>
> So we now have a way to import all users from /etc/master.passwd - As for
> the 162 failed imports, I am working my way through those to see if it is a
> scripting issue, or as it seems more likely an issue with their iclas.txt

When I did the same thing (by hand), I found many duplicated entries
too. Some of them were simply due to some misspelled users (for
instance, mactony instead of pctony).

I guess that some cleaning has to be done at some point. It's easier
to deal with 162 wrong entries than with 2000!

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: LDAP - a simple script that may help with initial account creation

Posted by Tony Stevenson <to...@pc-tony.com>.
I have now used this to import all users into ldap.


**Skipped 162 entries due to no match for loginID in ICLAS.
**Skipped 0 because loginid was already found as a uid in LDAP.
**Attempted to make 1975 entries to LDAP.


So we now have a way to import all users from /etc/master.passwd - As
for the 162 failed imports, I am working my way through those to see
if it is a scripting issue, or as it seems more likely an issue with
their iclas.txt


Chris, thanks again for your help and perl-y fu.


I am now working on testing LDAP access from FreeBSD (PAM/NSS_LDAP)
and from Solaris (httpd module)


Cheers,
Tony




On 5 Apr 2009, at 20:49, chris wrote:

>
>>> Is the user's public name going to be part of the LDAP database?
>>> If so, the /etc/passwd file is likely to be the best source, as users
>>> can correct this, unlike ICLAS.
>> Exactly.
>
> So pull from the gecos field then.   What all do you guys have in there,
> just the full name?  That field is often populated by a "," separated
> list of stuff.
>
>> We will use the mail address from .forward as that is the file we
>> honour for all userid@apache.org addresses.  Now some folks don't
>> forward their mail on, they collect it.  But that is ok too.
>> Folks are most likely to maintain this address as that is ultimately
>> the way they get to read their email.  :-)
>
> Done.  If .forward is unreadable or empty this is left undefined.
> Latest revision is here http://arreyder.com/pass2ldap.pl
>
> crr/arreyder



Cheers,
Tony


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org  // pctony@freenode.net
http://blog.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------






Re: LDAP - a simple script that may help with initial account creation

Posted by chris <ch...@ia.gov>.
>> Is the user's public name going to be part of the LDAP database?
>> If so, the /etc/passwd file is likely to be the best source, as users
>> can correct this, unlike ICLAS.
> Exactly.

So pull from the gecos field then.   What all do you guys have in there,
just the full name?  That field is often populated by a "," separated
list of stuff.

> We will use the mail address from .forward as that is the file we 
> honour for all userid@apache.org addresses.  Now some folks don't 
> forward their mail on, they collect it.  But that is ok too.
> Folks are most likely to maintain this address as that is ultimately 
> the way they get to read their email.  :-)

Done.  If .forward is unreadable or empty this is left undefined. 

Latest revision is here http://arreyder.com/pass2ldap.pl

crr/arreyder






Re: LDAP - a simple script that may help with initial account creation

Posted by Tony Stevenson <to...@pc-tony.com>.
On 4 Apr 2009, at 13:05, sebb wrote:

> On 04/04/2009, chris <ch...@ia.gov> wrote:
>> Sorry, server was down for a bit due to complications with my mail
>> archive re-filtering project. (Oops)
>>
>> It's back up now and the script has some modifications requested by
>> Tony. Added harvesting of uidNumber, gidNumber, homeDirectory and
>> extended the objectclass to include posixAccount to accommodate those
>> attributes.
>>
>> grab it here http://arreyder.com/pass2ldap.pl
>
> Is the user's public name going to be part of the LDAP database?
> If so, the /etc/passwd file is likely to be the best source, as users
> can correct this, unlike ICLAS.

Exactly.

>
> Also, note that the e-mail listed in ICLAS is often not the one used
> in the .forward file (and may not be accurate anyway, as some of the
> ICLAs are very hard to read).

We will use the mail address from .forward as that is the file we
honour for all userid@apache.org addresses.  Now some folks don't
forward their mail on, they collect it.  But that is ok too.
Folks are most likely to maintain this address as that is ultimately
the way they get to read their email.  :-)



>> I'll get a proper svn archive going in a bit.
>>
>> crr/arreyder



Cheers,
Tony


-----------------------------------------
Tony Stevenson
tony@pc-tony.com  //  pctony@apache.org  // pctony@freenode.net
http://blog.pc-tony.com/

1024D/51047D66 ECAF DC55 C608 5E82 0B5E  3359 C9C7 924E 5104 7D66
-----------------------------------------
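
The import the thread describes (uidNumber, gidNumber and homeDirectory harvested from master.passwd, the public name taken from the first comma-separated gecos sub-field, the mail address read from ~/.forward and left undefined when that file is empty or unreadable, and entries skipped when the login has no ICLA match or is already a uid in LDAP), as an added example. It is written in Python here rather than as the Perl of pass2ldap.pl and is not that script or any ASF tool. Everything it assumes is illustrative: the base DN, the objectClass list, SAMPLE_ICLAS (a constructed login-to-address mapping standing in for iclas.txt, not the real file format), ALREADY_IN_LDAP (a constructed stand-in for a directory lookup), and the rule that the first plain address line in .forward is the one to use. It also does the cross-check sebb suggests, flagging logins whose .forward address disagrees with the address on the ICLA, and accepts both the 7-field /etc/passwd and the 10-field FreeBSD master.passwd layouts.

```python
import os
import tempfile
from typing import Dict, List, Optional, Set, Tuple

BASE_DN = "ou=people,dc=example,dc=org"                       # assumed, not a real base DN
OBJECT_CLASSES = ["top", "person", "organizationalPerson",    # assumed base classes plus
                  "inetOrgPerson", "posixAccount"]            # posixAccount for uidNumber etc.
SAMPLE_ICLAS = {"alice": "alice@example.net", "bob": "bob@example.net",   # constructed
                "carol": "carol@example.org", "dave": "dave@example.org"}  # iclas.txt stand-in
ALREADY_IN_LDAP = {"dave"}                                    # constructed: uids already present


def parse_passwd_line(line: str) -> Optional[dict]:
    """Accept the 7-field /etc/passwd or the 10-field FreeBSD master.passwd layout."""
    f = line.rstrip("\n").split(":")
    if len(f) == 7:
        login, _pw, uid, gid, gecos, home, shell = f
    elif len(f) == 10:
        login, _pw, uid, gid, _cls, _change, _expire, gecos, home, shell = f
    else:
        return None                                           # blank, comment or malformed
    return {"login": login, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def full_name_from_gecos(gecos: str) -> str:
    """gecos is commonly 'Full Name,office,work phone,home phone'; keep only the name."""
    return gecos.split(",")[0].strip()


def mail_from_forward(home: str) -> Optional[str]:
    """First address in ~/.forward, or None (attribute left undefined) when the file
    is missing, unreadable, empty, or holds only pipe, file or backslash-local entries."""
    try:
        with open(os.path.join(home, ".forward"), encoding="utf-8") as fh:
            for raw in fh:
                entry = raw.strip().strip('"')
                if not entry or entry.startswith("#") or entry[0] in "|/\\":
                    continue
                return entry.split(",")[0].strip()            # assumption: first address wins
    except OSError:
        return None
    return None


def build_entries(passwd_text: str, iclas: Dict[str, str],
                  existing_uids: Set[str]) -> Tuple[List[dict], dict]:
    """Skip logins with no ICLA match, skip uids already in LDAP, otherwise build a
    posixAccount entry; flag .forward addresses that disagree with the ICLA address."""
    entries: List[dict] = []
    stats = {"no_icla": 0, "already_in_ldap": 0, "attempted": 0,
             "missing_icla": [], "mail_mismatch": []}
    for line in passwd_text.splitlines():
        rec = parse_passwd_line(line)
        if rec is None or rec["login"].startswith("#"):
            continue
        login = rec["login"]
        if login not in iclas:
            stats["no_icla"] += 1
            stats["missing_icla"].append(login)
            continue
        if login in existing_uids:
            stats["already_in_ldap"] += 1
            continue
        cn = full_name_from_gecos(rec["gecos"]) or login
        entry = {"dn": f"uid={login},{BASE_DN}", "objectClass": OBJECT_CLASSES,
                 "uid": login, "cn": cn, "sn": cn.split()[-1],
                 "uidNumber": rec["uid"], "gidNumber": rec["gid"],
                 "homeDirectory": rec["home"], "loginShell": rec["shell"]}
        mail = mail_from_forward(rec["home"])
        if mail is not None:
            entry["mail"] = mail
            if mail.lower() != iclas[login].lower():
                stats["mail_mismatch"].append(login)
        entries.append(entry)
        stats["attempted"] += 1
    return entries, stats


def to_ldif(entry: dict) -> str:
    """Render one entry as LDIF suitable for ldapadd."""
    lines = [f"dn: {entry['dn']}"]
    for key, value in entry.items():
        if key != "dn":
            lines.extend(f"{key}: {v}" for v in (value if isinstance(value, list) else [value]))
    return "\n".join(lines) + "\n"


def demo() -> Tuple[List[dict], dict, str]:
    """Constructed passwd lines and throw-away home directories with .forward files."""
    with tempfile.TemporaryDirectory() as tmp:
        def make_home(login: str, forward: Optional[str]) -> str:
            path = os.path.join(tmp, login)
            os.makedirs(path)
            if forward is not None:
                with open(os.path.join(path, ".forward"), "w", encoding="utf-8") as fh:
                    fh.write(forward)
            return path

        alice = make_home("alice", "alice@example.com\n")     # differs from her ICLA address
        bob = make_home("bob", "")                            # empty .forward: mail undefined
        carol = os.path.join(tmp, "carol")                    # no home dir: .forward unreadable
        dave = make_home("dave", "dave@example.org\n")        # already a uid in LDAP
        erin = make_home("erin", "erin@example.com\n")        # no ICLA on file
        passwd_text = "\n".join([
            f"alice:$6$salt$hash:1001:1001::0:0:Alice Example,Room 1,555-0100:{alice}:/bin/sh",
            f"bob:x:1002:1002:Bob Builder:{bob}:/bin/sh",
            f"carol:x:1003:1003:Carol Closed:{carol}:/usr/sbin/nologin",
            f"dave:x:1004:1004:Dave Present:{dave}:/bin/sh",
            f"erin:x:1005:1005:Erin Noicla:{erin}:/bin/sh",
        ])
        entries, stats = build_entries(passwd_text, SAMPLE_ICLAS, ALREADY_IN_LDAP)
    return entries, stats, "\n".join(to_ldif(e) for e in entries)
```

Calling demo() returns the three entries that would be fed to ldapadd, the counters that correspond to the script's "Skipped ... / Attempted ..." summary, and the LDIF text; the missing_icla list is the set an admin would work through by hand, and mail_mismatch is where the ICLA address should be checked against the address the user actually maintains.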