[Da-tools-discuss] ideas for LDAP use
Stephen Gran
sgran at debian.org
Wed Dec 26 18:36:44 UTC 2007
Hey all,
So I was looking through the schema currently in use, and at how ud-ldap
uses it. Some first impressions:

Groups in the users tree: yuck

We are overloading some attributes instead of using new attributes to
transmit information. For example, we mark the userPassword field with
LK if an account is locked - we could just create a new attribute that
tells us the account is locked.

We are not mandating several attributes for developer accounts that we
really should be mandating (keyFingerprint springs to mind here). It
seems that this is because we keep old accounts around forever, and some
of those old accounts won't have a key, so we can't mandate it moving
forward. We could just create a new objectClass debianDeveloperEmeritus
or something that has relaxed MUSTs, and make the debianDeveloper one
make more sense. It also strikes me that this might be an easy way to
handle the locked account case above as well.
Thoughts, things I've missed, etc?
--
Stephen Gran
sgran at debian.org
Debian user, admin, and developer
http://www.debian.org
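As an added illustration (not code from this post or from ud-ldap): a small Python audit over a constructed LDIF export that flags the two schema smells raised above, the LK marker overloading userPassword and debianDeveloper entries with no keyFingerprint. The entries, DNs and hashes are constructed, and the check assumes the LK marker is a prefix of the stored userPassword value.

```python
"""Audit an LDIF export for the two ud-ldap schema smells discussed in the post."""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: entries separated by blank lines, one 'attr: value'
    per line. Does not handle base64 ('::') values or line folding."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, finding) pairs for entries that exhibit either smell."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectClass", [])}
        # Smell 1: lock state smuggled into userPassword as an "LK" prefix
        # (assumed prefix form; an explicit lock attribute would avoid this)
        if any(p.startswith("LK") for p in e.get("userPassword", [])):
            findings.append((dn, "locked via userPassword LK prefix"))
        # Smell 2: active developer account with no key fingerprint; an
        # emeritus objectClass with relaxed MUSTs is deliberately exempt
        if "debiandeveloper" in classes and not e.get("keyFingerprint"):
            findings.append((dn, "debianDeveloper without keyFingerprint"))
    return findings


# Constructed sample export (not real Debian data; hashes are placeholders)
SAMPLE_LDIF = """\
dn: uid=alice,ou=users,dc=example,dc=org
objectClass: debianDeveloper
userPassword: {crypt}$1$abcdefgh$placeholderhash
keyFingerprint: 0000000000000000000000000000000000000000

dn: uid=bob,ou=users,dc=example,dc=org
objectClass: debianDeveloper
userPassword: LK{crypt}$1$abcdefgh$placeholderhash

dn: uid=carol,ou=users,dc=example,dc=org
objectClass: debianDeveloperEmeritus
userPassword: LK{crypt}$1$abcdefgh$placeholderhash
"""

if __name__ == "__main__":
    for dn, finding in audit(parse_ldif(SAMPLE_LDIF)):
        print(dn, "->", finding)
```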