On 06.03.2018 10:58, Jelle van der Waa wrote:
> I'm eager to also see a list of how easy it would be to integrate either of these options with our application stack, as in what do we want to move to LDAP?
>
> * archweb
> * bbs
> * bugtracker
> * aurweb
> * ssh auth?
> * kanban board?
Eventually I'd like to have all of these (+ wiki if possible) in LDAP so that when someone becomes a TU/dev we can just change the group setting in LDAP and everything else adjusts automatically. Ideally, when someone joins the team they already have an account there and things like SSH and GPG keys are already configured because the AUR requires them. We then just change the group and are done with it.

For now I'd start with, in that order: ssh, kanboard (only a few users so far, so it should be easy to migrate), archweb. Later we can work on getting the other services migrated, but there we'll have to come up with a way to resolve conflicts regarding usernames, so this requires some more effort.

About the rest: 389ds and VPN sound good. Also, I'd still use TLS even on a VPN so that we have multiple layers of security. I once had a DNS problem with my personal syslog server, but thanks to TLS (with a private CA) there were no connections to the wrong machine. I imagine that we'll use DNS for easier management even if we use private IPs, so this also applies here. It will probably be /etc/hosts, but there can still be a mistake at some point.

Regarding topology I'd like master-master if that works well, otherwise master-slave. How does 389ds resolve conflicts in a master-master setup, and what's the performance like?

Florian