[arch-devops] LDAP role

Florian Pritz bluewind at xinu.at
Tue Mar 6 11:18:34 UTC 2018


On 06.03.2018 10:58, Jelle van der Waa wrote:
> I'm eager to also see a list of how easy it would be to integrate either
> of these options with our application stack, as in what do we want to
> move to LDAP?
> 
> * archweb
> * bbs
> * bugtracker
> * aurweb
> * ssh auth?
> * kanban board?

Eventually I'd like to have all of these (+ wiki if possible) in LDAP so
that when someone becomes a TU/dev we can just change the group setting
in LDAP and everything else adjusts automatically. Ideally, when someone
joins the team they already have an account there and things like SSH
and GPG keys are already configured because the AUR requires them. We
then just change the group and be done with it.

For now I'd start with, in that order, ssh, kanboard (only a few users
so far so it should be easy to migrate), archweb. Later we can work on
getting the other services migrated, but there we'll have to come up
with a way to resolve conflicts regarding usernames so this requires
some more effort.

About the rest: 389ds and VPN sound good. Also I'd still use TLS even on
a VPN so that we have multiple layers of security. I've once had a DNS
problem with my personal syslog server, but thanks to TLS (with a
private CA) there were no connections to the wrong machine. I imagine
that we'll use DNS for easier management even if we use private IPs so
this also applies here. It will probably be /etc/hosts, but there can
still be a mistake at some point.

Regarding topology I'd like master-master if that works well, otherwise
master-slave. How does 389ds resolve conflicts in a master-master setup
and what's the performance like?

Florian
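A host-side sssd configuration for the setup discussed in this thread (SSH authentication against LDAP, access gated on an LDAP group, TLS verified against a private CA), given as an added example that is not from the thread or from the Arch infrastructure; the hostname, base DN, group name and CA path are assumed placeholders, and the memberOf attribute assumes the 389ds MemberOf plugin is enabled.

```ini
[sssd]
services = nss, pam, ssh
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap

# Assumed hostname; it must match a name in the directory server's certificate,
# so a wrong DNS or /etc/hosts entry fails verification instead of connecting.
ldap_uri = ldaps://ldap.example.internal
ldap_search_base = dc=example,dc=internal

# Private CA that signed the directory server's certificate (assumed path).
ldap_tls_cacert = /etc/ssl/private-ca/ca.crt
# Weak setting:  ldap_tls_reqcert = allow   (a bad or missing certificate is ignored)
# Hardened: a certificate that does not verify against the CA aborts the connection.
ldap_tls_reqcert = demand

# Public keys come from the directory (sshPublicKey attribute, e.g. openssh-lpk schema);
# sshd fetches them via AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys.
ldap_user_ssh_public_key = sshPublicKey

# Only members of this group (assumed DN) may log in; changing group membership
# in LDAP changes who can log in, with no per-host change.
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=devops,ou=groups,dc=example,dc=internal)
```

With `access_provider = ldap` the filter is evaluated on every login, so removing a user from the group locks them out on the next attempt without touching the host.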
