[arch-devops] LDAP role

Giancarlo Razzolini grazzolini at archlinux.org
Tue Mar 6 16:39:25 UTC 2018


On March 6, 2018 8:18 Florian Pritz via arch-devops wrote:
> 
> Eventually I'd like to have all of these (+ wiki if possible) in LDAP so
> that when someone becomes a TU/dev we can just change the group setting
> in LDAP and everything else adjusts automatically. Ideally, when someone
> joins the team they already have an account there and things like SSH
> and GPG keys are already configured because the AUR requires them. We
> then just change the group and be done with it.

We can have the SSH and GPG keys on the directory itself, yes, and that's
accessible by any application.

> 
> For now I'd start with, in that order, ssh, kanboard (only a few users
> so far so it should be easy to migrate), archweb. Later we can work on
> getting the other services migrated, but there we'll have to come up
> with a way to resolve conflicts regarding usernames so this requires
> some more effort.

I would say, as far as name conflicts go, we look at the application where we
have the biggest number of users, and we determine that as the authoritative
source for usernames. Anyone with a username conflicting against that will
need to change. I think the AUR is that application, right?

> 
> About the rest: 389ds and VPN sound good. Also I'd still use TLS even on
> a VPN so that we have multiple layers of security. I've once had a DNS
> problem with my personal syslog server, but thanks to TLS (with a
> private CA) there were no connections to the wrong machine. I imagine
> that we'll use DNS for easier management even if we use private IPs so
> this also applies here. It will probably be /etc/hosts, but there can
> still be a mistake at some point.

TLS will be used regardless of VPN or not. And we are going to use valid certs,
no self-signed. As for the VPN, I would say that tinc or openvpn are options.

> 
> Regarding topology I'd like master-master if that works well, otherwise
> master-slave. How does 389ds resolve conflicts in a master-master setup
> and what's the performance like?

Coming to think of this, we want multi-master replication, because we need the
ability to bring the servers up and down for upgrades and other stuff. If we
go with the master-slave topology, the master machine will require a lot of
attention.

Regards,
Giancarlo Razzolini
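Added example, not part of the thread: a small Python check for the username-conflict rule proposed above, treating the AUR as the authoritative source and flagging accounts that must be renamed before the per-service user lists are merged into one directory. Service names and accounts are constructed sample data, not real Arch users.

```python
"""Find username collisions before merging per-service accounts into one LDAP tree.

The authoritative service (AUR, per the thread) keeps its usernames; the same
username in another service that maps to a different identity (here: e-mail)
must be renamed there, otherwise the wrong person inherits the LDAP entry.
"""
from collections import defaultdict

# Constructed sample data: service -> {username: email}. Hypothetical accounts.
ACCOUNTS = {
    "aur":      {"alice": "alice@example.org", "bob": "bob@example.org", "carol": "carol@example.org"},
    "kanboard": {"alice": "alice@example.org", "bob": "robert@example.net"},
    "archweb":  {"carol": "carol@example.org", "dave": "dave@example.org", "erin": "erin@example.org"},
    "wiki":     {"dave": "dave@example.org", "erin": "erin.other@example.com"},
}
AUTHORITATIVE = "aur"


def find_conflicts(accounts, authoritative=AUTHORITATIVE):
    """Return (must_rename, unresolved).

    must_rename: (service, username) pairs whose identity differs from the
                 authoritative service's holder of that username.
    unresolved:  usernames the authoritative service does not have, but which
                 two or more other services assign to different people; no
                 source outranks the others, so a human has to decide.
    """
    holders = defaultdict(set)  # username -> set of e-mail identities
    for users in accounts.values():
        for name, email in users.items():
            holders[name].add(email)

    must_rename, unresolved = [], []
    for name, emails in sorted(holders.items()):
        if len(emails) == 1:
            continue  # same person everywhere: merges cleanly into one entry
        if name in accounts[authoritative]:
            canonical = accounts[authoritative][name]
            for service, users in accounts.items():
                if service != authoritative and users.get(name, canonical) != canonical:
                    must_rename.append((service, name))
        else:
            unresolved.append(name)
    return must_rename, unresolved


if __name__ == "__main__":
    renames, manual = find_conflicts(ACCOUNTS)
    for service, name in renames:
        print(f"{service}: '{name}' belongs to someone else in {AUTHORITATIVE}; rename before import")
    for name in manual:
        print(f"'{name}' is claimed by different people and has no authoritative owner")
```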