
Re: LDAP accounts for DMs



]] Ian Jackson 

(Added keyring-maint to Cc)

> My dgit service would like every DM to have access to its restricted
> ssh command on the new VM gideon.  This is a necessary condition for
> providing DMs with dgit push access to their authorised packages.
> 
> (I seem to remember talking to various people about this before but I
> can't remember who and I don't seem to have a record, so maybe it was
> in person or on IRC.  So sorry if I'm repeating myself.)

We talked about this during Debconf 14 in Portland.  Enrico and
keyring-maint (Noodles at least) were quite enthusiastic about this.

> As I understand it the correct way to implement this would be for DMs
> to have accounts in LDAP.  (Presumably flagged in some appropriate way
> so that they don't get more permissions than necessary.)

Yes.

> Is this something that DSA and DM-keyring are happy with ?  If so, how
> can we make it happen ?

Something like, from memory:

- Extend the DM signup system to also collect user names, let people who
  haven't filled in what they want be able to do so.

- Have the DM signup system export that information in some useful
  fashion so we can import into LDAP (either manually or more likely
  through RT).  We probably need to talk about whether we give the
  system a GPG key or if the front desk signs the mails or what we do.

- Adjust ud to export DMs to gideon only, and create an authorized_keys
  file with the right format and information there.

- Profit.

-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
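
Added example, not part of the original message and not ud's own code: one way the exported authorized_keys entries for a restricted command could be generated, validating each submitted key so that a key line cannot smuggle in its own options. The forced-command path, the username policy, the `dm:` comment tag and passing the username as an argument are all assumptions.

```python
import base64
import re
import struct

# Hypothetical forced command: the thread does not name the real one.
FORCED_COMMAND = "/usr/local/bin/restricted-push-placeholder"
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
USERNAME_RE = re.compile(r"[a-z][a-z0-9-]{1,31}")  # assumed account-name policy


def parse_pubkey(line):
    """Return (key_type, base64_blob) from an OpenSSH public key line."""
    fields = line.split()
    # A line that starts with options (command=..., etc.) fails the type check.
    if len(fields) < 2 or fields[0] not in ALLOWED_KEY_TYPES:
        raise ValueError("unsupported or malformed key line")
    key_type, blob = fields[0], fields[1]
    raw = base64.b64decode(blob, validate=True)  # binascii.Error is a ValueError
    # The blob starts with a length-prefixed copy of the key type name.
    if len(raw) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob


def authorized_keys_line(username, pubkey_line):
    """Build one restricted entry; the submitted key comment is discarded."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    key_type, blob = parse_pubkey(pubkey_line)
    options = f'restrict,command="{FORCED_COMMAND} {username}"'
    return f"{options} {key_type} {blob} dm:{username}"


def build_authorized_keys(records):
    """Return (accepted_lines, rejected) for (username, pubkey_line) pairs."""
    accepted, rejected = [], []
    for username, pubkey_line in records:
        try:
            accepted.append(authorized_keys_line(username, pubkey_line))
        except ValueError as exc:
            rejected.append((username, str(exc)))
    return accepted, rejected


# Constructed sample key: correct wire framing, all-zero key material.
SAMPLE_BLOB = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode()
```

The `restrict` option turns off port, agent and X11 forwarding and PTY allocation in one keyword, so the entry permits only the forced command.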

