
Re: LDAP accounts for DMs



On Thu, Nov 20, 2014 at 06:36:45PM +0100, Tollef Fog Heen wrote:
> ]] Ian Jackson 
> 
> (Added keyring-maint to Cc)
> 
> > My dgit service would like every DM to have access to its restricted
> > ssh command on the new VM gideon.  This is a necessary condition for
> > providing DMs with dgit push access to their authorised packages.
> > 
> > (I seem to remember talking to various people about this before but I
> > can't remember who and I don't seem to have a record, so maybe it was
> > in person or on IRC.  So sorry if I'm repeating myself.)
> 
> We talked about this during Debconf 14 in Portland.  Enrico and
> keyring-maint (Noodles at least) were quite enthusiastic about this.

One of the things it was discussed in relation to was bringing the DM
process under nm.debian.org so all the information was in one place (and
could be carried through from DM to DD).

> > As I understand it the correct way to implement this would be for DMs
> > to have accounts in LDAP.  (Presumably flagged in some appropriate way
> > so that they don't get more permissions than necessary.)
> 
> Yes.
> 
> > Is this something that DSA and DM-keyring are happy with ?  If so, how
> > can we make it happen ?
> 
> Something like, from memory:
> 
> - Extend the DM signup system to also collect user names, let people who
>   haven't filled in what they want be able to do so.
>
> - Have the DM signup system export that information in some useful
>   fashion so we can import into LDAP (either manually or more likely
>   through RT).  We probably need to talk about whether we give the
>   system a GPG key or if the front desk signs the mails or what we do.

It would be interesting if DAK could pick up key fingerprints from LDAP,
which would then mean the key replacement process from keyring-maint PoV
was the same for DM + DD.

Otherwise from the keyring-maint side it's an extra piece of information
that comes through in the RT ticket requesting the addition of a DM key
to the keyring. It may then mean that instead of closing that ticket
when we're done we reassign it to DSA in the same way we do a DD/DN key
so they can create the LDAP entry.

> - Adjust ud to export DMs to gideon only, and create an authorized_keys
>   file with the right format and information there.
> 
> - Profit.

J.

-- 
] http://www.earth.li/~noodles/ []  "Basically, if you're allowed to   [
]  PGP/GPG Key @ the.earth.li   [] own it, you're probably allowed to  [
] via keyserver, web or email.  []     burn it." -- Stephen Gower,     [
] RSA: 4096/2DA8B985            []             ox.general              [
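The last step in Tollef's list, having ud write an authorized_keys file for the service host in "the right format", is where the least-privilege property of the whole scheme is enforced: each DM key must be tied to the restricted command and nothing else. The following is an added example of how such an export could be built, not the ud or dgit code; the record attribute names, the forced-command path and the sample records are assumptions.

```python
"""Build a restricted authorized_keys file for one service host from
LDAP-style account records (added example; not the ud or dgit code).
Assumed: records carry uid, sshRSAAuthKey (list of OpenSSH public key
strings) and allowedHost; the forced-command path is a placeholder."""
import re

FORCED_COMMAND = "/usr/local/bin/dgit-restricted-shell"  # placeholder path
# Key options that confine the key to the forced command only.
RESTRICTIONS = ("no-port-forwarding", "no-X11-forwarding",
                "no-agent-forwarding", "no-pty")
# Exactly one key type, one base64 blob and an optional comment.
KEY_RE = re.compile(r"(ssh-(?:rsa|ed25519)|ecdsa-sha2-nistp\d+) "
                    r"([A-Za-z0-9+/=]+)(?: (\S+))?")

# Constructed sample data; the key blobs are not real keys.
SAMPLE_RECORDS = [
    {"uid": "alice-dm", "allowedHost": ["gideon"],
     "sshRSAAuthKey": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk alice"]},
    {"uid": "bob", "allowedHost": ["otherhost"],
     "sshRSAAuthKey": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0 bob"]},
]

def authorized_keys_line(uid, pubkey):
    """Return one authorized_keys line confining `pubkey` to the forced
    command, which receives the LDAP uid as its argument. Rejects input
    that could smuggle extra options or a second, unrestricted line."""
    m = KEY_RE.fullmatch(pubkey.strip())
    if m is None:
        raise ValueError("malformed public key for %r" % uid)
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]*", uid):
        raise ValueError("uid %r is not safe inside a key option" % uid)
    ktype, blob, _comment = m.groups()
    opts = ",".join(('command="%s %s"' % (FORCED_COMMAND, uid),) + RESTRICTIONS)
    return "%s %s %s %s" % (opts, ktype, blob, uid)

def export_for_host(records=SAMPLE_RECORDS, host="gideon"):
    """Emit authorized_keys content for the accounts allowed on `host` only."""
    lines = [authorized_keys_line(r["uid"], k)
             for r in records if host in r.get("allowedHost", [])
             for k in r.get("sshRSAAuthKey", [])]
    return "".join(line + "\n" for line in lines)

if __name__ == "__main__":
    print(export_for_host(), end="")
```

The strict key and uid validation matters because the key strings come from user-submitted data: a value containing a newline or a quote would otherwise let a submitter append a line without the forced command.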