
Re: Salsa as authentication provider for Debian



On Tue, Apr 07, 2020 at 03:28:07PM +0200, Xavier wrote:

> With an SSO, I don't think it's a good thing to have a protected app as
> user database (even if it's possible). Then migration consists of
> extracting gitlab accounts and pushing them into LDAP (2 branches, one
> for DD, one for guests)

Ok, please help me to see where that would be an issue.

The current status of accounts is that:

 - There is only one LDAP server, DSA-managed, on db.debian.org, which
   has accounts that do not end in "-guest". They may be DD or ex-DD
   accounts, or "guest accounts" created for non-DDs who need to have
   temporary access to porterboxes

 - There are accounts ending in "-guest" (that are not "guest
   accounts"), that are not managed by DSA, and used to be on Alioth's
   separate LDAP when alioth existed.

 - "-guest" accounts for purposes of sso.debian.org authentication are
   now stored in a hand-maintained text file that is exported somehow to
   serve as an apache authentication source for sso.debian.org

 - "-guest" accounts on Salsa are stored on Salsa's user database

We currently have all sorts of overlaps and corner cases:

 - "guest accounts" in LDAP that do not end in "-guest" and are for
   non-DDs
 - "-guest" accounts in Salsa for DDs and ex-DDs, with the part before
   "-guest" not matching the LDAP account name.

I wonder whether we have the same "-guest" accounts in Salsa and in the
sso.debian.org text file that are controlled by different people?

With the Salsa proposal:

 - the text file disappears, reducing the count of user databases from 3
   to 2
 - LDAP remains as it is, and Salsa remains as it is
 - DD accounts remain on LDAP
 - We gain an explicit mapping between LDAP accounts and Salsa accounts,
   via nm.debian.org, that we currently do not have
 - People who gain or lose DD status can keep using their Salsa account
   without needing to migrate from "something-guest" to "something", or
   from "something" to "something-guest"

With the Salsa proposal the only change from here that I can see is that
we would start to have non-DD accounts on Salsa that do not end with
"-guest", like we already have non-DD accounts on LDAP now that do not
end with "-guest".

I still don't see how the Salsa proposal makes adoption of a new system
harder than what we have now: removing one user database and introducing
a mapping between the remaining two, seem to me to make further
adoptions actually easier.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
