
Re: Salsa as authentication provider for Debian



On Thu, Apr 09, 2020 at 07:46:21PM +0200, Tollef Fog Heen wrote:

> > For guest accounts opened by DSA directly, it can be pretty much the
> > same: you can use the current Salsa account name of the person as the
> > username for the guest account.
> 
> I don't think we want to make the Debian LDAP service subservient to
> salsa's, which this effectively would.  (People requesting guest
> accounts might also not have salsa accounts.)

You don't have to, and I wouldn't consider LDAP subservient to anything:
if you create an account in LDAP that exists on Salsa, when the Salsa
user wants a guest account or to become DD, we'll ask them to rename
their Salsa account because the LDAP one is already taken.

The idea is to leave DSA free to implement whatever policy they want and
manage their LDAP namespaces as they see fit. When people want to create
accounts in them, they adapt according to the rules DSA sets.
nm.debian.org tries to validate as much as possible according to those
rules, to make things smoother. What we can't validate, we deal with it
on a case by case basis.

This is pretty much what happens today: DSA gets to refuse (and
does refuse) account names arbitrarily without providing explanations
even when we ask, and we suck it up and deal with it. This is not
something we outside DSA can change, and it's not something I expect
will change.


Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
