On 07/04/2020 at 16:02, Enrico Zini wrote:
> On Tue, Apr 07, 2020 at 03:28:07PM +0200, Xavier wrote:
>
>> With an SSO, I don't think it's a good thing to have a protected app as
>> user database (even if it's possible). Then migration consists of
>> extracting gitlab accounts and pushing them into LDAP (2 branches, one
>> for DD, one for guests)
>
> Ok, please help me to see where that would be an issue.

It's not an issue. With an SSO we shall probably change this: salsa
accounts will be created on-the-fly using a federation mechanism, then
there is only one user database (LDAP with 2 branches)

> The current status of accounts is that:
>
> - There is only one LDAP server, DSA-managed, on db.debian.org, which
>   has accounts that do not end in "-guest". They may be DD or ex-DD
>   accounts, or "guest accounts" created for non-DDs who need to have
>   temporary access to porterboxes
>
> - There are accounts ending in "-guest" (that are not "guest
>   accounts"), that are not managed by DSA, and used to be on Alioth's
>   separate LDAP when alioth existed.
>
> - "-guest" accounts for purposes of sso.debian.org authentication are
>   now stored on a hand-maintained text file that is exported somehow to
>   serve as an apache authentication source for sso.debian.org
>
> - "-guest" accounts on Salsa are stored on Salsa's user database
>
> We currently have all sorts of overlaps and corner cases:
>
> - "guest accounts" in LDAP that do not end in "-guest" and are for
>   non-DDs
> - "-guest" accounts in Salsa for DDs and ex-DDs, with the part before
>   "-guest" not matching the LDAP account name.
>
> I wonder if we have the same "-guest" accounts in Salsa and in the
> sso.debian.org text file, that are controlled by different people?
>
> With the Salsa proposal:
>
> - the text file disappears, reducing the count of user databases from 3
>   to 2
> - LDAP remains as it is, and Salsa remains as it is
> - DD accounts remain on LDAP
> - We gain an explicit mapping between LDAP accounts and Salsa accounts,
>   via nm.debian.org, that we currently do not have
> - People who gain or lose DD status can keep using their Salsa account
>   without needing to migrate from "something-guest" to "something", or
>   from "something" to "something-guest"
>
> With the Salsa proposal the only change from here that I can see is that
> we would start to have non-DD accounts on Salsa that do not end with
> "-guest", like we already have non-DD accounts on LDAP now that do not
> end with "-guest".
>
> I still don't see how the Salsa proposal makes adoption of a new system
> harder than what we have now: removing one user database and introducing
> a mapping between the remaining two seems to me to make further
> adoptions actually easier.

No, not harder, just different ;-)