Hi folks,

I have been working on some updates to the LDAP service, and I would like to get rid of ou=meta,ou=groups,dc=apache,dc=org (or at least the process which manages it).

Some history -- this ou was created to address a problem which arose after project groups were converted to member/owner (INFRA-16188). The Atlassian Crowd service that feeds authentication and authorization for Jira and Confluence does not understand the "owner" concept. Infra had previously created local roles in cwiki and jira, and generally pushed maintenance of memberships of said roles to the project owners defined within cwiki and jira. Over time this grew cumbersome, and we elected to switch to LDAP-based groups, but we only had access via Crowd to the attr=member version of the groups, so we could not assign PMC-based roles.

Because of this, I created a stop-gap process which drops and reloads ou=meta nightly, populating ou=$project-pmc,ou=meta,ou=groups,dc=apache,dc=org with attr=member of the PMC members. This process is awkward, and causes problems with the LDAP audit logging system.

I would like to gather feedback on re-creating and maintaining the ou=pmc tree in parallel with the owner/member paradigm that is now in place, specifically to support Crowd-based applications (which now also include JFrog/Artifactory), or other 3rd party tooling which may not understand member/owner.

At this time, I believe the only ASF tooling which creates or modifies the owner attribute of project groups is Whimsy, so any code adjustments would likely have to happen here.

What are your thoughts?

Thanks,
Chris
ASF Infra
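
As an added illustration (not part of the original message and not Whimsy code), the Ruby sketch below shows one way a member-only PMC mirror could be kept in step with the owner attribute by emitting only the LDIF changes that are needed, so the audit log records real membership changes rather than a nightly drop and reload. The entry naming `cn=<project>,ou=pmc,...`, the `groupOfNames` object class, the function names and the sample data are assumptions.

```ruby
# Added illustration; not code from the original message or from Whimsy.
# Assumed layout: cn=<project>,ou=pmc,<GROUPS_BASE>, objectClass groupOfNames.
GROUPS_BASE = 'ou=groups,dc=apache,dc=org'

def pmc_dn(project)
  "cn=#{project},ou=pmc,#{GROUPS_BASE}"
end

# owners: { project => [owner DNs] } as read from the project groups.
# mirror: { project => [member DNs] } as currently stored in the mirror tree.
# Returns LDIF change records; entries already in sync produce no record.
def pmc_sync_ldif(owners, mirror)
  # Compare DNs case-insensitively; values are emitted lowercased.
  norm = ->(dns) { dns.map { |d| d.strip.downcase }.uniq.sort }
  records = []
  (owners.keys | mirror.keys).sort.each do |project|
    want = norm.call(owners.fetch(project, []))
    have = norm.call(mirror.fetch(project, []))
    next if want == have
    lines = ["dn: #{pmc_dn(project)}"]
    if want.empty?
      # groupOfNames needs at least one member, so a removed or empty
      # PMC deletes the mirror entry.
      lines << 'changetype: delete'
    elsif have.empty?
      lines += ['changetype: add', 'objectClass: groupOfNames', "cn: #{project}"]
      lines += want.map { |m| "member: #{m}" }
    else
      add = want - have
      del = have - want
      lines << 'changetype: modify'
      lines += ['add: member', *add.map { |m| "member: #{m}" }, '-'] unless add.empty?
      lines += ['delete: member', *del.map { |m| "member: #{m}" }, '-'] unless del.empty?
    end
    records << lines.join("\n") + "\n"
  end
  records.join("\n")
end

# Constructed sample data (hypothetical projects and uids).
def person(uid)
  "uid=#{uid},ou=people,dc=apache,dc=org"
end
SAMPLE_OWNERS = { 'alpha' => [person('ann'), person('bob')],
                  'beta' => [person('cat')], 'gamma' => [person('dan')] }.freeze
SAMPLE_MIRROR = { 'alpha' => [person('ann'), person('eve')],
                  'beta' => [person('cat')], 'retired' => [person('zed')] }.freeze

puts pmc_sync_ldif(SAMPLE_OWNERS, SAMPLE_MIRROR) if $PROGRAM_NAME == __FILE__
```

With the sample data, only three records are produced (a modify for alpha, an add for gamma, a delete for retired), and the unchanged beta group generates no write at all.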