[https://issues.apache.org/jira/browse/WHIMSY-298?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16965205#comment-16965205]
Sam Ruby commented on WHIMSY-298:
---------------------------------
> both the ou=projects and the PMC-based ou=meta groups
That, unfortunately, would be necessary, otherwise we will break the ability to
allow PMC members to update their own membership. Take a look at the following:
[https://github.com/apache/infrastructure-puppet/blob/763ef5a69f24e2b15a0ad1f4c99556c4064bec55/modules/ldapserver/templates/slapd.conf.erb#L293]
In particular, line 300. When I last looked into this, it was possible to do
one of two things: enable an attribute within the same LDAP entry to control
access, or enable a fixed path to determine access. The problem was that the
latter is neither "relative" nor does it provide wildcards (or if it does, I
couldn't figure out how).
What that means is that if you wanted cn=whimsy,ou=meta to be able to control
cn=whimsy,ou=group you would need to have a separate entry in slapd.conf for
that. And that would need to be repeated for each PMC.
P.S. I presume that this has moved to infra-p6, but I haven't figured out how
to link to such.
> create/maintain meta-groups for PMCs in LDAP
> --------------------------------------------
>
> Key: WHIMSY-298
> URL: https://issues.apache.org/jira/browse/WHIMSY-298
> Project: Whimsy
> Issue Type: New Feature
> Reporter: Chris Lambertus
> Priority: Minor
>
> Infra discovered a downside to the owner/member paradigm of the new LDAP
> group management style, in that most commercial LDAP-based tooling doesn't
> have the ability to set specific queries for various authentication
> parameters. This is most notable in our Atlassian Crowd implementation, in
> that Crowd only "sees" the members groups and has no way to parse out the
> Owners for additional privilege scope. Infra has currently created a manual
> workaround, which is documented in this (currently non-canonical,
> non-functional) script:
> [https://github.com/apache/infrastructure-p6/blob/9813eacad87fcac69f21e7b7c3233541685bd789/modules/cwiki_asf/files/refresh_meta.sh]
>
> As you can see, this script would create a new LDAP OU called 'meta' which
> ETLs the existing owner attributes into a $project-pmc DN which is then
> visible to Crowd and can be used to apply PMC permissions to Jira and
> Confluence. We're currently doing this manually "on-demand" until we finish
> some necessary back-end work for the script to function.
> I realize it's a step backwards to once again have to manage multiple LDAP
> groups, but unfortunately, this separation is required due to a lack of
> support for the owner/member attributes for Crowd.
> It may be worth Whimsy considering patching to update both the ou=projects
> and the PMC-based ou=meta groups. If this is something you'd like to do, I
> would recommend a new OU, as Infra will be continuing to do this purge/ETL
> for the ou=meta group for the foreseeable future.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
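The issue describes an ETL that copies each project group's owner attribute into a `$project-pmc` group under ou=meta so that Crowd can see PMC membership. The following is an added example, written for this page and not Whimsy code or the refresh_meta.sh script the issue links to: it parses a small constructed LDIF of ou=project groups, computes the meta groups the owners imply, diffs them against the current ou=meta entries, and renders the difference as LDIF change records an operator can review before applying. The base DNs, the `groupOfNames` object class for new groups, and the sample entries are assumptions.

```ruby
# Added example, not part of Whimsy or the issue's refresh_meta.sh.
# Derives ou=meta "<project>-pmc" groups from the owner attribute of ou=project
# groups and reports the changes needed to bring ou=meta in line.
# Base DNs and sample entries are constructed assumptions.

PROJECT_BASE = 'ou=project,ou=groups,dc=example,dc=org'
META_BASE    = 'ou=meta,dc=example,dc=org'

# Minimal LDIF parser for the subset used here (no base64, no line folding).
# Returns { dn => { attr => [values] } }.
def parse_ldif(text)
  entries = {}
  current = nil
  text.each_line do |line|
    line = line.chomp
    if line.empty?
      current = nil
      next
    end
    attr, value = line.split(': ', 2)
    next if value.nil?
    if attr == 'dn'
      current = entries[value] = Hash.new { |h, k| h[k] = [] }
    elsif current
      current[attr] << value
    end
  end
  entries
end

# Desired meta groups: "<project>-pmc" whose members are the project's owners.
def desired_meta_groups(project_entries)
  project_entries.each_with_object({}) do |(_dn, attrs), meta|
    project = attrs['cn'].first
    meta["cn=#{project}-pmc,#{META_BASE}"] = attrs['owner'].sort.uniq
  end
end

# Compare desired membership with the current ou=meta entries.
# Returns { dn => { create:, add:, delete: } } for groups that need a change;
# a member present in ou=meta but no longer an owner is stale privilege.
def meta_group_drift(desired, current_meta)
  desired.each_with_object({}) do |(dn, owners), drift|
    existing = current_meta[dn]
    have = existing ? existing['member'] : []
    add    = owners - have
    delete = have - owners
    next if existing && add.empty? && delete.empty?
    drift[dn] = { create: existing.nil?, add: add, delete: delete }
  end
end

# Render the drift as LDIF change records for review before ldapmodify.
def to_ldif(drift)
  drift.map do |dn, change|
    lines = ["dn: #{dn}"]
    if change[:create]
      # objectClass for a new meta group is an assumption
      lines << 'changetype: add' << 'objectClass: groupOfNames' << "cn: #{dn[/^cn=([^,]+)/, 1]}"
      change[:add].each { |m| lines << "member: #{m}" }
    else
      lines << 'changetype: modify'
      unless change[:add].empty?
        lines << 'add: member'
        change[:add].each { |m| lines << "member: #{m}" }
        lines << '-'
      end
      unless change[:delete].empty?
        lines << 'delete: member'
        change[:delete].each { |m| lines << "member: #{m}" }
        lines << '-'
      end
    end
    lines.join("\n")
  end.join("\n\n")
end

# Constructed sample data: two project groups and a meta group that has drifted
# (carol is no longer an owner, bob is missing, tomee-pmc does not exist yet).
SAMPLE_PROJECTS = <<~LDIF
  dn: cn=whimsy,#{PROJECT_BASE}
  cn: whimsy
  owner: uid=alice,ou=people,dc=example,dc=org
  owner: uid=bob,ou=people,dc=example,dc=org
  member: uid=alice,ou=people,dc=example,dc=org
  member: uid=bob,ou=people,dc=example,dc=org
  member: uid=carol,ou=people,dc=example,dc=org

  dn: cn=tomee,#{PROJECT_BASE}
  cn: tomee
  owner: uid=dave,ou=people,dc=example,dc=org
  member: uid=dave,ou=people,dc=example,dc=org
LDIF

SAMPLE_META = <<~LDIF
  dn: cn=whimsy-pmc,#{META_BASE}
  cn: whimsy-pmc
  member: uid=alice,ou=people,dc=example,dc=org
  member: uid=carol,ou=people,dc=example,dc=org
LDIF

def run(project_ldif = SAMPLE_PROJECTS, meta_ldif = SAMPLE_META)
  desired = desired_meta_groups(parse_ldif(project_ldif))
  to_ldif(meta_group_drift(desired, parse_ldif(meta_ldif)))
end

puts run if $PROGRAM_NAME == __FILE__
```

Running the script prints a `changetype: modify` record that adds bob to and deletes carol from cn=whimsy-pmc, and a `changetype: add` record for cn=tomee-pmc. Emitting a reviewable diff rather than rewriting the meta groups wholesale keeps the delete side visible: a member left behind in ou=meta after losing ownership still receives PMC permissions in Jira and Confluence through Crowd, so that is the line an operator should check on every run.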