LDAP Directory Services

Given the number of developers we now have with Git accounts, keeping track of them in the /etc/passwd file is not the best option. These days, we use an LDAP server, specifically OpenLDAP.

The LDAP port is only accessible via the 'backend' network interfaces on the GNOME servers, so it's not a service that anyone outside of the sysadmin group would deal with directly.

Each user in the GNOME community will have a 'posixAccount' record, containing their name, e-mail, uid, etc. Anyone with a legacy CVS 'pserver' account will also have attributes related to that (using a custom schema).

Jonathan Blandford did most of the work setting this up. Thanks, Jonathan - it's well handy.

How it works

It's just a fairly standard OpenLDAP installation, with a couple of extra schemas plumbed in. The exciting bits are the scripts which generate configuration information from the LDAP data, such as the script on container that generates the 'authorized_keys' files for all the users on that host, or the one on menubar that generates the '@gnome.org' mail aliases.
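To make the "generate authorized_keys from LDAP data" step concrete, here is an added example (not the GNOME sysadmin script, and not part of this page). It assumes the directory is exported as LDIF (as `ldapsearch -LLL` would produce) and that SSH keys live in an `sshPublicKey` attribute; that attribute name, the allowed key types and the sample entries are all assumptions constructed for the example. It handles the two things that usually trip such scripts up: LDIF line folding (keys are long, so they wrap) and malformed keys, which are dropped rather than written into a file sshd will read.

```python
"""Generate per-user authorized_keys content from posixAccount entries in LDIF.

Added example; it is not the GNOME infrastructure script. Assumptions: users are
exported as LDIF, and SSH keys sit in an `sshPublicKey` attribute (the common
openssh-lpk schema name). All sample data below is constructed.
"""
import base64
import binascii
import os
import re
import struct
import tempfile
from typing import Dict, List

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
SSH_KEY_ATTR = "sshPublicKey"  # assumption: openssh-lpk style attribute


def _wire_key(key_type: str, payload: bytes) -> str:
    """Base64 body of an OpenSSH public key (used only to build sample data)."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + payload
    return base64.b64encode(blob).decode()


# Constructed 32-byte "ed25519" payload for alice; not a real key.
_ALICE_KEY = _wire_key("ssh-ed25519", struct.pack(">I", 32) + bytes(range(32)))

# Constructed LDIF export: alice has a folded, well-formed key; bob has a
# malformed key; the third entry is a group and must be ignored.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
mail: alice@example.org
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
{SSH_KEY_ATTR}: ssh-ed25519 {_ALICE_KEY[:40]}
 {_ALICE_KEY[40:]} alice@laptop

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
{SSH_KEY_ATTR}: ssh-rsa not-base64!! bob@desk

dn: cn=developers,ou=groups,dc=example,dc=org
objectClass: posixGroup
cn: developers
memberUid: alice
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: unfolds continuation lines, decodes 'attr::' base64 values."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical:
        if not line.strip():                     # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m or line.startswith("#"):
            continue                             # tolerate junk lines
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def valid_public_key(line: str) -> bool:
    """True only for a well-formed OpenSSH key line of an allowed type.

    The decoded blob must start with a length-prefixed string equal to the
    declared type, the same consistency check ssh-keygen applies.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii", "replace") == parts[0]


def authorized_keys_by_user(ldif_text: str) -> Dict[str, str]:
    """Map each posixAccount uid to its authorized_keys content.

    Non-account entries are skipped, uids that are not safe path components are
    refused, and bad keys are dropped. A user with no valid key gets an empty
    file, so regenerating also revokes keys removed from the directory.
    """
    result: Dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        if "posixAccount" not in entry.get("objectClass", []):
            continue
        uid = entry.get("uid", [""])[0]
        if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", uid):
            continue
        keys = [k for k in entry.get(SSH_KEY_ATTR, []) if valid_public_key(k)]
        result[uid] = "".join(k + "\n" for k in keys)
    return result


def write_authorized_keys(mapping: Dict[str, str], root: str) -> List[str]:
    """Write <root>/<uid>/.ssh/authorized_keys with 0700/0600 permissions."""
    written: List[str] = []
    for uid, content in mapping.items():
        ssh_dir = os.path.join(root, uid, ".ssh")
        os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
        path = os.path.join(ssh_dir, "authorized_keys")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(content)
        os.chmod(path, 0o600)
        written.append(path)
    return written


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for p in write_authorized_keys(authorized_keys_by_user(SAMPLE_LDIF), tmp):
            with open(p, encoding="ascii") as fh:
                print(p, repr(fh.read()))
```

Two design points worth noting: the uid is validated before it becomes part of a filesystem path, because a directory entry is data written by the accounts team and should not be trusted as a path component; and every account present in the directory gets a file written, even an empty one, so that removing a key from LDAP actually removes it from the host on the next run.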

There is a web interface available to sysadmin and accounts team members that allows users to be added to LDAP, added to and removed from the relevant groups, SSH keys to be updated, etc. We also have a request tracking system handling e-mail to 'accounts@gnome.org', so the tickets appear on the request tracker and are dealt with on the LDAP web interface (a.k.a. Mango).

LDAP Infrastructure

  • clipboard is the master (a.k.a. ldap-back)

  • view is our slave

More reading about how we manage the SSL certificates for our LDAP instances at ../SOP/LDAPCertificates.

Infrastructure/Archive/LDAP (last edited 2020-11-04 13:58:18 by AndreaVeri)