[fdo-internals] FW: [SAC] Today's administration notes

Jason Birch Jason.Birch at nanaimo.ca
Sun Dec 7 00:21:56 EST 2008


See below; FYI from the systems admin committee.
 
Main takeaway (other than the great steps towards SSO that Howard and Martin made) is that the fdo and mapguide SVN repositories are no longer available under the deprecated osgeo.org/svn/reponame address, and must be accessed from svn.osgeo.org/reponame.
 
Howard notes that this could be turned back on temporarily to allow an svn switch --relocate, but hopefully nobody is still using this old access method.
 
Jason
 

________________________________

From: sac-bounces at lists.osgeo.org on behalf of Howard Butler
Sent: Sat 2008-12-06 1:36 PM
To: System Administration Committee Discussion/OSGeo
Subject: [SAC] Today's administration notes



All,

I just wanted to give you an update of the things Martin and I did 
this afternoon.  Big props to Martin for slogging through most of our 
LDAP issues.  The only outstanding item left is adding the schema to 
the users to allow *nix logins.  With the big parts in place now, we 
hope to do that soon.  Please take a look and verify that things are 
working properly.  We've done some cursory checks, but we may have 
missed something.  Commits, logins, etc, need to be verified.

Thanks Martin, it was a successful collaboration.

Howard


- We combined the virtual hosts that were in the virtual_hosts.conf file and
   placed them in the hosts/ directory. In the end, it was only the mapguide
   host that was still active in virtual_hosts.conf.

- We removed (commented out) the mapguide2.osgeo.org vhost

- We added an ldap_auth_url.inc file, which is to be included wherever you
   wish to use LDAP authentication. See the trac or subversion configuration
   files for an example.

   - A consequence of this change is we use the same AuthName everywhere
     (AuthName "OSGeo Login"). This includes the subversion hosts. When you try
     to commit a file, it may complain to you about needing to log in again
     because the AuthName has changed.

   - AuthName can be overridden with a subsequent directive if necessary (see
     trac/kidsgis.conf for an example), but we would like to discourage it. It
     adds duplication and negates the "single sign on"-ness of our
     infrastructure.

- ldap_create_user.py and ldap_search.py have been modified to use ou=People
   instead of ou=people

- all LDAP entries have been modified to be ou=People instead of ou=people

- subversion no longer answers any repositories at ./svn/reponame. As part of
   the changes two years ago, you were notified this was going to go away :)
   The only repositories that appeared to still have this were the fdo/mapguide
   ones that were holdouts of the collabnet transition. If they need to be
   turned on to allow a svn switch --relocate to happen, please let me know.

- Apache SSL certificates have been moved into /etc/ssl/ and respective
   three-letter subdirectories.

- Group 'ssl-cert' has been added, members are 'ldap' and 'apache'.

- The SSL private key has been made group-readable to 'ssl-cert'.

- Thus, Apache and OpenLDAP are now sharing a common set of SSL keys.

- OpenLDAP ACLs have been set to allow binding as user (highly
   recommended wherever possible!!), users are enabled to change their
   own password without being required to bind to LDAP as "Manager".

- LDAP access over SSL has been successfully tested from
   'download.osgeo.org'.
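
A check for the key-sharing arrangement in the notes above, as an added example that is not part of the original message or OSGeo's own tooling: it audits a private key's mode, group and group membership against the 'ssl-cert' / 'ldap' / 'apache' setup described. The function names are hypothetical, and the key path is supplied by the caller because the notes do not name the file under /etc/ssl/.

```python
import grp
import os
import stat
import sys

# Group and member names are taken from the notes above.
EXPECTED_GROUP = "ssl-cert"
ALLOWED_MEMBERS = {"ldap", "apache"}


def check_key_metadata(mode, group_name, group_members,
                       expected_group=EXPECTED_GROUP,
                       allowed_members=ALLOWED_MEMBERS):
    """Return a list of findings for a shared private key's metadata."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if mode & stat.S_IRWXO:
        findings.append("accessible to 'other' (world)")
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group has more than read access")
    if group_name != expected_group:
        findings.append(f"group is {group_name!r}, expected {expected_group!r}")
    extra = sorted(set(group_members) - set(allowed_members))
    if extra:
        findings.append(f"unexpected group members: {', '.join(extra)}")
    return findings


def audit_key_file(path, expected_group=EXPECTED_GROUP,
                   allowed_members=ALLOWED_MEMBERS):
    """Stat the key without following symlinks and audit what is found."""
    st = os.lstat(path)
    try:
        entry = grp.getgrgid(st.st_gid)
        # gr_mem lists supplementary members only; accounts whose primary
        # group is the key's group do not appear here.
        name, members = entry.gr_name, entry.gr_mem
    except KeyError:  # gid has no entry in the group database
        name, members = str(st.st_gid), []
    return check_key_metadata(st.st_mode, name, members,
                              expected_group, allowed_members)


if __name__ == "__main__":
    # Usage: pass one or more key file paths on the command line.
    for path in sys.argv[1:]:
        for finding in (audit_key_file(path) or ["ok"]):
            print(f"{path}: {finding}")
```

An empty result means the key is a regular file, closed to 'other', read-only for the group, owned by 'ssl-cert', and that group lists no members beyond 'ldap' and 'apache'.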
