... | ... | @@ -1403,7 +1403,7 @@ TL;DR: three phase migration away from LDAP |
|
|
1. stopgap: merge with upstream, port to Python 3 if necessary
|
|
|
2. move hosts to Puppet, replace ud-ldap with another user dashboard
|
|
|
3. move users to Puppet (sysadmins) or Kubernetes / GitLab CI /
|
|
|
GitLab Pages (developers), remove LDAP
|
|
|
GitLab Pages (developers), remove LDAP and replace with SSO dashboard
|
|
|
|
|
|
The long version...
|
|
|
|
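Review bot: the TL;DR now states step 3 unconditionally as "remove LDAP and replace with SSO dashboard", but the body of this same change introduces the SSO dashboard only as something that "could be considered" and the matching heading says "possibly SSO dashboard"; the summary should carry the same hedge so readers skimming the TL;DR do not take SSO as a committed deliverable. Suggest "remove LDAP, possibly replacing it with an SSO dashboard" for the step 3 line.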
... | ... | @@ -1446,7 +1446,7 @@ So hopefully, in the mid term, it should be possible to completely |
|
|
replace ud-ldap with Puppet for hosts and sysadmins, and an already
|
|
|
existing LDAP dashboard for user interaction.
|
|
|
|
|
|
### Long term: replace LDAP completely, with Puppet, GitLab and Kubernetes
|
|
|
### Long term: replace LDAP completely, with Puppet, GitLab and Kubernetes, possibly SSO dashboard
|
|
|
|
|
|
In the **long term**, the situation is muddier: at this stage, our
|
|
|
dependence on ud-ldap is either small (just users) or non-existent (we
|
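Review bot: the mid-term paragraph kept as context above still plans on "an already existing LDAP dashboard for user interaction", while the long-term heading now adds a second, SSO, dashboard; the change should say whether the SSO dashboard is meant to supersede that LDAP dashboard, since running users through two successive dashboard migrations doubles the account-management churn the three-phase plan is trying to avoid. If the intent is that SSO only arrives once LDAP is gone, a short clause in the heading or the first paragraph of the section ("... and, once LDAP is retired, possibly an SSO dashboard") would make the ordering explicit.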
... | ... | @@ -1528,6 +1528,14 @@ This is obviously a quite large undertaking and would need to be |
|
|
performed progressively. Thankfully, it can be done in parallel
|
|
|
without having to convert everything in one go.
|
|
|
|
|
|
Alternatively, a single-sign-on dashboard like [FreeIPA][] or
|
|
|
[Keycloak][] could be considered, to unify service authentication and
|
|
|
remove the plethora of user/password pairs we use everywhere. This is
|
|
|
definitely not being served by the current authentication system
|
|
|
(LDAP) which basically offers us a single password for all services
|
|
|
(unless we change the schema to add a password for each new service,
|
|
|
which is hardly practical).
|
|
|
|
|
|
## Cost
|
|
|
|
|
|
This would be part of the running TPA budget.
|
... | ... | |
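Review bot: the new paragraph proposes FreeIPA under a heading that promises to "replace LDAP completely", but FreeIPA is itself built on an LDAP directory (389 Directory Server) plus Kerberos, so choosing it would swap ud-ldap for another LDAP server rather than remove LDAP; Keycloak, by contrast, is an OIDC/SAML identity provider that can run without an LDAP backend. Suggest stating that distinction, e.g. "a single-sign-on provider like [Keycloak][] (or [FreeIPA][], which is itself LDAP-based)". The security argument in the paragraph also deserves one more sentence: with "a single password for all services", any one service that handles the password can replay it against every other service, whereas an SSO flow gives each service a short-lived token scoped to that service and keeps the password only at the identity provider, which is the concrete blast-radius reduction the paragraph is reaching for. Finally, the reference-style links [FreeIPA][] and [Keycloak][] need matching link definitions, and none appear in this hunk; confirm they exist elsewhere in the file or the rendered page will show the bare brackets.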