Opened 12 years ago

Last modified 8 years ago

#322 new enhancement

Unauthenticated list membership API — at Initial Version

Reported by: adehnert Owned by:
Priority: normal Milestone:
Component: misc Keywords:
Cc:

Description

Many of our users would like to synchronize authz in their application with authz managed through moira lists. (Indeed, we'd probably like to do that with Trac --- http://sipb.mit.edu/trac/ticket/17. We also have a FAQ entry about doing this with Mediawiki --- http://scripts.mit.edu/faq/130/.) At the moment, I believe that requires either making your list an NFS group to use LDAP (which people dislike, given the group quota), using pts mem -noauth (which is vulnerable to a MITM), or juggling tickets and tokens to use pts mem with authentication.

If such a service already exists (a stable-ish looking LDAP server supporting HTTPS, for example), awesome. We should document it, and make sure our FAQ entries use that, not pts mem -noauth.

If not, we should write some service that uses an integrity-protected channel to get moira list membership and return it to users. (One option would be a setuid program that basically just aklog'd with some principal it had access to and ran pts mem. Another would be a web service (possibly firewalled to localhost or accessible over a unix socket) that did the same. Conceivably, this could use blanche, LDAP, or some other web service instead.)
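The second option above (a loopback-only web service that runs an authenticated pts mem and hands the result back) as an added example; this is not SIPB code and nothing the ticket ships. It assumes the process already holds AFS tokens (a keytab-based kinit/aklog done out of band, as the ticket sketches), that a `pts` binary is on PATH, and that the list-name pattern and sample pts output below are constructed rather than taken from the page.

```python
import json
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Assumed allowed shape for a Moira/AFS group name. The first character must be
# alphanumeric, so a caller can never turn the name into a pts option such as
# "-noauth" (which would silently reintroduce the MITM-prone mode the ticket warns about).
LIST_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:-]{0,63}$")


def valid_list_name(name):
    return bool(LIST_NAME.match(name))


def parse_pts_membership(output):
    """Turn `pts membership <list>` output into a list of member names.

    Constructed sample of the layout this expects:
        Members of sipb-office (id: -1234) are:
          alice
          bob
    """
    lines = output.splitlines()
    if not lines or not lines[0].startswith("Members of "):
        raise ValueError("unexpected pts output: %r" % output[:80])
    return [ln.strip() for ln in lines[1:] if ln.strip()]


def lookup_members(name, runner=subprocess.run):
    if not valid_list_name(name):
        raise ValueError("bad list name")
    # Argument vector, no shell: the caller-supplied name is a single argv entry.
    proc = runner(["pts", "membership", name], capture_output=True, text=True, check=True)
    return parse_pts_membership(proc.stdout)


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = urlparse(self.path).path.lstrip("/")
        try:
            body, code = json.dumps({"list": name, "members": lookup_members(name)}), 200
        except (ValueError, subprocess.CalledProcessError) as e:
            body, code = json.dumps({"error": str(e)}), 400
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())


if __name__ == "__main__":
    # Loopback only, as the ticket suggests; clients reach it as http://127.0.0.1:8080/<list>.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```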

Change History (0)
