Opened 12 years ago
Last modified 8 years ago
#322 new enhancement
Unauthenticated list membership API — at Initial Version
Reported by: | adehnert | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | misc | Keywords: | |
Cc: | | | |
Description
Many of our users would like to synchronize authz in their application with authz managed through moira lists. (Indeed, we'd probably like to do that with Trac --- http://sipb.mit.edu/trac/ticket/17. We also have a FAQ entry about doing this with Mediawiki --- http://scripts.mit.edu/faq/130/.) At the moment, I believe that requires either making your list an NFS group to use LDAP (which people dislike, given the group quota), using pts mem -noauth (which is vulnerable to a MITM), or juggling tickets and tokens to use pts mem with authentication.
If such a service already exists (a stable-ish looking LDAP server supporting HTTPS, for example), awesome. We should document it, and make sure our FAQ entries use that, not pts mem -noauth.
If not, we should write some service that uses an integrity-protected channel to get moira list membership and return it to users. (One option would be a setuid program that basically just aklog'd with some principal it had access to and ran pts mem. Another would be a web service (possibly firewalled to localhost or accessible over a unix socket) that did the same. Conceivably, this could use blanche, LDAP, or some other web service instead.)
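An added sketch of the second option above (a loopback-only web service that runs `pts membership` under the service's own authenticated AFS identity); this is example code, not anything from the ticket or from SIPB. It assumes `aklog` has already been run for a suitable principal before the server starts, that lists are looked up as `system:<name>`, and that `pts membership` prints one header line ending in "are:" followed by one indented member per line; the allow-list regex is a conservative assumption, not Moira's actual naming rule.

```python
import json
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Assumed allow-list for list names passed to pts. Since the service runs
# with a privileged principal, anything that is not plainly a list name is
# rejected, including option-looking values such as "-noauth".
LIST_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")

def validate_list_name(name):
    """True only for names safe to pass to pts as a positional argument."""
    return bool(LIST_NAME_RE.match(name))

def parse_pts_membership(output):
    """Parse assumed 'pts membership' output: skip the 'Members of ... are:'
    header, return the remaining non-empty lines as member names."""
    members = []
    for line in output.splitlines():
        if line.startswith("Members of ") and line.rstrip().endswith("are:"):
            continue
        if line.strip():
            members.append(line.strip())
    return members

def list_members(name, runner=subprocess.run):
    """Look up a list under the service's own (already authenticated) identity."""
    if not validate_list_name(name):
        raise ValueError("invalid list name")
    # argv list, no shell: user input can never become extra arguments
    proc = runner(["pts", "membership", "system:" + name],
                  capture_output=True, text=True, check=True)
    return parse_pts_membership(proc.stdout)

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = parse_qs(urlparse(self.path).query).get("list", [""])[0]
        try:
            body, status = json.dumps({"list": name, "members": list_members(name)}), 200
        except ValueError:
            body, status = json.dumps({"error": "invalid list name"}), 400
        except subprocess.CalledProcessError:
            body, status = json.dumps({"error": "lookup failed"}), 502
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body.encode())

if __name__ == "__main__":  # bind to loopback only, as the ticket proposes
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Clients on the same host query `http://127.0.0.1:8080/?list=<name>` and get JSON back; the integrity of the answer then rests on the authenticated pts call rather than on an unauthenticated `pts mem -noauth`.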