371283 - Partitioning LDAP to allow creation of restricted accounts

Status: RESOLVED WONTFIX

(mozilla.org Graveyard :: Server Operations, task)

Description

[Wil Clouser [:clouserw]]

I've talked to Aravind about partitioning LDAP a couple of times, but never in an "official" capacity.  Since a lot of people have asked me for an answer, and since it would solve a lot of our CMS issues, I'm posting this bug to drop a paper trail that I can point people to when they ask me for details.

So, to recap our past conversations:

Our goal would be to allow us to add ldap accounts for localizers from within a CMS.

We wondered if we could partition LDAP so certain users could add LDAP accounts, but only for that small partition (the partition representing localizers, in this case).  This would let us:

- Add localizer accounts to LDAP on the fly from the CMS
- Restrict the people adding the LDAP accounts to only that partition
- Restrict the accounts that were created in that partition from accessing other stuff (intranet, etc.)
- Ability to disable/delete accounts from that partition (if this isn't possible, we can handle that on the CMS side)

Does this sound doable with our LDAP server, or are we treading on the impossible?

Comment 1

[Reed Loden [:reed]]

/me whispers "Despot v2 is the answer to everything!" (bug 353463)

Comment 2

[Dave Miller [:justdave]]

This sounds like something to discuss at our triage meeting on Tuesday...

Comment 3

[Justin Fitzhugh]

We are waiting to see if this is needed after our Thursday meeting about the CMS.  Will comment back here after we have more info.

Comment 4

[Justin Fitzhugh]

Don't need this for the CMS as IT will create tickets.  Closing this WONTFIX.

Comment 5

[Justin Fitzhugh]

s/tickets/accounts/