Comment 40 for bug 881019

Robert Collins (lifeless) wrote : Re: [Bug 881019] Re: Lp login is broken after account merge

On Tue, May 29, 2012 at 2:13 AM, Monty Taylor <email address hidden> wrote:
> On 05/28/2012 12:42 AM, Robert Collins wrote:
>> I think you need to change your integration logic :)
>
> Heh. It always seems that way at first glance.
>
>> Define the LP ids you want to have access however you want to do it;
>> when an openid login occurs, call the LP mapping IP with the openid
>> identifier that was used to login, and that will give you their LP
>> userid (if it exists).
>>
>> -> no batch scripting needed at all.
>
> Well, we'll still have to batch-operate to get the set of LP ids and
> their group membership and their SSH keys so that ssh-based auth

From this I infer you are using openssh or similar? There is e.g.
conch which can talk to LP directly with only a modicum of effort, and
do real-time access for keys (and group checks).

Or, I'm sure it's around somewhere, you could use the LP PAM module. I
may be misremembering the existence of this, though I'm sure someone
did write one.

> continues to work (or stops working if we remove someone from a group
> and they don't happen to log in via the web after that). So unless you
> want to provide an LDAP interface to launchpad auth ... :) we'll have to
> keep doing that. Since we're doing that - just pre-grabbing the openid
> information makes way more sense than attempting to inject an api call
> into the gerrit openid chain.

Ok, so that seems like you'd have a user for getting the N-openid
identifiers list. Note that it really is an arbitrary length list:
users can have as many openid identifiers as they want. Does gerrit
support such a mapping (N openid identifiers, one user)?