All,
I just wanted to give you an update of the things Martin and I did this afternoon. Big props to Martin for slogging through most of our LDAP issues. The only outstanding item left is adding the schema to the users to allow *nix logins. With the big parts in place now, we hope to do that soon. Please take a look and verify that things are working properly. We've done some cursory checks, but we may have missed something. Commits, logins, etc, need to be verified.
Thanks Martin, it was a successful collaboration.
Howard
- We combined the virtual hosts that were in the virtual_hosts.conf fine and
placed them in the hosts/ directory. In the end, it was only the mapguide
host that was still active in virtual_hosts.conf.
- We removed (commented out) the mapguide2.osgeo.org vhost
- We added an ldap_auth_url.inc file, which is to be included wherever you
wish to use LDAP authentication. See the trac or subversion configuration
files for an example
- A consequence of this change is we use the same AuthName everywhere
(AuthName "OSGeo Login"). This includes the subversion hosts. When you try
to commit a file, it may complain to you about needing to log in again
because the AuthName has changed.
- AuthName can be overridden with a subsequent directive if necessary (see
trac/kidsgis.conf for an example), but we would like to discourage it. It
adds duplication and negates the "single sign on"-ness of our
infrastructure
- ldap_create_user.py and ldap_search.py have been modified to use ou=People
instead of ou=people
- all LDAP entries have been modified to be ou=People instead of ou=people
- subversion no longer answers any repositories at ./svn/reponame. As part of
the changes two years ago, you were notified this was going to go away 
The only repositories that appeared to still have this were the fdo/mapguide
ones that were holdouts of the collabnet transition. If they need to be
turned on to allow a svn switch --relocate to happen, please let me know.
- Apache SSL certificates have been moved into /etc/ssl/ and respective
three-letter subdirectories.
- Group 'ssl-cert' has been added, members are 'ldap' and 'apache'.
- The SSL private key has been made group-readable to 'ssl-cert'.
- Thus, Apache and OpenLDAP are now sharing a common set of SSL keys.
- OpenLDAP ACL's have been set to allow binding as user (highly
recommended wherever possible !!), users are enabled to change their
own password without being required to bind to LDAP as "Manager".
- LDAP access over SSL has been successfully tested from
'download.osgeo.org'.