socallinuxexpo / SCALE-Planning

SCALE Planning
http://www.socallinuxexpo.org

migrate LDAP? #208

Closed jhoblitt closed 8 years ago

jhoblitt commented 8 years ago

LDAP was being used for mail, Drupal, MediaWiki and shell accounts. Mail has been migrated to Gapps and the decision has been made to remove it from Drupal (https://github.com/socallinuxexpo/scale-drupal/issues/1).

Are we going to preserve MediaWiki or migrate to a different wiki system? Do we want to continue to use LDAP for shell accounts or can we live with an alternative, such as using Chef?

/cc @irabinovitch @hriday @jaymzh

irabinovitch commented 8 years ago

A correction: LDAP was only used for shell accounts on (1) host. The remaining VMs seemed to have a shared root account.

irabinovitch commented 8 years ago

I don't see any reason to bring it along. If we're looking to manage access to systems, creating users and deploying their keys via our chosen config management system seems easier than maintaining more LDAP.

jaymzh commented 8 years ago

For shell accounts I don't see a reason... but there is a benefit for things like wiki, site and other internal logins. I don't know much about MW or other things, but if there's an easy way to generate their login creds from something like Chef, I'm all for that.

jhoblitt commented 8 years ago

For a small number of admin users, say < 10, I think CM will be significantly less hassle. For general users, it starts to hurt as the user can't change password hashes or ssh keys themselves.

irabinovitch commented 8 years ago

@jaymzh Most of the systems we use have the ability to do OAuth or Google Auth. My initial thought would be to just re-use those credentials since we have them.

E.g. the following tools we're using support OAuth or Gauth:

irabinovitch commented 8 years ago

Closing this as we've decided not to migrate LDAP at this point.