The GNOME Infrastructure is now powered by FreeIPA!



As pre-announced at [1], the GNOME Infrastructure has switched to a new 
Account Management System which is reachable at https://account.gnome.org.

All the details will follow.


Introduction
----------

It's been a while since anyone actually touched the underlying 
authentication infrastructure that powers the GNOME machines. The very 
first setup was originally configured by Jonathan Blandford (jrb), who 
set up an OpenLDAP instance with several customized schemas 
(pServer fields in the old CVS days, pubAuthorizedKeys and GNOME 
module related fields in more recent times).

While the OpenLDAP server was living on the GNOME machine called clipboard 
(aka ldap.gnome.org), the clients were configured to synchronize users, 
groups and passwords through the nslcd daemon. After several years Jeff 
Schroeder joined the Sysadmin Team and during one cold evening (the date 
is Tue, February 1st 2011) spent some time configuring SSSD to replace 
the nslcd daemon, which was missing one of the most important SSSD 
features: caching. What surely convinced Jeff to adopt SSSD (a very 
new but promising software at that time, as the first release happened 
right before Christmas 2010), and as the commit log also states ("New 
sssd module for ldap information caching"), was SSSD's caching feature. 

It was enough for a user to log in once and the '/var/lib/sss/db' 
directory was populated with their login information, so the daemon in 
charge of picking up login details no longer had to query the LDAP 
server itself every single time a request was made against it. This 
feature has definitely helped on many occasions, especially when the 
LDAP server was down for some reason and sysadmins needed to access a 
specific machine or service: without SSSD this was never going to work 
and sysadmins would probably have been locked out of the machines they 
were used to managing (unless you still had '/etc/passwd', '/etc/group' 
and '/etc/shadow' entries as a fallback).
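As an added illustration, not the GNOME team's actual configuration: a minimal sssd.conf for an LDAP domain with credential caching switched on, which is what lets a user who has logged in once keep authenticating from the cache in /var/lib/sss/db while the LDAP server is unreachable. The ldap.example.org URI and the search base are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]

[pam]
; Days a cached password stays usable while the server is unreachable (0 = no limit);
; bounding it limits how long a stale or disabled account can still log in offline
offline_credentials_expiration = 7

[domain/example]
id_provider = ldap
auth_provider = ldap
; placeholder server and base DN, constructed for this example
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
; verify the server certificate so cached credentials are never seeded over a spoofed connection
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
; identity entries (users, groups) are served from the local cache for this many seconds
entry_cache_timeout = 5400
; store a hash of the password on each successful login so authentication
; still succeeds from /var/lib/sss/db when the LDAP server is down
cache_credentials = True
```

Identity lookups are cached by default, but passwords are only kept when cache_credentials is set; after changing the file, sss_cache -E invalidates the existing cache so entries are refetched on the next lookup.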

Things were working just fine except for a few downsides that appeared 
later on:

 1. the web interface (view) on our LDAP user database was managed by 
    Mango, an outdated tool which many wanted to rewrite in Django and 
    which slowly became a huge dinosaur nobody ever wanted to look into again
 2. the Foundation membership information was managed through a MySQL 
    database, so two databases, two sets of users unrelated to each other
 3. users were not able to modify their own account information on 
    their own; even a single e-mail change required them to mail 
    the GNOME Accounts Team, which was then going to authenticate their request 
    and finally update the account.

Today's infrastructure changes are here to finally say that the issues 
outlined at (1, 2, 3) are now fixed.


What has changed?
----------

The GNOME Infrastructure is now powered by Red Hat's FreeIPA, which 
bundles several FOSS components into one big package, all surrounded by 
an easy and intuitive web UI that will help users update their account 
information on their own without the need of the Accounts Team or any 
other administrative entity. Users will also find two custom fields on 
their "Overview" page, these being "Foundation Member since" and "Last 
Renewed on date". As you may have understood already, we finally 
managed to migrate the Foundation membership database into LDAP itself, 
to store the information we want once and for all. As a side note, it 
might be possible that some users that were Foundation members in the 
past won't find any detail stored in the Foundation fields outlined 
above. That is actually expected, as we were only able to migrate the 
current and old Foundation members that had an LDAP account registered 
at the time of the migration. If that's your case and you still would 
like the information to be stored on the new setup, please get in 
contact with the Membership Committee at <membership-committee AT 
gnome DOT org> stating so.


Where can I get my first login credentials?
----------

Let's make a little distinction between users that previously had 
access to Mango (usually maintainers) and users that didn't. If you 
were used to accessing Mango before, you should be able to log in to the 
new Account Management System by entering your GNOME username and the 
password you used for logging in to Mango. (After logging 
in for the very first time you will be prompted to update your password; 
please choose a strong password, as this account will be unique across 
the whole GNOME Infrastructure.)
 
If you never had access to Mango, you lost your password, or the first 
time you read the word Mango on this post you thought "why is he 
talking about a fruit now?", you should be able to reset it by using 
the following command:

ssh -l yourgnomeuserid account.gnome.org

The command will start an SSH connection between you and 
account.gnome.org; once authenticated (with the SSH key you previously 
had registered on our Infrastructure) you will trigger a command that 
will directly send your brand new password to the e-mail address registered 
for your account. From my tests it seems GMail sees the e-mail as a 
phishing attempt, probably because the body contains the word 
"password" twice. That said, if the e-mail doesn't appear in your INBOX, 
please double-check your Spam folder.



Now that Mango is gone how can I request a new account?
----------

With Mango we used to have a form that automatically e-mailed the 
maintainer of the selected GNOME module, who was then going to 
approve or reject the request. From there, and in the case of a positive 
vote from the maintainer, the Accounts Team was going to create the 
account itself.

With the recent introduction of a commit robot directly on 
l10n.gnome.org [2] the number of account requests has dropped. 
In addition to that, users will now be able to perform pretty much all the 
needed maintenance on their accounts themselves. That said, and while 
we will probably work on building a form in the future, we feel that 
requesting accounts can definitely be achieved directly by mailing the 
Accounts Team itself, which will mail the maintainer of the respective 
module and create the account. As just said, the number of account 
creations has become very low and the queue is currently clear. The 
documentation has been updated to reflect these changes at:

https://wiki.gnome.org/AccountsTeam
https://wiki.gnome.org/AccountsTeam/NewAccounts

I was used to having access to a specific service but I don't anymore, 
what should I do?
----------

The migration of all the user data and ACLs has been massive and I've 
been spending a lot of time reviewing the existing HBAC rules trying 
to spot possible errors or misconfigurations. If you happen to not 
be able to access a certain service as you used to in the 
past, please get in contact with the Sysadmin Team. All the possible 
ways to contact us are available at https://wiki.gnome.org/Sysadmin/Contact.


What is missing still?
----------

Now that the Foundation membership information has been moved to LDAP, 
I'll be looking at porting some of the existing membership scripts to 
it. What I managed to port already are the welcome e-mails for new or 
existing (renewing) members.

The next step will be generating a membership page from LDAP (to populate 
http://www.gnome.org/foundation/membership) and all the 
your-membership-is-going-to-lapse e-mails that were being sent until 
today.


Other news - /home/users mount on master.gnome.org
----------

You will notice that logging in to master.gnome.org will result in 
your home directory being empty. Don't worry, you did not lose any of 
your files, but master.gnome.org is now hosting your home 
directories itself. As you may have been aware, adding files to the 
public_html directory on master resulted in them appearing in your 
people.gnome.org/~userid space. That was unfortunately expected, as 
both master and webapps2 (the machine serving people.gnome.org's 
webspaces) were mounting the same GlusterFS share.

We wanted to prevent that behaviour, as we want to know who 
has access to what resource and where. From today, master's home 
directories will be there just as a temporary spot for your tarballs: 
just scp them and use ftpadmin against them, that should be all you need 
from master. If you are interested in receiving or keeping using your 
people.gnome.org webspace, please mail <accounts AT gnome DOT org> 
stating so.


Other news - a shiny and new error 500 page has been deployed
----------

Thanks to Magdalen Berns (magpie) a new error 500 web page has been 
deployed on all the Apache instances we host. The page contains an 
iframe of status.gnome.org and will appear every single time the web 
server behind the service you are trying to reach is unreachable 
for maintenance or other purposes. While I hope you won't see the page 
that often, you can still enjoy it at https://static.gnome.org/error-500/500.html.
Make sure to whitelist status.gnome.org in your browser, as the page currently loads it without 
https (the service is currently hosted on OpenShift, which provides 
us with a *.rhcloud.com wildcard certificate, which differs from the 
CN the browser would expect).

[1] https://mail.gnome.org/archives/infrastructure-announce/2014-October/msg00000.html
[2] https://mail.gnome.org/archives/gnome-i18n/2014-February/msg00000.html


-- 

Cheers,

Andrea

Debian Developer,
Fedora / EPEL packager,
GNOME Sysadmin Team Coordinator,
GNOME Foundation Membership & Elections Committee Chairman

Homepage: http://www.gnome.org/~av
