On Wed, Feb 8, 2012 at 2:54 PM, Jonathan Lassoff <span dir="ltr"><<a href="mailto:jof@thejof.com">jof@thejof.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On Wed, Feb 8, 2012 at 2:16 PM, Shannon Lee <<a href="mailto:shannon@scatter.com">shannon@scatter.com</a>> wrote:<br>
> So what we need is a database which can<br>
><br>
> * associate a handle with a phone number (or hash), an RFID match-key (or<br>
> hash thereof), et cetera<br>
<br>
</div>I think it's the other way, the system would see a Caller ID or RFID<br>
string and do a lookup based on that to see if it's present and<br>
"valid".<br></blockquote><div><br></div><div>Well, that's just an index, right? I want to be able to have a handle/name/whatever, and put a phone number, RFID key, keypad code, et cetera next to it; then when an auth event happens, I want to be able to take the auth code (a phone number, RFID match, keypad code) and look up the associated handle...</div>
<div>&nbsp;</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">
> * associate a handle with one or more upstream handles (or the designation<br>
> "consensed member" or something).<br>
<br>
</div>Is this to build the "chains of trust" idea out? Like tracking which<br>
handle says this handle is "cool".<br></blockquote><div><br></div><div>Yes, exactly. In theory, the chains of trust all lead back to Kelly... she says who the members are, and the members are allowed to give access to others down the tree; in practice, this just means that everyone should have a list of handles who have vouched for them; the system should follow those handles up the tree until one of them reaches Kelly or we run out of handles.</div>
<div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">> Once we've got that, we can start tying access systems to that.<br>
> LDAP anyone?<br>
<br>
</div>Oh god... please no. This should be as simple as possible so that it's<br>
easy for relative strangers to the system to figure it out and run<br>
with it. LDAP would actually be perfect (structure-wise, only) for<br>
this, but OpenLDAP is a real mess. I've had to try and recover BDB<br>
from slapd crashes or power outages more times than I'd like to.<br>
< two cent rant> Seriously, fuck OpenLDAP. It just makes simple things<br>
difficult. </ two cent rant ><br></blockquote><div><br></div><div><br></div><div>Yeah, I agree, this is an LDAP problem but OpenLDAP is terrible. I thought I remembered hearing about an alternative free LDAP last year that was OK? I don't remember what it was though.</div>
<div><br></div><div>The thing about OpenLDAP is, though, that there are lots of readily-available management tools (like Gosa) that we can just plug into the problem, and not have to write any of this ourselves.</div><div>
<br></div><div>--S</div><div>&nbsp;</div></div>-- <br>Shannon Lee<br>(503) 539-3700<br><br>"Any sufficiently analyzed magic is indistinguishable from science."<br>
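The two pieces of the design discussed in this thread (a credential-to-handle index, and a "who vouched for whom" table that is walked up toward Kelly) fit in a few dozen lines. The following is an added illustration, not code from either poster or from any project they mention; the handles, credentials, root name and secret are all constructed sample values. Phone numbers and RFID strings are keyed with an HMAC under a server-side secret rather than a bare hash, because the input space for a phone number or a short RFID serial is small enough that a plain hash can be reversed by enumeration. The walk up the vouching tree keeps a visited set so that two handles vouching for each other cannot send the lookup into a loop, and it reports the full chain so an operator can see why a credential was accepted.

```python
import hmac
import hashlib
from typing import Optional

# Root of the vouching tree: the person the thread says every chain must reach.
# Constructed value for this example.
ROOT = "kelly"

# Server-side secret for keying credentials. Constructed placeholder; in a real
# deployment this is a generated random key kept out of the database.
SECRET = b"example-only-secret-key"


def credential_key(kind: str, value: str) -> str:
    """Derive the index key for a credential (phone, rfid, keypad, ...).

    Keyed with HMAC so a stolen index cannot be reversed by brute-forcing the
    small space of phone numbers or RFID serials.
    """
    msg = f"{kind}:{value}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


# Credential index: key -> handle. Constructed sample data.
CREDENTIALS = {
    credential_key("phone", "+15035550100"): "shannon",
    credential_key("rfid", "04A1B2C3"): "jof",
    credential_key("keypad", "2468"): "newcomer",
    credential_key("rfid", "DEADBEEF"): "orphan",
}

# Vouching table: handle -> handles that vouched for it. Constructed sample data.
VOUCHERS = {
    "shannon": ["kelly"],
    "jof": ["shannon"],
    "newcomer": ["jof"],
    "orphan": ["stranger"],   # chain never reaches the root
    "stranger": [],
    "loopa": ["loopb"],       # two handles vouching for each other
    "loopb": ["loopa"],
}


def lookup_handle(kind: str, value: str) -> Optional[str]:
    """Step 1: map an auth event (credential seen at the door) to a handle."""
    return CREDENTIALS.get(credential_key(kind, value))


def trust_chain(handle: str) -> Optional[list[str]]:
    """Step 2: follow vouchers up the tree until ROOT is reached.

    Returns the chain [handle, ..., ROOT], or None if the handles run out
    (or only loop back on themselves) before reaching ROOT.
    """
    stack = [(handle, [handle])]
    seen: set[str] = set()
    while stack:
        current, path = stack.pop()
        if current == ROOT:
            return path
        if current in seen:
            continue
        seen.add(current)
        for voucher in VOUCHERS.get(current, []):
            stack.append((voucher, path + [voucher]))
    return None


def authorize(kind: str, value: str) -> tuple[bool, Optional[str], list[str]]:
    """Combine both steps: (allowed, handle, chain) for an auth event."""
    handle = lookup_handle(kind, value)
    if handle is None:
        return (False, None, [])        # unknown credential
    chain = trust_chain(handle)
    if chain is None:
        return (False, handle, [])      # known handle, but no path to ROOT
    return (True, handle, chain)


if __name__ == "__main__":
    for kind, value in [("rfid", "04A1B2C3"), ("rfid", "DEADBEEF"), ("phone", "+15035559999")]:
        print(kind, value, "->", authorize(kind, value))
```

Returning the chain rather than a bare yes/no is the part worth keeping when this is built for real: it is what lets someone audit later why a given badge opened the door, and revoking a handle (removing it from the vouching table) transparently cuts off everyone whose only path ran through it.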