we’ll want to change how we do identity and access on l10n.mozilla.org (elmo).
Right now, elmo talks to ldap directly to do three things:
- Verify passwords against ldap.
- Get identity info for an email, i.e., first name and last name.
- Check ldap groups and give permissions based on them.
That works OK, but has the caveat that it’s hard to understand, and it needs access to an ldap server, which is frowned upon.
Would IAM be the right alternative? What would it take?
elmo is a django 1.11.x site, to give some background on the platform environment.