I have mentioned a few times in the past that I am planning to move LDAP and other privileged services over to tycho (aka x1.xwin.org), to get it off the machine we have around 300 accounts on. To that end, I've been writing 'ill', a mail interface for administration. It's Python-powered, and categorised into project managers, and account managers. All project managers can submit requests for account creation, which are then approved (which is expected to be largely a rubber stamp, as it is today) by the account managers. This offers two really compelling advantages over the current situation: we don't need to grant people root for just creating accounts (there are far too many sudoers currently, for any system; not a slight on anyone at all, just a reflection on the fact that no project needs seventeen administrators).[
Combined with moving the LDAP server somewhere else, this should hopefully
allow us to scale far beyond where we are -- including into the realm of
translators, which has sort of been pending getting the box far more secure
than it is today.