I agree that everything should be locked down (and the LDAP server should only be accessible by servers that need access) once we have added these features to akkounts. However, I think the changes for akkounts should go in another issue. For now we need users to be able to change their passwords.
I agree, here's a filtered role example (for the 5apps XMPP config): kosmos/chef#123 (comment)
Thanks for clarifying it, this is all clearer to me now.
Yes, there are ACIs for everything. We can create an account for akkounts-api that can create users and nothing else.
OK, now I understand. In Gitea there is a global setting for "Allow Creation of Organizations by Default", which is off by default and off in our deployment. Admins can always create organizations, and there's also a flag on regular users for their ability to create organizations if needed.
So far I think that for the use case of enabling different services, roles, in particular filtered roles, would be a good fit.
This is a good idea, I think we should keep this around and revisit it before we go public!