Regarding ecryptfs, that's what I meant by faster on HDDs, but didn't explain in detail:
The title of this issue is still misleading. LDAP users shouldn't be able to directly change anything in the directory. They should always go through akkounts, and I think we should enforce 2FA there for everyone as well.
It's not so much about if the account is enabled, but when to send a message to donate again.
By the way, filtered roles seem like a good solution for enabling/disabling services.
We can create an account for akkounts-api that can create users and nothing else.
You keep mixing up lots of things, and it's very difficult to discuss these topics when the terms used are either inaccurate or outright the wrong ones.
By the way, shouldn't we also restrict access to the entire LDAP server by IP address? Why does a user have to be able to connect to it directly?
I don't think akkounts-api should have credentials to a master admin account. But it does need to write to the directory.
When it comes to Gitea, the LDAP support is for authentication, including adding admin privileges to users, but it looks like we'll have to deal with organizations ourselves.
They shouldn't see any data from other users really. Not just the email address.
Gitea also supports an attribute for SSH public keys, and a bunch of other things:
Looks good. But shouldn't wiki and xmpp rather be user groups?