[wplug-internet] Another LDAP server to tinker with
Pat Barron
pat at lectroid.com
Mon Jun 17 14:33:42 EDT 2013

On 06/17/2013 1:26 PM, Bryan J Smith wrote:
> Never tried 389?
> How about "canned" IPA (389, Kerberos, Dogtag, DNS, NTP, etc...)?
>
> I can understand if you'd want to avoid the latter, given its more
> "fixed" schema just like most AD admins treat theirs, but just curious
> why 389 wasn't mentioned?

I have looked at 389; the reason I didn't look at it further is that the
setup seems ... somewhat daunting.
The target environment for this is (eventually) WPLUG's own server, on
CentOS 5.9. The application would be to provide a common
identity/authentication framework for multiple separate services that we
may want to deliver from that server, avoiding having to have a
separately maintained username/password for each. I'd actually rather
use something like OAuth (or even Kerberos) that's designed for that -
but where services provide a hook for some type of common
authentication, it seems that most these days use LDAP (as opposed to
anything else) to do it. So really, fixed schema is fine for the most
part. There's some other information we might want to maintain in the
directory if we were to do something like this (like, if we implement an
online membership management portal, as long as the directory is already
there, why not use that to maintain data rather than a separate
database), but in most cases "uid" and "userPassword" are going to be
the only attributes we really care about...
Even on my Fedora test system, the reason I didn't spend more time
looking at 389 was basically, "Well, OK ... but how do I *start* the
darn thing?" You know, with just a tiny, basic config, to get
bootstrapped with. Both 389 and OpenLDAP seem to have this problem. At
least for proof-of-concept testing, and at least until I get my head
wrapped around the innards of LDAP more, I was really looking for (in
effect) "LDAP-in-a-box". Something I could get at least a basic
configuration on, and get it running, in just a few minutes, without
having a whole lot of knowledge about LDAP or how it works inside - that
was the primary goal. Like I said, I would never recommend OpenDS for
production use (due to the various problems that I mentioned), but it
did meet the primary goal, and got me a "toy" LDAP server that I could
poke around at and tinker with, and do some proof-of-concept testing
with. For "real" use, I'd take the data (and knowledge) gained from
messing with this, and move it to something else (most likely OpenLDAP,
given our CentOS environment).
If there were some kind of "canned" IPA installation I could get, that
might also fit the bill - but IPA seems like a lot of overkill, for what
we'd end up using it for...
--Pat.
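An added example, not part of the original message and not code from OpenDS, 389 or OpenLDAP: the "uid plus userPassword" check that each service in the post would delegate to the directory, carried out against a small constructed LDIF so it runs offline. It assumes userPassword values are stored in OpenLDAP's {SSHA} scheme (base64 of SHA-1(password + salt) followed by the salt); the entries, DNs, salt and credentials are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} userPassword value:
    base64(sha1(password + salt) + salt). A random 8-byte salt is used
    unless one is supplied (a fixed salt is only for reproducible tests)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored, password):
    """Verify a password against a {SSHA} value. Anything that is not a
    {SSHA} hash (e.g. a cleartext userPassword) is rejected outright, so a
    misconfigured entry fails closed instead of being compared in the clear."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:          # SHA-1 digest is 20 bytes; the rest is the salt
        return False
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, attributes are
    'name: value' (or 'name:: base64value'), and a line starting with a space
    continues the previous one. Returns {dn: {attr_lower: [values]}}."""
    entries = {}
    logical = []

    def flush():
        if not logical:
            return
        attrs = {}
        for line in logical:
            if line.startswith("#"):
                continue
            name, _, rest = line.partition(":")
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        entries[attrs["dn"][0]] = attrs
        logical.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()
        elif raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    flush()
    return entries


def authenticate(entries, uid, password):
    """Emulate the 'search for uid, then bind as that DN' step a service does
    against the directory. Returns the matching DN on success, else None."""
    for dn, attrs in entries.items():
        if uid.lower() not in [u.lower() for u in attrs.get("uid", [])]:
            continue
        for stored in attrs.get("userpassword", []):
            if check_ssha(stored, password):
                return dn
        return None          # uid found but no acceptable credential
    return None              # no such uid


# Constructed sample directory data (not from any real server). The second
# entry deliberately carries a cleartext userPassword to show it is refused.
SAMPLE_PASSWORD = "correct horse battery"      # constructed test credential
SAMPLE_LDIF = "\n".join([
    "dn: uid=pat,ou=People,dc=example,dc=org",
    "objectClass: inetOrgPerson",
    "uid: pat",
    "cn: Pat Example",
    "userPassword: " + make_ssha(SAMPLE_PASSWORD, salt=b"fixedsalt"),
    "",
    "dn: uid=bryan,ou=People,dc=example,dc=org",
    "objectClass: inetOrgPerson",
    "uid: bryan",
    "cn: Bryan Example",
    "userPassword: cleartext-is-not-accepted",
])
ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    print(authenticate(ENTRIES, "pat", SAMPLE_PASSWORD))                # the DN
    print(authenticate(ENTRIES, "pat", "wrong"))                        # None
    print(authenticate(ENTRIES, "bryan", "cleartext-is-not-accepted"))  # None
```

The point of the shape is that every service sees only the two attributes the post names and never the hash itself: a real deployment would replace `authenticate` with an LDAP search followed by a bind as the returned DN, leaving the hash comparison to the server, and the {SSHA} routine here only exists so the proof of concept is self-contained.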