[wplug-internet] Another LDAP server to tinker with

Pat Barron pat at lectroid.com
Mon Jun 17 14:33:42 EDT 2013


On 06/17/2013 1:26 PM, Bryan J Smith wrote:
> Never tried 389?
> How about "canned" IPA (389, Kerberos, Dogtag, DNS, NTP, etc...)?
>
> I can understand if you'd want to avoid the latter, given its more 
> "fixed" schema just like most AD admins treat theirs, but just curious 
> why 389 wasn't mentioned?
I have looked at 389; the reason I didn't look at it further is that the 
setup seems ... somewhat daunting.

The target environment for this is (eventually) WPLUG's own server, on 
CentOS 5.9.  The application would be to provide a common 
identity/authentication framework for multiple separate services that we 
may want to deliver from that server, avoiding having to have a 
separately maintained username/password for each.  I'd actually rather 
use something like OAuth (or even Kerberos) that's designed for that - 
but where services provide a hook for some type of common 
authentication, it seems that most these days use LDAP (as opposed to 
anything else) to do it.  So really, fixed schema is fine for the most 
part.  There's some other information we might want to maintain in the 
directory if we were to do something like this (like, if we implement an 
online membership management portal, as long as the directory is already 
there, why not use that to maintain data rather than a separate 
database), but in most cases "uid" and "userPassword" are going to be 
the only attributes we really care about...

Even on my Fedora test system, the reason I didn't spend more time 
looking at 389 was basically, "Well, OK ... but how do I *start* the 
darn thing?"  You know, with just a tiny, basic config, to get 
bootstrapped with.  Both 389 and OpenLDAP seem to have this problem.  At 
least for proof-of-concept testing, and at least until I get my head 
wrapped around the innards of LDAP more, I was really looking for (in 
effect) "LDAP-in-a-box".  Something I could get at least a basic 
configuration on, and get it running, in just a few minutes, without 
having a whole lot of knowledge about LDAP or how it works inside - that 
was the primary goal.  Like I said, I would never recommend OpenDS for 
production use (due to the various problems that I mentioned), but it 
did meet the primary goal, and got me a "toy" LDAP server that I could 
poke around at and tinker with, and do some proof-of-concept testing 
with.  For "real" use, I'd take the data (and knowledge) gained from 
messing with this, and move it to something else (most likely OpenLDAP, 
given our CentOS environment).

If there were some kind of "canned" IPA installation I could get, that 
might also fit the bill - but IPA seems like a lot of overkill, for what 
we'd end up using it for...

--Pat.
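Added example, not part of Pat's message or anything in the thread: the two attributes he says the directory really needs, "uid" and "userPassword", shown as a minimal LDIF entry, together with the salted {SSHA} form in which userPassword is normally stored and checked. The suffix dc=example,dc=org and the ou=people container are constructed placeholders; the hashing is done client-side here only to make the stored format visible (slapd itself will hash a plaintext userPassword if configured to, and slappasswd produces the same {SSHA} format by default).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder suffix; a real deployment would use its own base DN.
BASE_DN = "dc=example,dc=org"
SCHEME = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt).

    A random 8-byte salt is drawn when none is supplied; a fixed salt is only
    useful for tests.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(stored: str, candidate: str) -> bool:
    """Verify a candidate password against a stored {SSHA} userPassword value.

    Anything that is not an {SSHA} value (e.g. a plaintext userPassword)
    is rejected rather than compared as text.
    """
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def user_entry_ldif(uid: str, password: str, salt: Optional[bytes] = None) -> str:
    """Build a minimal LDIF entry for an account that only needs uid/userPassword.

    inetOrgPerson inherits from person, which requires cn and sn, so those are
    filled with the uid to keep the entry schema-valid.
    """
    dn = f"uid={uid},ou=people,{BASE_DN}"
    lines = [
        f"dn: {dn}",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"userPassword: {make_ssha(password, salt)}",
    ]
    return "\n".join(lines) + "\n"


def verify_ldif_password(ldif: str, candidate: str) -> bool:
    """Pull userPassword out of a single LDIF entry and check a candidate against it."""
    for line in ldif.splitlines():
        if line.startswith("userPassword: "):
            return check_ssha(line[len("userPassword: "):], candidate)
    return False


if __name__ == "__main__":
    entry = user_entry_ldif("pat", "correct horse")   # constructed sample account
    print(entry)
    print("login ok:", verify_ldif_password(entry, "correct horse"))
    print("wrong pw:", verify_ldif_password(entry, "guess"))
```

The entry printed by the script can be fed to ldapadd against a test server once ou=people exists; the point of the client-side check is to show that the directory never holds the password itself, only a salted digest, and that comparison has to be done on the digest rather than on the text.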
