Re: Any consideration while designing schema



On Wed, Mar 16, 2011 at 11:20:41AM -0700, sim123 wrote:

> For example, I have one client who is talking to LDAP server and this client
> itself is a server ("myserver") for thousands of other clients, now I would
> like to know what should be the best way to authenticate those other clients
> from LDAP client (or "myserver" )

That is not really a schema-design issue, but is
certainly one of good practise.

> 1. Open a new session with server every time a client wants to connect,
> authenticate it and close the session again or

Many systems do that, but it is not efficient if there
is much authentication traffic.

> 2. Keep a session open from myserver and search for RDN & password every
> time a client wants to connect.

Holding the session open is probably good in this
case, but searching for passwords is not. I would
suggest that the "myserver" system should do something
like this:

	Open an LDAP session and bind as a service user.  The
	service-specific user helps when reading audit logs, and also
	allows for access to things that anon users cannot see.

	For each authentication:

		Search for the username and note the DN

		Try to re-bind the same session using the DN
		and the password that the user supplied.
		If this succeeds then the user is OK.

		Retrieve any other information that is
		needed for the user's login session.

		Re-bind the session as the service user.


You will also need to take care of connection failures, and
it is wise to close the session if it is inactive for more
than about 20 minutes. (If the LDAP session has to go
through a firewall, it is likely that the firewall will
silently drop the session after 30-60 minutes, causing major
delays next time it is needed.)

Depending on what "myserver" is and what it is doing, you may
find that existing open software will do a lot of this for
you. In particular, look at nssov in the OpenLDAP contrib
section, and Arthur de Jong's nss-pam-ldapd. Some Linux
distros package these, so you may be able to base your
system on PAM and NSS configs.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
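As an added illustration (not part of Andrew's reply or of any named project), the following Python sketch implements the service-user flow described above together with the idle-session handling from the same message: bind once as a service identity, look up the DN for a username, re-bind with the user's own credentials, read the attributes the login needs, then return the session to the service identity, and drop a session that has been idle for about 20 minutes. The directory and the connection class are constructed in memory so the module runs offline; the method names `simple_bind`, `search` and `unbind` are assumptions standing in for whatever real client (python-ldap, ldap3, or similar) "myserver" would use. One caveat the original does not spell out is also handled: an LDAP simple bind with an empty password is an anonymous bind that succeeds, so an authenticator must refuse empty passwords before binding.

```python
"""Service-bound LDAP authentication flow (added example, not from the post)."""
import time

IDLE_LIMIT_SECONDS = 20 * 60   # close a session idle longer than ~20 minutes

# Constructed sample directory: DN -> (password, attributes). Not real data.
SAMPLE_DIRECTORY = {
    "cn=myserver,ou=services,dc=example,dc=com": ("svc-secret", {"uid": ["myserver"]}),
    "uid=alice,ou=people,dc=example,dc=com": (
        "alice-pw", {"uid": ["alice"], "mail": ["alice@example.com"], "gidNumber": ["1000"]}),
    "uid=bob,ou=people,dc=example,dc=com": (
        "bob-pw", {"uid": ["bob"], "mail": ["bob@example.com"], "gidNumber": ["1001"]}),
}
SERVICE_DN = "cn=myserver,ou=services,dc=example,dc=com"
PEOPLE_BASE = "ou=people,dc=example,dc=com"


class FakeLdapConnection:
    """Assumed stand-in for a real LDAP session: bind, search, unbind."""

    def __init__(self, directory):
        self.directory = directory
        self.bound_as = None      # None means the session is anonymous
        self.open = True

    def simple_bind(self, dn, password):
        # Mirrors RFC 4513: a simple bind with an empty password is an
        # anonymous bind and succeeds. Callers must never treat it as proof.
        if password == "":
            self.bound_as = None
            return True
        entry = self.directory.get(dn)
        if entry is None or entry[0] != password:
            self.bound_as = None  # a failed bind leaves the session anonymous
            return False
        self.bound_as = dn
        return True

    def search(self, base, attr, value):
        if self.bound_as is None:
            return []             # anonymous sessions cannot see people entries
        return [(dn, attrs) for dn, (_, attrs) in self.directory.items()
                if dn.endswith(base) and value in attrs.get(attr, [])]

    def unbind(self):
        self.open = False
        self.bound_as = None


class LdapAuthenticator:
    """Keeps one session bound as the service user and checks users on it."""

    def __init__(self, connect, service_dn, service_pw, people_base,
                 clock=time.monotonic):
        self.connect, self.clock = connect, clock
        self.service_dn, self.service_pw = service_dn, service_pw
        self.people_base = people_base
        self.conn, self.last_used = None, None

    def _session(self):
        now = self.clock()
        if self.conn is not None and now - self.last_used > IDLE_LIMIT_SECONDS:
            self.conn.unbind()    # close it ourselves before a firewall drops it
            self.conn = None
        if self.conn is None:
            self.conn = self.connect()
            if not self.conn.simple_bind(self.service_dn, self.service_pw):
                self.conn = None
                raise RuntimeError("service bind failed")
        self.last_used = now
        return self.conn

    def authenticate(self, username, password):
        """Return the user's login attributes on success, None on failure."""
        if not password:
            return None           # would be an anonymous bind, not an authentication
        conn = self._session()
        hits = conn.search(self.people_base, "uid", username)
        if len(hits) != 1:
            return None           # unknown or ambiguous username
        user_dn = hits[0][0]
        try:
            if not conn.simple_bind(user_dn, password):
                return None
            # Session now carries the user's identity; read what the login needs.
            attrs = conn.search(self.people_base, "uid", username)[0][1]
            return {"dn": user_dn, "mail": attrs["mail"][0],
                    "gidNumber": int(attrs["gidNumber"][0])}
        finally:
            # Always return to the service identity, even after a failed bind.
            if not conn.simple_bind(self.service_dn, self.service_pw):
                conn.unbind()
                self.conn = None


def make_authenticator(clock=time.monotonic):
    return LdapAuthenticator(lambda: FakeLdapConnection(SAMPLE_DIRECTORY),
                             SERVICE_DN, "svc-secret", PEOPLE_BASE, clock)


if __name__ == "__main__":
    auth = make_authenticator()
    print(auth.authenticate("alice", "alice-pw"))   # attributes dict
    print(auth.authenticate("alice", "wrong"))      # None
    print(auth.conn.bound_as)                       # back to the service DN
```

The `finally` clause is the part worth copying: a failed user bind leaves a real LDAP session anonymous, so without the re-bind the next caller's username search would silently return nothing (or less than it should) and every subsequent login would fail.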