[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How do you have LDAP Setup for Apps

On Thursday, 29 September 2011 02:26:07 criderkevin@aol.com wrote:
>  I'm learning and testing different ways of configure my LDAP to handle
> multiple apps. I gave up on groupofnames because I couldn't get searches
> to pull out the Users in a Group.

Then it seems your applications are brain-dead.

Almost all applications supporting LDAP authentication support LDAP 
authorization, with multiple models for retrieving group information and 
memberships. Most of them support all of the following:
1)groupOfNames-type groups
2)posixGroup-type groups
3)members indicated by memberOf attributes

In case the application only supports the last one (typical of applications 
written for a specific LDAP server implementation, not for any standards-
compliant LDAP server implementation), OpenLDAP has the slapo-memberof module, 
whcih can make (1) look like (3).

> I have probably 6 or so apps that will
> use the LDAP. I am leaning towards a simple structure, where each app has
> it's own branch in the LDAP.


> My reasoning is: it's easy to configure,

But impossible to maintain / scale.

> may
> make ACL's easier to setup and manage, it will make searches easier to
> setup and test, and...why not...after all this isn't a database and
> duplicated "people" records don't matter.

They do, and there are no solutions to all the problems that this introduces 
that are supported any better by applications that can't figure out group 

> We may end up with 2 synching
> LDAPS, one for our network and email, and the other for our other apps,
> simply because the email system requires a very specific structure.


> Just curious to hear from the more experienced what they do in their
> structure to handle multiple apps, and how sound my thinking is.

At work, we have LDAP-based authorization for at least the following 
applications/tools, all using single accounts and single groups:

Apache (web apps, subversion etc.)
PAM / OpenSSH (with LPK patch)

(I am sure there are a few more, but I'm too lazy to look in the wiki)