[Sussex] LDAP Presentation
Jon Fautley
jfautley at redhat.com
Mon Aug 1 10:03:19 UTC 2005
Alright Guys :)
Thought I'd chime in with a few notes on this, as I've been doing a
metric assload of work with LDAP recently. (Probably more on this later)...
Firstly, Nik, well done, good presentation!
Just a couple of points that might make people's lives easier when
looking to use this:
1. While it's not mentioned, the LDAP server Nik is using is OpenLDAP.
This is available with most, if not all, of the major distributions.
Debian, for some reason, calls it slapd - pretty much everything else
will call it OpenLDAP (i.e. yum install openldap-server
openldap-clients...etc)
2. LDAP Objects: An LDAP directory (it's NOT a database ;) ) is made up
of objects. Every item there is an object.
It works like this:
Jon Fautley << Object
-> sn: Fautley << Attribute
-> uid: jon << Attribute
etc....
Objects and Attributes are what make up an LDAP directory.
3. The addressbook stuff.
I don't really see why you're using the mozillaABPersonObsolete - as the
name implies, this schema is deprecated and should not be used. The
options available in here are in the standard schemas (see:
inetOrgPerson). The problem with using the Mozilla broken-schema is that
you're limiting the compatibility of your address book to Mozilla-only
clients. By using the standard systems, you can integrate with many more
addressbooks. While it's not perfect, it pretty much JustWorks(tm) with
most clients (albeit without write-support).
4. PHPLdapAdmin is a really cool tool - but you might also want to look
at Directory Administrator (http://diradmin.open-it.org/) if you want
something that's a little easier for the novice user. It's a GTK+
application. While it's aimed at Centralised Authentication services, it
works quite well for addressbooks too.
5. Issues
Write back support? I know certain clients support this - you just need
to correctly configure the LDAP server to accept updates from clients.
This is, obviously, disabled by default.
Security? You can very easily secure LDAP servers. By doing this you're
limiting who can access the directory, and who can update. OpenLDAP has
a VERY extensible authentication scheme, so each user can manage their
own entries, but no one else's, 'Managers' can update other information,
etc...
LDAP coupled with TLS is a very secure solution, and should be
reasonably (ignoring all legal requirements) safe when exposed to the
Internet - as long as you've configured it correctly.
Final Point - if you want to know more about Centralised Authentication
with LDAP - you might want to book tickets for the next LinuxWorld
expo... no promises, but there might be a talk on it ;)
Oh yeah, there should be the obligatory plug for the Fedora Directory
Server in here - it makes all this stuff so much more simple!
Jon
--
Jon Fautley <jfautley at redhat.com> direct: +44 1483 739615
Presales Technical Consultant office: +44 1483 300169
Red Hat UK mobile: +44 7841 558683
10 Alan Turing Road, Surrey Research Park, Guildford GU2 7YF
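An added example (not from Jon's message or from Nik's presentation) of what the access model in point 5 looks like in slapd.conf-style OpenLDAP directives: each user may edit their own entry, a Managers group may edit anyone's, everyone else gets read-only access once authenticated, and plaintext connections are refused. The suffix dc=example,dc=com, the cn=Managers group and the certificate paths are assumptions.

```conf
# --- Transport: only serve over TLS (assumed certificate paths) ---
TLSCACertificateFile   /etc/openldap/certs/ca.crt
TLSCertificateFile     /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/certs/ldap.example.com.key

# Refuse any operation on a connection whose security strength factor
# is below 128, i.e. no binds or searches over plain ldap://.
security ssf=128

# --- Passwords: self may change, anonymous may only bind against it,
#     Managers may reset, nobody may read it back ---
access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=Managers,ou=Groups,dc=example,dc=com" write
    by * none

# --- Address-book entries under ou=People: the model from point 5 ---
# "self" matches the DN the client authenticated as, so each user can
# update their own object and no one else's; Managers can update all.
access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by group.exact="cn=Managers,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# --- Everything else: read-only for authenticated users, nothing for
#     anonymous (write-back from clients stays disabled unless an
#     earlier clause grants it) ---
access to *
    by users read
    by * none
```

Clauses are evaluated in order and the first matching `access to` wins, so the narrow userPassword rule must stay above the broader ones.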