[Sussex] LDAP Presentation

nik butler nik at reducedhackers.com
Mon Aug 1 10:25:08 UTC 2005


Jon Fautley wrote:

> Alright Guys :)
>
> Thought I'd chime in with a few notes on this, as I've been doing a 
> metric assload of work with LDAP recently. (Probably more on this 
> later)...
>
> Firstly, Nik, well done, good presentation!

Thanks Jon. I can see by the fact that we did not see you that the full 
stealth mode cloak is in operation.

>
> Just a couple of points that might make people's lives easier when 
> looking to use this:
>
> 1. While it's not mentioned, the LDAP server Nik is using is OpenLDAP. 
> This is available with most, if not all, of the major distributions. 
> Debian, for some reason, calls it slapd - pretty much everything else 
> will call it OpenLDAP (i.e. yum install openldap-server 
> openldap-clients...etc)

You mean there are other distributions than Debian.... <shudder>

>
> 2. LDAP Objects: An LDAP directory (it's NOT a database ;) ) is made 
> up of objects. Every item there is an object.
>
> It works like this:
>
> Jon Fautley << Object
>     -> sn: Fautley << Attribute
>     -> uid: jon    << Attribute
> etc....
>
> Objects and Attributes are what makes up an LDAP directory.

Yes, I think I said in my talk that LDAP objects are a WHOLE 
other discussion and presentation, most notably because they are both 
VERY SIMPLE and BLOODY OBSCURE at the same time.


>
> 3. The addressbook stuff.
>
> I don't really see why you're using the mozillaABPersonObsolete - as 
> the name implies, this schema is deprecated and should not be used. 
> The options available in here are in the standard schemas (see: 
> INetOrgPerson). The problem with using the Mozilla broken-schema is 
> that you're limiting the compatibility of your address book to 
> Mozilla-only clients. By using the standard systems, you can integrate 
> with many more addressbooks. While it's not perfect, it pretty much 
> JustWorks(tm) with most clients (albeit without write-support).

Yeah, we never did crack that in the other company though... I guess 
you've had more exposure since then!

>
> 4. PHPLdapAdmin is a really cool tool - but you might also want to 
> look at Directory Administrator (http://diradmin.open-it.org/) if you 
> want something that's a little easier for the novice user. It's a GTK+ 
> application. While it's aimed at Centralised Authentication services, 
> it works quite well for addressbooks too.

I think you lost most people on the GTK part. I like browser-based 
management of server applications, but since I am using Ubuntu and KDE 
jointly more often, I will try it out.



>
> 5. Issues
>
> Write back support? I know certain clients support this - you just need 
> to correctly configure the LDAP server to accept updates from clients. 
> This is, obviously, disabled by default.

In the clients, e.g. Outlook and Mozilla, it appears broken... well, 
that's what I understood.

>
> Security? You can very easily secure LDAP servers. By doing this 
> you're limiting who can access the directory, and who can update. 
> OpenLDAP has a VERY extensible authentication scheme, so each user can 
> manage their own entries, but no one else's, 'Managers' can update 
> other information, etc...

Yes... another part of slapd which I did not touch.

>
> LDAP coupled with TLS is a very secure solution, and should be 
> reasonably (ignoring all legal requirements) safe when exposed to the 
> Internet - as long as you've configured it correctly.


> Final Point - if you want to know more about Centralised 
> Authentication with LDAP - you might want to book tickets for the next 
> LinuxWorld expo... no promises, but there might be a talk on it ;)

You giving a talk, eh? <grin>

>
> Oh yeah, there should be the obligatory plug for the Fedora Directory 
> Server in here - it makes all this stuff so much more simple!

I actually want to play with that bit of software for one of my 
customers in the Anglian Region. I now run two sites for 
ReducedHackers, covering the South and the North of England, and this 
means I want to look at that for one of my larger customers who 
have a very distributed configuration.
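As an added illustration of Jon's point 5 (not part of the original thread or of Nik's talk), here is an OpenLDAP slapd.conf fragment that does what he describes: each user may update their own entry, a manager group may update everyone's, all other authenticated users may only read, anonymous gets nothing except the bind itself, and client updates are only accepted over TLS. The suffix dc=example,dc=com, the ou=People / ou=Groups layout, the cn=Managers group and the certificate paths are assumptions for the example.

```conf
# --- Assumed directory layout: dc=example,dc=com, with entries under
#     ou=People and a manager group under ou=Groups (example values).

# Passwords: the owner may change theirs; anonymous may only use the
# attribute to authenticate (bind); nobody else may read it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Address-book entries: owner writes own entry, managers write any
# entry, other logged-in users read, anonymous sees nothing.
access to dn.subtree="ou=People,dc=example,dc=com"
    by self write
    by group.exact="cn=Managers,ou=Groups,dc=example,dc=com" write
    by users read
    by * none

# Everything else is read-only for authenticated users.
access to *
    by users read
    by * none

# Refuse any update operation unless the connection is protected
# by TLS with at least 128 bits of security strength.
security update_ssf=128

# TLS material (assumed paths).
TLSCACertificateFile   /etc/ldap/ssl/ca.pem
TLSCertificateFile     /etc/ldap/ssl/slapd-cert.pem
TLSCertificateKeyFile  /etc/ldap/ssl/slapd-key.pem
```

ACL directives are evaluated in order and the first `access to` clause whose target matches wins, so the userPassword rule must come before the broader subtree rule or it is never reached.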