[SATLUG] SOHO LDAP

Daniel J. Givens daniel at rugmonster.org
Sun Jan 24 15:27:14 CST 2010


On 1/24/2010 2:15 PM, Frank Huddleston wrote:
> Has anyone here implemented a multi-computer configuration using LDAP?
> If so, I'd like to hear about it.

Yep. I ran it for a while. I used it for central user management for 
Linux and Samba. I also stored AutoFS information in LDAP so all of my 
Linux hosts had a common AutoFS configuration at all times.

> I think I heard that Red Hat might also have some kind of application
> like that

That is the Red Hat Directory Server and the free version, the 389 
Directory Server.

http://www.redhat.com/directory_server/
http://directory.fedoraproject.org/

There's also OpenLDAP.

http://www.openldap.org/

When I was running my LDAP setup, I used OpenLDAP. I've never touched 
the Fedora/Red Hat directory server.

> and of course there is Active Directory, but that does
> require MS computers
> to run it

The thing to remember about Active Directory is that it's much more than 
just LDAP.

LDAP is just a directory service. It stores information like a database. 
You can configure systems to pull information from LDAP much like they 
would store the information in a local file, such as /etc/passwd or 
/etc/group, or even in MySQL or another kind of RDBMS. It just stores stuff.

Active Directory, for example, provides Kerberos authentication, group 
policies, and other stuff and happens to use LDAP as the place to store 
the information. There are other server and client side pieces and parts 
that make up what is known as a whole as "Active Directory".

> So, I often hear people suggest using LDAP when I ask these
> multi-computer configuration and management issues, but now I'm asking:
> have any of you actually implemented such a thing, and if so, please
> tell me/us about it.

So LDAP is primarily used in large configurations as a means for 
Single-Sign-On style authentication. Via PAM modules, Linux systems can 
authenticate against an LDAP server. That way, there's one place for 
your users and groups and you don't have to worry about keeping that in 
sync on multiple systems. This is particularly important when using a 
lot of shared storage via NFS and keeping file ownership and permissions 
straight.

Like I said before, there are other things you can set up to use LDAP, 
such as AutoFS. In the past, I have set up OpenFire and Zimbra to get 
user information from an LDAP server. There have been a few web-based 
applications that I've set up as well. It all depends on whether application X 
supports LDAP and what it uses it for.

To get your LDAP server up and running, there are plenty of howtos out 
there that will get you going. A word of warning: LDAP has a 
lot to it. It's easy to get overwhelmed with it, and you should get some 
understanding of it before relying on it too heavily.

On most Linux distributions these days, there is an easy way to set up 
your system to authenticate against an LDAP server. On Fedora/Red 
Hat-based systems, there is authconfig and authconfig-gtk.

So, I won't provide more technical, howto-style info. There is enough of 
that out there already.

So why did I stop using the setup? It was a pain and for the few systems 
I had, totally not worth it. I guess I did it as one of those 
do-it-to-see-what-it's-about projects.

The OpenLDAP admin guide has a great list that can help answer the "When 
should I use LDAP" question.

http://www.openldap.org/doc/admin24/intro.html#When should I use LDAP

Daniel
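As an added illustration of the passwd/group and AutoFS data the message above describes (example LDIF written for this page, not from Daniel's setup or from any project; the base DN dc=example,dc=com, the NFS server nfs.example.com and the user alice are assumed names):

```ldif
# Constructed example. Equivalent to the /etc/passwd line
#   alice:x:10001:10001:Alice Example:/home/alice:/bin/bash
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
# Placeholder: generate the hash with slappasswd, never store cleartext
userPassword: {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

# Equivalent to the /etc/group line  alice:x:10001:
dn: cn=alice,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: alice
gidNumber: 10001

# Equivalent to the /etc/group line  staff:x:5000:alice
dn: cn=staff,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 5000
memberUid: alice

# AutoFS master map, replacing the /home line of /etc/auto.master
dn: ou=auto.master,dc=example,dc=com
objectClass: automountMap
ou: auto.master

dn: cn=/home,ou=auto.master,dc=example,dc=com
objectClass: automount
cn: /home
automountInformation: ldap:ou=auto.home,dc=example,dc=com

# The /home map itself, one entry per mount (like a line in /etc/auto.home)
dn: ou=auto.home,dc=example,dc=com
objectClass: automountMap
ou: auto.home

dn: cn=alice,ou=auto.home,dc=example,dc=com
objectClass: automount
cn: alice
automountInformation: -fstype=nfs,rw,hard,intr nfs.example.com:/export/home/alice
```

Once each host's NSS/PAM and autofs are pointed at the server (the authconfig step mentioned above), `getent passwd alice` and `getent group staff` return the same uid/gid everywhere, which is what keeps ownership on the NFS-mounted home directories consistent.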

