LDAP - how can I use it in real life? - Networking


  1. LDAP - how can I use it in real life?

    I've been reading about LDAP and Active Directory. However most of the
    articles are about how to set it up and what features it has.

    What I haven't been able to figure out is why I would want to use it.

    Here's the background. We have a network that hosts about 20 or so office
    users. Some are Linux, the rest are, well ....
    These users keep their documents, spreadsheets, files on their own
    machines. Email is kept on a central server - unless they decide to
    download mails to their own PCs.

    From what I've read about LDAP it lets you administer users and their
    access. Now I've found that /etc/passwd does that just fine - am I
    missing something here?
    It seems to have the ability to tell you where things are. Can I set it
    up to (for example) get me copies of all documents we've written that
    contain the word "Confucius"? or what changes were made to a spreadsheet
    between May 5 and August 19?

    It seems there's a lot of overhead in setting up LDAP and once up, it
    will need administering. I can't say that it sounds like a good deal.
    Should I keep things the way they are, or can I get benefits from adopting
    LDAP somehow?

    Your insights would be appreciated
    Thanks,
    Pete

    --
    "Never trust a man who, when left alone in a room with a tea cosy,
    doesn't try it on." (Billy Connolly)
    Pete Lynch, Marlow, England


  2. Re: LDAP - how can I use it in real life?

    Peter Lynch writes:

    >Here's the background. We have a network that hosts about 20 or so office
    >users. Some are Linux, the rest are, well ....
    >These users keep their documents, spreadsheets, files on their own
    >machines. Email is kept on a central server - unless they decide to
    >download mails to their own PCs.


    >From what I've read about LDAP it lets you administer users and their
    >access. Now I've found that /etc/passwd does that just fine - am I
    >missing something here?


    The problem comes about when you have a number of hosts - and as you've
    said you've got 20 hosts, you'll probably find you'll have this issue sooner
    or later - and keeping the passwd files consistent across all of them.

    For example, when a new person starts at your organisation, you'll have to
    create their account on all twenty hosts (presuming they are meant to have
    access to all of them). Sure, you can get around this by scripting up cron
    jobs to copy /etc/passwd, /etc/shadow and /etc/group to all the servers every
    hour or so, but that's a messy solution and you then have to ensure that
    users only ever change their password on the master server.

    LDAP lets you have a central database where user details are stored,
    and all the hosts will then refer to that database when looking up any
    user details. Furthermore, its replication abilities let you set up slave
    servers so you don't have a single point of failure.

    >It seems to have the ability to tell you where things are. Can I set it
    >up to (for example) get me copies of all documents we've written that
    >contain the word "Confucius"? or what changes were made to a spreadsheet
    >between May 5 and August 19?


    LDAP doesn't have anything to do with files on hosts; typically you'd use it
    just for user/authentication details, group info, possibly hostnames (DNS
    is a better place for that, though).

    But having your users store their day-to-day work (and email) on their local
    machines is asking for problems. Do you back-up every desktop PC? If not, a
    single hard-drive failure could wipe all a user's work in a matter of seconds;
    and HDDs are notoriously unreliable.

    If it were me, I'd be putting in a central fileserver, using RAID so that
    a single drive failure won't result in any data loss, sharing it out to all
    the desktop hosts with Samba, and installing some sort of backup system
    (most likely tape, so that they can be taken offsite).

    >It seems there's a lot of overhead in setting up LDAP and once up, it
    >will need administering. I can't say that it sounds like a good deal.


    The overhead is really just learning it; once you're familiar with it,
    setting it up isn't really hard, and there's not a lot of administration
    to it at all, once it's running. For a small set of users (say, up to a few
    thousand), I could imagine an LDAP server being able to run for years without
    any further administration, barring security upgrades or hardware failures.

    I've run OpenLDAP servers with over a million user records in them; that's more
    difficult, because you need to spend a lot of time tuning it.

    >Should I keep things the way they are, or can I get benefits from adopting
    >LDAP somehow?


    Well, I can't really speak for your situation, given that you have Windows
    hosts as well as Linux hosts, but if I had a network of 20 Linux-only hosts, I
    would definitely be setting up LDAP (hooked in with pam-ldap) to handle all
    authentication. Throwing Windows into the mix will probably mean fiddling
    around with AD; I don't know much about that at all, other than it being an
    LDAP server with a Microsoft flavour to it.

    Cheers,

    Paul.


    --
    Paul Dwerryhouse | PGP Key ID: 0x6B91B584

    http://linoleum.leapster.org/ - Linux Programming Resources
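The consistency problem Paul describes above is normally solved by loading the existing local accounts into the directory once and then pointing every host at it. The script below is an added example, not from this thread and not OpenLDAP's own migration tools: it turns /etc/passwd and /etc/shadow lines into LDIF posixAccount entries that ldapadd can load. The suffix ou=People,dc=example,dc=com, the sample account lines and the hashes are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): convert local /etc/passwd and
# /etc/shadow entries into LDIF posixAccount/shadowAccount objects that
# can be loaded with:  ldapadd -x -D cn=admin,dc=example,dc=com -W -f out.ldif
# Assumptions: suffix dc=example,dc=com with an ou=People container, and
# human accounts with uid numbers in the 1000..65533 range.
BASE_DN="ou=People,dc=example,dc=com"

# passwd_to_ldif PASSWD_FILE SHADOW_FILE
# The shadow file is read first so each hash can be looked up by login name.
# Hashes are stored as userPassword: {CRYPT}<hash>, which slapd compares on a
# simple bind; without an ACL on userPassword every host (and every user)
# that can search the directory can also read the hashes.
passwd_to_ldif() {
    awk -F: -v base="$BASE_DN" '
        NR == FNR { hash[$1] = $2; next }          # first file: shadow
        $3 < 1000 || $3 >= 65534 { next }           # skip root and system users
        {
            n = split($5, gecos, ",")               # GECOS: full name,room,phone,...
            cn = gecos[1]; if (cn == "") cn = $1
            n = split(cn, parts, " "); sn = parts[n]   # objectClass person needs an sn
            printf "dn: uid=%s,%s\n", $1, base
            print "objectClass: top"
            print "objectClass: person"
            print "objectClass: posixAccount"
            print "objectClass: shadowAccount"
            printf "uid: %s\ncn: %s\nsn: %s\n", $1, cn, sn
            printf "uidNumber: %s\ngidNumber: %s\n", $3, $4
            printf "homeDirectory: %s\nloginShell: %s\n", $6, $7
            h = hash[$1]
            if (h != "" && h != "*" && h !~ /^!/)   # locked accounts get no password
                printf "userPassword: {CRYPT}%s\n", h
            print ""
        }' "$2" "$1"
}

# Constructed sample data; these are not real accounts or hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
pete:x:1001:1001:Pete Lynch,Room 12:/home/pete:/bin/bash
alice:x:1002:1002:Alice Example:/home/alice:/bin/zsh
svc:x:1003:1003:Locked Service:/home/svc:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
SAMPLE_SHADOW='root:$6$rootsalt$notarealhash:19000:0:99999:7:::
pete:$6$petesalt$notarealhash:19000:0:99999:7:::
alice:$6$alicesalt$notarealhash:19000:0:99999:7:::
svc:!:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::'

# sample_ldif: run the converter over the constructed data above.
sample_ldif() {
    p=$(mktemp) && s=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_SHADOW" > "$s"
    passwd_to_ldif "$p" "$s"
    rm -f "$p" "$s"
}

# entry_count: number of entries (dn: lines) in the generated LDIF.
entry_count() { sample_ldif | grep -c '^dn: '; }

case "${1:-}" in
    run) sample_ldif ;;
esac
```

Run it as `sh passwd2ldif.sh run` to see the three entries (root and nobody are skipped, and the locked svc account gets no userPassword). Before loading real hashes, restrict the attribute in slapd.conf with `access to attrs=userPassword by self write by anonymous auth by * none` (or the equivalent olcAccess value in cn=config): hosts can then authenticate a user by binding as them without ever being able to read the hash, which is the exposure Mysid warns about further down the thread. Serve the directory to clients over TLS only.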

  3. Re: LDAP - how can I use it in real life?

    Peter Lynch wrote:
    > I've been reading about LDAP and Active Directory. However most of the
    > articles are about how to set it up and what features it has.
    >
    > What I haven't been able to figure out is why would I want to use it.
    >
    > Here's the background. We have a network that hosts about 20 or so office
    > users. Some are Linux, the rest are, well ....
    > These users keep their documents, spreadsheets, files on their own
    > machines. Email is kept on a central server - unless they decide to
    > download mails to their own PCs.
    >
    > From what I've read about LDAP it lets you administer users and their
    > access. Now I've found that /etc/passwd does that just fine - am I
    > missing something here?
    > It seems to have the ability to tell you where things are. Can I set it
    > up to (for example) get me copies of all documents we've written that
    > contain the word "Confucius"? or what changes were made to a spreadsheet
    > between May 5 and August 19?
    >
    > It seems there's a lot of overhead in setting up LDAP and once up, it
    > will need administering. I can't say that it sounds like a good deal.
    > Should I keep things the way they are, or can I get benefits from adopting
    > LDAP somehow?
    >
    > Your insights would be appreciated
    > Thanks,
    > Pete
    >


    Possible use scenarios include, but are not limited to:
    * Global Address Book
    * User Administration for network-wide Logon (almost like single sign on,
    if you don't want to use Kerberos)
    * Tree Based Database

    HTH
    /peter

  4. Re: LDAP - how can I use it in real life?

    Peter Ludikovsky wrote:

    > Possible use scenarios include, but not limited to:
    > * Global Address Book
    > * User Administration for networkwide Logon (almost like single sign on,
    > if you don't want to use Kerberos)
    > * Tree Based Database


    I've been trying to set up an openLDAP address book for some time,
    and found it very frustrating.
    I want to use it with KDE, in particular kaddressbook,
    which claims to work with LDAP,
    but I have yet to find out how.

    Any help in this gratefully received.


    --
    Timothy Murphy
    e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
    tel: +353-86-2336090, +353-1-2842366
    s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

  5. Re: LDAP - how can I use it in real life?

    On Thu, 31 Jan 2008 22:27:36 +1100, Paul Dwerryhouse wrote:
    > Peter Lynch writes:
    >
    >>Here's the background. We have a network that hosts about 20 or so office
    >>users. Some are Linux, the rest are, well ....
    >>These users keep their documents, spreadsheets, files on their own
    >>machines. Email is kept on a central server - unless they decide to
    >>download mails to their own PCs.

    >
    >>From what I've read about LDAP it lets you administer users and their
    >>access. Now I've found that /etc/passwd does that just fine - am I
    >>missing something here?

    >
    > The problem comes about when you have a number of hosts - and as you've
    > said you've got 20 hosts, you'll probably find you'll have this issue sooner
    > or later - and keeping the passwd files consistent across all of them.
    >
    > For example, when a new person starts at your organisation, you'll have to
    > create their account on all twenty hosts (presuming they are meant to have
    > access to all of them). Sure, you can get around this by scripting up cron
    > jobs to copy /etc/passwd, /etc/shadow and /etc/group to all the servers every
    > hour or so, but that's a messy solution and you then have to ensure that
    > users only ever change their password on the master server.
    >
    > LDAP lets you have a central database where user details are stored,
    > and all the hosts will then refer to that database when looking up any
    > user details. Furthermore, its replication abilities let you set up slave
    > servers so you don't have a single point of failure.
    >

    Thanks for the reply Paul.
    By the sounds of it, it's just NIS+ by a different name


    --
    "Never trust a man who, when left alone in a room with a tea cosy,
    doesn't try it on." (Billy Connolly)
    Pete Lynch, Marlow, England


  6. Re: LDAP - how can I use it in real life?

    On 2008-01-31, Peter Lynch wrote:
    >
    > Thanks for the reply Paul.
    > By the sounds of it, it's just NIS+ by a different name


    When used for un*x authentication/authorization, then yes, but LDAP can
    also be used in other environments. Some clients can use it as a phone
    book; I've also seen it used for authentication in web applications
    (e.g. using Apache::AuthLDAP). Unless you already have an existing
    NIS/NIS+ infrastructure, I think it makes a little more sense to use
    LDAP instead.

    --keith

    --
    kkeller-usenet@wombat.san-francisco.ca.us
    (try just my userid to email me)
    AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
    see X- headers for PGP signature information


  7. Re: LDAP - how can I use it in real life?

    Peter Lynch wrote:

    ....
    > Thanks for the reply Paul.
    > By the sounds of it, it's just NIS+ by a different name
    >

    With the added benefit that it also works for Windows users on the domain.
    You can authenticate Unix clients and assign server-based home directories
    using nss-ldap, and use the Samba/CIFS interface with Samba/LDAP as a
    domain server for Windows clients, at the same time. All that with a single
    database on the LDAP server. We use a distributed (branch offices) setup
    with one master LDAP server, and branch slave servers. Therefore, even if
    the WAN connection gets interrupted, users can log on using the local slave
    LDAP database - they just cannot change passwords as long as the connection
    is dead, since that requires forwarding to the master.
    Also, all Windows users see the same domain (and Samba branch office servers
    set to use the same domain SID).
    --
    vista policy violation: Microsoft optical mouse found penguin patterns
    on mousepad. Partition scan in progress to remove offending
    incompatible products. Reactivate MS software.
    Linux 2.6.23.9-2mdvtmbcustom. [LinuxCounter#295241,ICQ#4918962]

  8. Re: LDAP - how can I use it in real life?


    > Thanks for the reply Paul.
    > By the sounds of it, it's just NIS+ by a different name


    Yes and no. It's quite different from NIS+. NIS+ is proprietary and
    deprecated. LDAP is a full blown distributed database system suitable for
    data that changes infrequently.

    But yes, it can store the same kind of information as NIS+, there are also
    popular tools to use it for the same purposes as NIS+.

    LDAP traffic may be encrypted with SSL/TLS; in this case, the LDAP server
    has an SSL certificate.

    NIS+ is also an authentication system which LDAP is not.

    LDAP relies on some external authentication method,
    i.e., you may utilize LDAP to serve your user data, and Kerberos 5 to
    perform the authentication.

    Perhaps just include the ordinary crypt hash using the "userPassword"
    attribute; but this may not be a best practice (if you allow every
    machine on your network to see every user's password hash)



    Maybe you include a public key in your LDAP database, and rely
    on each local host to perform some sort of authentication based on the
    public key.


    I.e., perhaps you have an SSH server capable of the "public key
    authentication feature" and able to perform an LDAP query for the user's
    public key, instead of looking for a ~user/.ssh/authorized_keys file.


    And a SUDO daemon capable of querying LDAP to determine if user X is
    allowed to become root on _this_ system.


    For local console login, you may need something different
    (you need to be able to login to troubleshoot, perhaps if the network
    connection is dead.)

    --
    -Mysid
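The SSH server Mysid describes, one that asks LDAP for the user's public key instead of reading ~user/.ssh/authorized_keys, is what OpenSSH later added as AuthorizedKeysCommand (6.2 and newer): sshd runs the command with the login name and takes whatever it prints on stdout as authorized_keys lines. The helper below is an added example, not from the thread and not part of OpenSSH; it assumes keys live in the sshPublicKey attribute of the openssh-lpk schema, an ldaps:// server at ldap.example.com, a base of ou=People,dc=example,dc=com, and a server ACL that allows an anonymous search for that attribute. The LDIF it is tested against is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): AuthorizedKeysCommand
# helper that returns a user's public keys from LDAP. sshd_config (assumed):
#   AuthorizedKeysCommand /usr/local/sbin/ldap-ssh-keys %u
#   AuthorizedKeysCommandUser nobody
# Assumed directory layout: posixAccount entries under ou=People holding
# keys in the sshPublicKey attribute (openssh-lpk schema).
LDAP_URI="ldaps://ldap.example.com"         # assumed; not plain ldap:// for this
BASE_DN="ou=People,dc=example,dc=com"       # assumed

# valid_username NAME: accept only plain POSIX login names. The name is
# interpolated into an LDAP search filter, so "(", ")", "*", "\" and NUL
# must never get through (RFC 4515 would otherwise require escaping them).
valid_username() {
    case "$1" in
        ""|-*|*[!a-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# fetch_keys NAME: LDIF holding the user's sshPublicKey values.
# Anonymous bind is assumed; add -D/-y for a bind DN and password file.
fetch_keys() {
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" \
        "(&(objectClass=posixAccount)(uid=$1))" sshPublicKey
}

# ldif_extract_keys: read LDIF on stdin, print one key per line.
# LDIF folds long values: a line beginning with a single space continues the
# previous one, and "attr:: value" marks a base64 value (RFC 2849). A key
# copied straight out of ldapsearch output is therefore often split in the
# middle, and sshd would silently reject it.
ldif_extract_keys() {
    awk '
        function flush(   cmd) {
            if (buf ~ /^sshPublicKey:: /) {
                sub(/^sshPublicKey:: /, "", buf)
                cmd = "base64 -d; echo"          # decode, then terminate the line
                fflush(); print buf | cmd; close(cmd)
            } else if (buf ~ /^sshPublicKey: /) {
                sub(/^sshPublicKey: /, "", buf)
                print buf
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # continuation line: unfold
        { flush(); buf = $0 }
        END { flush() }
    '
}

main() {
    if ! valid_username "$1"; then
        echo "ldap-ssh-keys: refusing suspicious login name" >&2
        exit 1
    fi
    fetch_keys "$1" | ldif_extract_keys
}

# sshd invokes this with exactly one argument; running it without one
# only defines the functions.
if [ $# -eq 1 ]; then
    main "$1"
fi
```

sshd only accepts an AuthorizedKeysCommand that is owned by root and not writable by group or others, and the user named in AuthorizedKeysCommandUser needs nothing but the ability to run ldapsearch. Newer ldapsearch builds can skip the folding with `-o ldif-wrap=no`, but unfolding in the helper keeps it correct either way. The attribute itself must be writable only by the account owner or an admin (again an ACL on the server); otherwise whoever can edit sshPublicKey can log in as anyone. As Mysid says, keep a local console login path for the case where the directory is unreachable.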
