Slashdot Mirror


Directory Service Implementation From Scratch?

An anonymous reader writes "I work at a small but growing startup company. Currently, our directory and authentication information is scattered across many systems and wikis, and is becoming increasingly difficult to manage. We are looking at centralizing this information in a directory service to minimize administrative overhead as we continue to grow. The service must support basic directory searches, as well as user authentication for Linux and Windows hosts. Although we are primarily a Linux shop, there are a handful of Windows systems that will be on a Windows Active Directory domain. Most directory servers seem to support integration with other directory servers; however, it seems like it may be easiest to just use Active Directory for everything. Are there any pitfalls with this approach? If you had the chance to redesign your enterprise directory service without regard for legacy services, how would you do it?"

4 of 149 comments

  1. Start with SQL by unified_diff · Score: 3, Interesting

    Yes, SQL. If you keep your raw data in SQL, it is easy to export data to any format you might need now or in the future. LDAP gets you a long way, but you will sooner or later end up with several apps that don't support it. The result is horrible password sync hacks, multiple passwords per user, etc.

    The idea is to put raw user info in SQL, including their clear-text password. Of course, lock down that SQL server like you've never locked down anything before! It should have a very limited interface for updating user data. Next, export user data to relevant external databases such as LDAP, NIS, SASL, that obscure sqlite app, Kerberos, DMZ services, etc, and you'll have much less pain keeping everything in sync.

    An implementation of this scheme is running at many of the biggest universities in Norway, and is called Cerebrum, http://www.cerebrum.usit.uio.no/english.html. User administration happens through a frontend interface appropriately named BOFH, where users and admins can change data in a secure manner. Users can change certain of their own attributes, while admins have more power. It's worth checking out (although their sf.net wiki seems to be down at the moment, unfortunately).
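    A minimal sketch of the export step unified_diff describes (SQL as the master record, generated LDAP and NIS-style views): this is an added example, not Cerebrum's code or anything from the post, and the table layout, the sample users and the base DN are assumptions. It exports the LDAP copy with salted {SSHA} hashes rather than the clear-text value from the master database, and includes the check an LDAP server performs against such a hash.

```python
import base64, hashlib, hmac, os, sqlite3

# Constructed sample data standing in for the locked-down master SQL server.
SCHEMA = "CREATE TABLE users (uid TEXT, uidnum INTEGER, gidnum INTEGER, cn TEXT, password TEXT)"
ROWS = [("alice", 1001, 100, "Alice Example", "correct horse"),
        ("bob", 1002, 100, "Bob Example", "battery staple")]
BASE_DN = "ou=people,dc=example,dc=com"  # assumed directory suffix

def ssha(password, salt=None):
    """OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ssha(password, stored):
    """What an LDAP server does on bind: re-hash with the stored salt and compare."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def to_ldif(row, salt=None):
    """One posixAccount entry for the LDAP export."""
    uid, uidnum, gidnum, cn, pw = row
    return "\n".join([
        f"dn: uid={uid},{BASE_DN}", "objectClass: inetOrgPerson", "objectClass: posixAccount",
        f"uid: {uid}", f"cn: {cn}", f"sn: {cn.split()[-1]}",
        f"uidNumber: {uidnum}", f"gidNumber: {gidnum}",
        f"homeDirectory: /home/{uid}", "loginShell: /bin/bash",
        f"userPassword: {ssha(pw, salt)}", ""])

def to_passwd(row):
    """NIS/passwd.byname style line; the hash lives elsewhere, hence the 'x'."""
    uid, uidnum, gidnum, cn, _ = row
    return f"{uid}:x:{uidnum}:{gidnum}:{cn}:/home/{uid}:/bin/bash"

def sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?)", ROWS)
    return conn

def export_all(conn, salt=None):
    """Render every consumer's view from the single master table."""
    rows = conn.execute("SELECT uid, uidnum, gidnum, cn, password FROM users ORDER BY uid").fetchall()
    return {"ldif": "\n".join(to_ldif(r, salt) for r in rows),
            "passwd": "\n".join(to_passwd(r) for r in rows)}

if __name__ == "__main__":
    out = export_all(sample_db())
    print(out["ldif"])
    print(out["passwd"])
```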

  2. Re:Easy by ogrius · Score: 3, Interesting

    The other thing you can consider is whether to split the directory services and the authentication.

    At my last job we did the following:

    - Use Windows AD for all windows machines
    - Use NIS for passwd, group, automounter maps... everything but authentication.
    - And then key the Linux machines to use Kerberos off the Active Directory

    Now if I was doing it again, I'd do the following:

    - Use Windows AD for all windows machines
    - Set up a UNIX/Linux-based Kerberos domain that is "trusted" by the AD Kerberos
    - Use NIS, NIS+ or LDAP from Windows AD for directory services for UNIX/Linux
    - Set up all the UNIX/Linux machines on the UNIX/Linux Kerberos domain and have them use the windows domain for user authentication.

    The advantage to this would be that once you have a valid ticket you can securely log into any of the machines. Plus then you could securely set up NFS v4.

    As for which of NIS, NIS+ or LDAP to use, I haven't looked into it recently.

    And why I would use two Kerberos domains is that the Windows AD says it should play nice with Linux machines and allow you at keys onto them. But the commands from Microsoft never worked. I used a simple utility from some consulting company that worked well, but it wasn't supported and it seemed to be hitting some hard limits. Since I'd hate to wait for Microsoft to fix their setup, I'd use two domains but set up a trust between them.

  3. Re:Easy by wasabii · Score: 3, Interesting

    Uh huh. So what's wrong with AD?

  4. Re:Novell.......no seriously by JSG · Score: 3, Interesting

    and +1 for eDir from me as well.

    I have a black belt in directory management (AD, eDir and OpenLDAP).

    eDirectory has a nasty habit of being virtually unkillable and is by far and away the most flexible. With 8.8 you can run multiple trees on a host (in MS speak, think of multiple domains on a single DC). No waste of a system to just do DC duties for one bit of your system.

    If you want the most powerful directory option then use eDir as your metadirectory and then use IDM to populate other directories and applications as needed (e.g. MySQL, Oracle, text files, Exchange, GroupWise, NIS, etc. ad nauseam).

    IDM is phenomenally powerful, the iManager plugin is a shining example of how to do a webapp, or use Designer, an Eclipse-based thingie that is great too and has a huge feature set - it even churns out your documentation.

    AD doesn't really cut it as an LDAP system - compare the rich schema of eDir to AD for example; also you can put replicas wherever you want (it is not DNS federated unless you want it to be).

    Steep learning curve but really well worth it.

    Grab an eval of Open Enterprise Server 2 (SuSE based), try it out properly, wedge in Identity Manager and you'll be spending cash on the product.