LDAP [was: Re: [plug] NFS]

[James Devenish]

In message <3ED7759D.1030709 at postnewspapers.com.au>
on Fri, May 30, 2003 at 11:15:41PM +0800, Craig Ringer wrote:
> On the server side, slapd is all you really need.
[...]
> Never mess with ldap over ssh, 
> its embarrasing when you shut down the ldap server then realise what 
> you've done.

A general note (probably not applicable to a home-office scenario) is
that OpenLDAP's slurpd replication works well (when it works).  It
allows you to replicate your directory over multiple machines and thus
provides some redundancy (esp. in the event that a machine goes down,
your sites lose their network interconnection, or you want to do
experimentation/upgrading on one of the replicas without affecting user
authentication). It is very fast (though that could depend on your
directory complexity and database back-end) so you usually don't have to
consider "propagation delay". Yet in my recent experience, a lot of
people seem to have an expectation that replication *should* take ages!
Note that if you are going to have an extensive directory, you may want
to avoid the ldbm backend (I don't use that backend but have heard
horror stories from people that do).

As a general authentication note, one 'save the day' feature is if your
authentication system allows multiple auth methods to be used. Thus if
your LDAP authentication breaks, you have a "fall back" authentication
method. For example, you may set your account up with LDAP auth and with
shadow passwd auth so that if LDAP goes down, you use the shadow
passwords instead. One approach is to periodically sync a machine's
shadow password file with the LDAP directory. But if you have directory
replicas, even this should not be necessary. People often aim (and I
think Craig mentioned something along these lines) to ensure that each
machine's root account is always accessible.

> It all makes sense once you get used to it, but it takes some getting
> used to.

In my opinion, a sorely lacking feature is "ordinality" for attributes
(i.e. if you have multiple attributes with the same name, which is
"primary", "secondary", etc.). There is an "options" feature for
attributes, but it cannot be used for ordinality.

PS. The OpenLDAP team pumps out new minor versions *very* quickly (so
quickly that my web cache probably has a shorter expiry time than
www.openldap.org's product release cycle :). Unfortunately, this means
that the documenters don't seem to have a chance to keep the docs
matching the software. And as for quality control...