Hi Guys, Now that the wiki was migrated, I'm starting to work on the LDAP role. But, since this will certainly be a complex role and it will involve a lot of other roles/applications, I want to discuss with you some of the approaches we can take. First of all, we need to choose on the Directory Service application that we are going to use: 1) OpenLDAP [0]: It's the established open source directory server and the basis for many others. We have it on [core]. It does support having more than one server, either in master-slave or multi-master (I'll talk more about topology below). Pros: Being the "de facto" implementation and well know. It's relatively easy to setup and has multiple options for topology. Cons: It doesn't have any GUI tool for management and needs external projects (like phpldapadmin) to do so. Adding users sometimes requires messing with LDIF's and others. 2) 389-ds (formerly fedora ds) [1]: It's the second contender here. I have personally used it extensively in the past, so I might be biased towards it. It does not have an official package, but there is one on the AUR [2]. Pros: It is very easy to setup and comes up the console tool for management which is a java GUI. Also has a great multi-master replication support. Cons: We don't package it currently and it's somewhat more intensive on resource usage than OpenLDAP. 3) FreeIPA [3]: It is basically a bundle of a lot of software that is complimentary to a DS but not always required, like DNS, NTP server, Kerberos and PKI. It's DS part is provided by 389-ds. Pros: Easier to setup than OpenLDAP, has a nice web management tool and comes with a lot of pre-configured stuff. Cons: It is complex and has a lot of stuff that's not required for our use case. Also does not have an official package, and doesn't have a server package on the AUR either. 4) Samba 4 [4]: Since Samba 4, you can create one DS quite easily, there's even a wizard for it. It uses OpenLDAP, bind and some other bundled stuff behind the scenes, just like FreeIPA does. Pros: It is quite easy to setup and we have it packaged. Cons: It is more meant for AD integration and I think we can assume there won't be any possibility of that happening in the near future. There are some other options, but they are either outdated or do not provide everything we need. Having discussed DS software options, I want to discuss regarding the topology. The idea is to eventually bring all the applications and systems authenticating to this DS. In order for us to do that, more than one will be required to handle the load. We have the master-slave relationship or the multi-master one. There are arguments pro and con to both, but I like the description that the OpenLDAP documentation gives [5]. I would say for us to set a master and each machine having its own slave server running. TLS should be used everywhere, but I don't think we need to set TLS client authentication, at least, not for now (see below). We have to define if we are going to use the plain internet for this or some private network. I'm bringing this up right now, because we need to decide if we are going to allow anonymous connections to the DS (I'm against it) to query for users or not. Basically if we are going to allow anyone to query it or not. If not, then we need to use SASL or other mechanism for authenticating the clients, which compounds on the complexity. There's also the possibility of limiting the fields that anonymous clients can query, as well as the number of queries/responses. This would be similar to the AUR TOS case, but for everything, so it should be discussed upfront. I'm eager to hear your replies and whatever we decide here we should bring to adp for further enhancements. I don't want to turn this into a bikeshed discussion, though. So, keep your ideas within the limits of what was presented. Regards, Giancarlo Razzolini [0] https://www.openldap.org/ [1] http://directory.fedoraproject.org/ [2] https://aur.archlinux.org/packages/389-ds-base/ [3] https://www.freeipa.org/page/Main_Page [4] https://www.samba.org/ [5] http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master%20...