On 03/05/18 at 05:12pm, Giancarlo Razzolini via arch-devops wrote:
Hi Guys,
Now that the wiki was migrated, I'm starting to work on the LDAP role. But, since this will certainly be a complex role and it will involve a lot of other roles/applications, I want to discuss with you some of the approaches we can take.
First of all, we need to choose on the Directory Service application that we are going to use:
1) OpenLDAP [0]: It's the established open source directory server and the basis for many others. We have it on [core]. It does support having more than one server, either in master-slave or multi-master (I'll talk more about topology below).
Pros: Being the "de facto" implementation and well known. It's relatively easy to set up and has multiple options for topology. Cons: It doesn't have any GUI tool for management and needs external projects (like phpldapadmin) to do so. Adding users sometimes requires messing with LDIFs and others.
2) 389-ds (formerly fedora ds) [1]: It's the second contender here. I have personally used it extensively in the past, so I might be biased towards it. It does not have an official package, but there is one on the AUR [2].
Pros: It is very easy to set up and comes with the console tool for management, which is a Java GUI. It also has great multi-master replication support. Cons: We don't package it currently and it's somewhat more intensive on resource usage than OpenLDAP.
3) FreeIPA [3]: It is basically a bundle of a lot of software that is complementary to a DS but not always required, like DNS, NTP server, Kerberos and PKI. Its DS part is provided by 389-ds.
Pros: Easier to set up than OpenLDAP, has a nice web management tool and comes with a lot of pre-configured stuff. Cons: It is complex and has a lot of stuff that's not required for our use case. It also does not have an official package, and doesn't have a server package on the AUR either.
4) Samba 4 [4]: Since Samba 4, you can create one DS quite easily, there's even a wizard for it. It uses OpenLDAP, bind and some other bundled stuff behind the scenes, just like FreeIPA does.
Pros: It is quite easy to set up and we have it packaged. Cons: It is more meant for AD integration and I think we can assume there won't be any possibility of that happening in the near future.
Thanks for the list, I've only worked with OpenLDAP on an amateur level :-) I'm eager to also see a list of how easy it would be to integrate either of these options with our application stack, as in what do we want to move to LDAP?

* archweb
* bbs
* bugtracker
* aurweb
* ssh auth?
* kanban board?

-- 
Jelle van der Waa