[arch-devops] LDAP role

Giancarlo Razzolini grazzolini at archlinux.org
Mon Mar 5 20:12:34 UTC 2018 

Hi Guys,

Now that the wiki was migrated, I'm starting to work on the LDAP role. But,
since this will certainly be a complex role and it will involve a lot of other
roles/applications, I want to discuss with you some of the approaches we can take.

First of all, we need to choose on the Directory Service application that we are
going to use:

1) OpenLDAP [0]: It's the established open source directory server and the basis for many
others. We have it on [core]. It does support having more than one server, either in
master-slave or multi-master (I'll talk more about topology below).

Pros: Being the "de facto" implementation and well know. It's relatively easy to setup and
has multiple options for topology.
Cons: It doesn't have any GUI tool for management and needs external projects (like phpldapadmin)
to do so. Adding users sometimes requires messing with LDIF's and others.

2) 389-ds (formerly fedora ds) [1]: It's the second contender here. I have personally used
it extensively in the past, so I might be biased towards it. It does not have an official
package, but there is one on the AUR [2].

Pros: It is very easy to setup and comes up the console tool for management which is a java GUI.
Also has a great multi-master replication support.
Cons: We don't package it currently and it's somewhat more intensive on resource usage than OpenLDAP.

3) FreeIPA [3]: It is basically a bundle of a lot of software that is complimentary to a DS but not
always required, like DNS, NTP server, Kerberos and PKI. It's DS part is provided by 389-ds.

Pros: Easier to setup than OpenLDAP, has a nice web management tool and comes with a lot of pre-configured
stuff.
Cons: It is complex and has a lot of stuff that's not required for our use case. Also does not have an
official package, and doesn't have a server package on the AUR either.

4) Samba 4 [4]: Since Samba 4, you can create one DS quite easily, there's even a wizard for it. It uses
OpenLDAP, bind and some other bundled stuff behind the scenes, just like FreeIPA does.

Pros: It is quite easy to setup and we have it packaged.
Cons: It is more meant for AD integration and I think we can assume there won't be any possibility of that
happening in the near future.

There are some other options, but they are either outdated or do not provide everything we need.

Having discussed DS software options, I want to discuss regarding the topology. The idea is to eventually
bring all the applications and systems authenticating to this DS. In order for us to do that, more than
one will be required to handle the load. We have the master-slave relationship or the multi-master one.
There are arguments pro and con to both, but I like the description that the OpenLDAP documentation
gives [5].

I would say for us to set a master and each machine having its own slave server running. TLS should be
used everywhere, but I don't think we need to set TLS client authentication, at least, not for now (see
below).

We have to define if we are going to use the plain internet for this or some private network. I'm
bringing this up right now, because we need to decide if we are going to allow anonymous connections
to the DS (I'm against it) to query for users or not. Basically if we are going to allow anyone to query
it or not. If not, then we need to use SASL or other mechanism for authenticating the clients, which
compounds on the complexity. There's also the possibility of limiting the fields that anonymous clients
can query, as well as the number of queries/responses. This would be similar to the AUR TOS case, but
for everything, so it should be discussed upfront.

I'm eager to hear your replies and whatever we decide here we should bring to adp for further enhancements.
I don't want to turn this into a bikeshed discussion, though. So, keep your ideas within the limits of what
was presented.

Regards,
Giancarlo Razzolini

[0] https://www.openldap.org/
[1] http://directory.fedoraproject.org/
[2] https://aur.archlinux.org/packages/389-ds-base/
[3] https://www.freeipa.org/page/Main_Page
[4] https://www.samba.org/
[5] http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master%20replication
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 870 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-devops/attachments/20180305/0da82107/attachment.sig>

More information about the arch-devops mailing list