[arch-devops] LDAP role

Jelle van der Waa jelle at vdwaa.nl
Tue Mar 6 09:58:21 UTC 2018


On 03/05/18 at 05:12pm, Giancarlo Razzolini via arch-devops wrote:
> Hi Guys,
> 
> Now that the wiki was migrated, I'm starting to work on the LDAP role. But,
> since this will certainly be a complex role and it will involve a lot of other
> roles/applications, I want to discuss with you some of the approaches we can take.
> 
> First of all, we need to choose on the Directory Service application that we are
> going to use:
> 
> 1) OpenLDAP [0]: It's the established open source directory server and the basis for many
> others. We have it on [core]. It does support having more than one server, either in
> master-slave or multi-master (I'll talk more about topology below).
> 
> Pros: Being the "de facto" implementation and well known. It's relatively easy to setup and
> has multiple options for topology.
> Cons: It doesn't have any GUI tool for management and needs external projects (like phpldapadmin)
> to do so. Adding users sometimes requires messing with LDIFs and others.
> 
> 2) 389-ds (formerly fedora ds) [1]: It's the second contender here. I have personally used
> it extensively in the past, so I might be biased towards it. It does not have an official
> package, but there is one on the AUR [2].
> 
> Pros: It is very easy to setup and comes with the console tool for management, which is a Java GUI.
> Also has a great multi-master replication support.
> Cons: We don't package it currently and it's somewhat more intensive on resource usage than OpenLDAP.
> 
> 3) FreeIPA [3]: It is basically a bundle of a lot of software that is complementary to a DS but not
> always required, like DNS, NTP server, Kerberos and PKI. Its DS part is provided by 389-ds.
> 
> Pros: Easier to setup than OpenLDAP, has a nice web management tool and comes with a lot of pre-configured
> stuff.
> Cons: It is complex and has a lot of stuff that's not required for our use case. Also does not have an
> official package, and doesn't have a server package on the AUR either.
> 
> 4) Samba 4 [4]: Since Samba 4, you can create one DS quite easily, there's even a wizard for it. It uses
> OpenLDAP, bind and some other bundled stuff behind the scenes, just like FreeIPA does.
> 
> Pros: It is quite easy to setup and we have it packaged.
> Cons: It is more meant for AD integration and I think we can assume there won't be any possibility of that
> happening in the near future.
> 

Thanks for the list, I've only worked with OpenLDAP on an amateur level :-)


I'm eager to also see a list of how easy it would be to integrate any
of these options with our application stack, as in what do we want to
move to LDAP?

* archweb
* bbs
* bugtracker
* aurweb
* ssh auth?
* kanban board?

-- 
Jelle van der Waa