Hi,
I am in the process of designing a schema for my recent project with a really basic skill set and found this article really interesting:
http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/ldap-schema-d...
I am wondering what all things one should really keep in mind before putting an LDAP schema together, and in general what could cause potential overhead or be considered BAD design? Also, I would love to know if there is any other article/book addressing my concerns.
Thanks for the help and support.
One search at Amazon returned the following book which has excellent reviews:
http://www.amazon.com/Mastering-OpenLDAP-Configuring-Integrating-Directory/dp/1847191029/ref=pd_sim_b_5
I used to have something similar, but I left it (with a couple of other books) in my employer's library for colleagues to read.
I think that it will be very difficult for someone to recommend/warn you for something if you don't mention anything specific you want to do and on 'what scale'.
From: openldap-technical-bounces@OpenLDAP.org [mailto:openldap-technical-bounces@OpenLDAP.org] On behalf of sim123 Sent: Tuesday 15 March 2011 19:09 To: openldap-technical@openldap.org Subject: Any consideration while designing schema
Hi,
I am in the process of designing a schema for my recent project with a really basic skill set and found this article really interesting:
http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/ldap-schema-design-feb-2005.pdf
I am wondering what all things one should really keep in mind before putting an LDAP schema together, and in general what could cause potential overhead or be considered BAD design? Also, I would love to know if there is any other article/book addressing my concerns.
Thanks for the help and support.
Thanks for the reply, I started reading the book & the IBM redbook. I want to understand good and bad practices in general, both while designing the schema and while programming.
For example, I have one client which is talking to the LDAP server, and this client itself is a server ("myserver") for thousands of other clients. Now I would like to know what the best way is to authenticate those other clients from the LDAP client (or "myserver"):
1. Open a new session with the server every time a client wants to connect, authenticate it and close the session again, or
2. Keep a session open from myserver and search for the RDN & password every time a client wants to connect.
The 1st option looks costly to me, whereas I don't know if the 2nd option is considered good practice or not.
Please excuse me if this confusion sounds stupid to you guys, as I am really new to OpenLDAP or LDAP in general. I hope that after reading a couple of books I will be in a better position. However, I would really appreciate it if someone could get back to me on this issue or guide me to general good/bad practices.
Thanks for all the help and support.
On Wed, Mar 16, 2011 at 2:32 AM, Germ van Eck <g.vanek@stationtostation.nl> wrote:
One search at Amazon returned the following book which has excellent reviews:
http://www.amazon.com/Mastering-OpenLDAP-Configuring-Integrating-Directory/d...
I used to have something similar, but I left it (with a couple of other books) in my employer's library for colleagues to read.
I think that it will be very difficult for someone to recommend/warn you for something if you don't mention anything specific you want to do and on 'what scale'.
On Wed, Mar 16, 2011 at 11:20:41AM -0700, sim123 wrote:
For example, I have one client which is talking to the LDAP server, and this client itself is a server ("myserver") for thousands of other clients. Now I would like to know what the best way is to authenticate those other clients from the LDAP client (or "myserver"):
That is not really a schema-design issue, but is certainly one of good practice.
1. Open a new session with the server every time a client wants to connect, authenticate it and close the session again, or
Many systems do that, but it is not efficient if there is much authentication traffic.
2. Keep a session open from myserver and search for the RDN & password every time a client wants to connect.
Holding the session open is probably good in this case, but searching for passwords is not. I would suggest that the "myserver" system should do something like this:
Open an LDAP session and bind as a service user. The service-specific user helps when reading audit logs, and also allows for access to things that anonymous users cannot see.
For each authentication:
1. Search for the username and note the DN.
2. Try to re-bind the same session using the DN and the password that the user supplied. If this succeeds then the user is OK.
3. Retrieve any other information that is needed for the user's login session.
4. Re-bind the session as the service user.
You will also need to take care of connection failures, and it is wise to close the session if it is inactive for more than about 20 minutes. (If the LDAP session has to go through a firewall, it is likely that the firewall will silently drop the session after 30-60 minutes, causing major delays next time it is needed.)
Depending on what "myserver" is and what it is doing, you may find that existing open software will do a lot of this for you. In particular, look at nssov in the OpenLDAP contrib section, and Arthur de Jong's nss-pam-ldapd. Some Linux distros package these, so you may be able to base your system on PAM and NSS configs.
Andrew
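The search-then-rebind cycle Andrew describes, written out as an added Python example (not code from this thread or from OpenLDAP). It assumes a connection object exposing python-ldap's `simple_bind_s`/`search_s` method names, and stands in a constructed in-memory directory for the real server; the filter escaping, the empty-password check and the idle reopen are the checks a practitioner would add around Andrew's steps.

```python
import re, time

SCOPE_SUBTREE = 2  # same value as python-ldap's ldap.SCOPE_SUBTREE

def escape_filter(value):
    """RFC 4515 escaping so a supplied username cannot rewrite the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

class FakeLdapConn:
    """Constructed in-memory stand-in exposing python-ldap style methods (assumption)."""
    def __init__(self, directory):
        self.directory, self.bound_as = directory, None   # dn -> {uid, userPassword}
    def simple_bind_s(self, who, cred):
        entry = self.directory.get(who)
        if entry is None or entry['userPassword'] != cred:
            raise PermissionError('invalidCredentials')
        self.bound_as = who
    def search_s(self, base, scope, filterstr, attrlist=None):
        # only understands the single-term "(uid=...)" filter used below
        want = re.sub(r'\\([0-9a-f]{2})', lambda m: chr(int(m.group(1), 16)), filterstr[5:-1])
        return [(dn, e) for dn, e in self.directory.items()
                if dn.endswith(base) and e['uid'] == want]

class Authenticator:
    IDLE_LIMIT = 20 * 60  # reopen after ~20 idle minutes, before a firewall silently drops it

    def __init__(self, connect, service_dn, service_pw, base):
        self.connect, self.base = connect, base          # connect() returns a fresh connection
        self.service_dn, self.service_pw = service_dn, service_pw
        self.conn, self.last_used = None, 0.0

    def session(self, now):
        """Return a session bound as the service user, reopening it if absent or idle too long."""
        if self.conn is None or now - self.last_used > self.IDLE_LIMIT:
            self.conn = self.connect()
            self.conn.simple_bind_s(self.service_dn, self.service_pw)
        self.last_used = now
        return self.conn

    def authenticate(self, username, password, now=None):
        """Search for the user's DN, try to bind as it, then return to the service identity."""
        if not password:           # empty password = anonymous bind, which would 'succeed'
            return None
        conn = self.session(time.time() if now is None else now)
        hits = conn.search_s(self.base, SCOPE_SUBTREE, '(uid=%s)' % escape_filter(username), ['cn'])
        if len(hits) != 1:         # unknown or ambiguous username
            return None
        dn, attrs = hits[0]        # attrs already holds the extra login-session data
        try:
            conn.simple_bind_s(dn, password)
        except PermissionError:
            return None
        finally:
            conn.simple_bind_s(self.service_dn, self.service_pw)   # always go back to the service user
        return dn
```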
Thank you so much, I very much appreciate your reply. I will try your suggestion and post if things are not as expected.
When I was starting with OpenLDAP, a couple of friends told me "don't you worry ... their mailing list is very helpful", and they were absolutely right. Lots of kudos to you guys!!
Thanks.
On Thu, Mar 17, 2011 at 3:30 AM, Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |