kief.com

Sporadically delivered thoughts on Continuous Delivery

Whipping Up a Solid LDAP Infranstructure

| Comments

I’ve been much too quiet lately. I’m still hard at work putting together what I hope will be a very strong infrastructure for my company’s application hosting operations, with about 15 servers for production, content management, and staging and testing.

One of the core components of this infrastructure is an OpenLDAP server, which I’ve been working on over the past week. Up until now it’s been enough to have a couple of accounts which are created locally on all of the servers by puppet. I’ve got a chunk of disk space on a SAN which is shared across the machines, which is handy for having a common home area for key accounts I use to login and administer the machines, as well as the puppet templates and manifests.

I’ve added the LDAP server not so much for the server login accounts as for some of the services that we’re putting in place for use by the company, in particular a wiki and bug tracking. Rather than having user accounts scattered across various applications and services, LDAP means everyone can have just one username, and one password, and most things that require user accounts are able to integrate with it.

LDAP does have some limitations. There are no really polished admin tools, most of what’s out there is pretty rough and ready, with serious gaps. There’s a reasonable collection of links to ldap tools on the bind9 site.

The biggest gap for me is letting users manage their own accounts, especially resetting passwords. Most of the users in my directory won’t have login accounts on the servers, so I can’t just whip up a script that they can use like “passwd”.

I’ve settled on Gosa, which is actually a pretty nice, if some sketchily documented, tool. Once you’ve got it configured, it lets you create, edit, and delete users and groups, as well as other directory thingies I’m not using yet like machines and applications. Users can also be permitted to log in and edit fields which you enable, including the password. This is great, because it means users can change their own passwords from the Web UI.

Gosa is missing one feature I need, a “lost password” capability. You can only change your password if you know yoru current one. I intend to write a little script that takes a username, generates and sets a random password using ldappasswd, and emails it to the address in their directory entry with a little templated email message.

When a user forgets their password I’ll have to run this script by hand, but it’ll be quick and simple to run it. If I felt brave I could wrap it in a CGI script to let users run it themselves, but that would open it up to abuse. Even though it wouldn’t let a baddy steal accounts, it would let them annoy users by resetting passwords.

Alexander Prohorenko wrote a decent article for ONLamp about setting up Gosa, which I found very helpful.

Comments