Whats in your LDAP?

Michael L Torrie torriem at chem.byu.edu
Mon Oct 22 12:02:55 MDT 2007

Grant Shipley wrote:
> We use Red Hat Directory Server here at Red Hat as the back end of our
> SSO implementation.  Anytime you log in to redhat.com or RHN, you are
> binding via LDAP.

Hmm.  This is interesting considering that although everyone does this,
but it raises the point that LDAP really is an authorization solution,
not an authentication solution.  Thus people often say "use LDAP" when
they really mean one should use kerberos, or something similar.  I'm
betting RH is using SASL and kerberos on the back end; I certainly hope
my RHN credentials are not stored in LDAP!  In the ideal world, there
should never be any password information whatsoever stored in LDAP.
LDAP binds as an authentication solution work well, but you need to make
sure that SASL or Kerberos is being used to actually validate the
binding credentials, rather than a field in LDAP itself.

I violated this rule in my own LDAP presentation, but it's something
anyone messing with LDAP should be concerned about.  I cringe every time
I see Samba hashes in my own LDAP database.  I'd love to do it
differently but Samba currently doesn't have a different mechanism until
Samba 4 is released.

> We are running a master/master setup and have no performance problems
> with the amount of logins we get  on a daily basis.

I'd love to see a presentation at PLUG or UUG on setting up Fedora
Directory Server from scratch.  I'm longing to ditch OpenLDAP forever.

> Let me know if you have any questions about our implementation for the
> supporting stack.

The binds are authenticated against a non-LDAP authentication source, right?

> --
> grant
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */

Michael Torrie
Assistant CSR, System Administrator
Chemistry and Biochemistry Department
Brigham Young University
Provo, UT 84602

More information about the PLUG mailing list