[Lilug] Multi-Site Suggestions

Chris Knadle Chris.Knadle at coredump.us
Mon Feb 9 16:04:18 PST 2009


On Monday 09 February 2009, Michael Lee wrote:
> All the VPN's stay up (ahem) 24x7.  But I figure I'm going to have
> to have a server at each locale and perform some form of
> replication of ldap stores and other information stores.
> I was playing with LDAP a while ago and I have a quick question. 
> Will users that authenticate against the LDAP tree be able to
> change their own information.

This can be done, but unfortunately I don't know _exactly_ how that 
part of it works (I make an educated guess further below).  The Linux 
boxes I use at SUNY New Paltz where I am currently attending 
authenticate over LDAP (they run CentOS 5) and users are able to 
change their own login password, so there is a way to allow doing 
this.  I have not yet personally used LDAP for authentication 
purposes (although I believe subsidiaries of the NDS tree we deployed 
did) -- at the time we mainly used the LDAP tree for email routing.  
Authentication was... well, let's just say it wasn't a universal 
solution.

> Last time I looked at it the tree was only modifiable by the
> administrator.  From what you said Chris, it leads me to think
> that Multi-Master allows for "site" administrators to manage users.

Multi-master allows for having a master box on-site that doesn't 
require a remote login.

Without multi-master, adding or editing user entries for LDAP on a 
remote box via the command line is possible but is generally not as 
straightforward or as simple as using a GUI, and some administrators 
are not terribly comfortable with doing remote GUI login.  If you 
have a number of administrators in your organization, I bet you have 
a very short list of the administrators that are comfortable with 
doing X over SSH, or the other alternatives like VNC, FreeNX, etc.  
It's possible to do X over SSH with Windows, too, using putty to do 
the X forwarding and then using an X server for Windows -- but it's 
not exactly something you'd want to have to do if you had to do 
something quick.

> So again we get to the issue of end-users being able to modify
> their own information.  Seems like it should be possible, and if
> so, where are rights established in the config?

I'm assuming the way to do this would be for each user to "own" their 
own LDAP user object such that they have the ability to modify it 
using their own username/password, but not have permission to modify 
anything in the tree above their own user entry.  Subsidiary 
administrators can be given access to organization-level containers 
so that they can modify anything within that branch, including the 
user entries.  At least that's the method I'm familiar with.

> Also, I'll only mention this because it seems like it is part of
> the subject.  I was looking at SLES which is SUSE Linux Enterprise
> Server.  The Novell rep was talking to me about the Novell
> Directory and Xen ( or is it Zen ... I know one is for system
> management and the other is for Virtual Machines ).  They also
> charge by seat, but open up all of their software to support those
> seats.  So a Multi-Server Multi-Site Directory Service does not
> break the bank.

Read the licensing agreement and costs carefully.  Last I used it, 
licensing for use with either authentication or printing services 
required a seat, and it wasn't 100% clear if a "seat" was per-person, 
per-computer, or something in-between.  I don't remember the exact 
per-seat price, and we were considering several LDAP server 
possibilities at the time, but I remember some being $15/seat and 
others being as high as $35/seat.  These days there's more 
competition so it's probably cheaper and there are free alternatives 
you can use if the commercial ones are too costly.

   -- Chris

-- 

Chris Knadle
Chris.Knadle at coredump.us
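As an added illustration of the scheme Chris guesses at above (each user "owns" only their own entry, site administrators own their branch), here is an OpenLDAP slapd.conf access list written for this thread, not taken from the original post or from any project; the suffix dc=example,dc=com, the site OUs and the admin group names are made up.

```conf
# Constructed example (slapd.conf style). Assumed layout:
#   dc=example,dc=com
#     ou=groups             -> cn=ldapadmins (global admins)
#     ou=NewYork, ou=Boston -> one OU per site, each with its own site-admin group
# Clauses are evaluated in order: the first "access to" that matches an entry wins,
# and within it the first matching "by" line decides.

# 1. Passwords: the owner may change it, anonymous may only use it to bind ("auth"),
#    global admins may reset it, nobody else can read the hash.
access to attrs=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by * none

# 2. Self-service limited to harmless attributes. A bare "by self write" on the whole
#    entry would let a user rewrite uidNumber/gidNumber/homeDirectory and take over
#    another account on every box that resolves users through this tree.
access to dn.subtree="ou=NewYork,dc=example,dc=com"
          attrs=mail,telephoneNumber,mobile,description
    by self write
    by group.exact="cn=nyadmins,ou=NewYork,dc=example,dc=com" write
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# 3. The rest of the site branch (remaining attributes, the OU itself, adding and
#    deleting entries): only the site admins and global admins may write; ordinary
#    users can read but cannot touch anything above or beside their own entry.
access to dn.subtree="ou=NewYork,dc=example,dc=com"
    by group.exact="cn=nyadmins,ou=NewYork,dc=example,dc=com" write
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by users read
    by * none

# (repeat clauses 2 and 3 for ou=Boston with cn=bosadmins)

# 4. Catch-all for everything else: global admins write, authenticated users read,
#    anonymous binds see nothing.
access to *
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```

With multi-master replication these rules have to be identical on every master; a server whose ACL set differs silently accepts writes the others would reject, so keep the access list in the same revision-controlled file (or in cn=config, where olcAccess is replicated) on all sites.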
