Posts tagged: ldap

LDAP 101: It’s A Database, Stupid

We’re doing an LDAP-for-authentication rollout at my day job – the sort of thing there are lots of docs about already. One of the things we’ve run into is the lack of a single, complete document describing the whole tool ecosystem, from what LDAP is and how it works all the way through to how to use it to authenticate users.

So I thought I’d write one.

This post will cover some introductory knowledge about LDAP. Subsequent posts will introduce some LDAP tools, go into more detail on the data stored in a directory and on the implementation of an authentication system.

“LDAP” is an extensive subject, and I’m not going to try to cover every aspect of it. (For that, see the links at the bottom of this post.) I’ll be demonstrating simple bind authentication, without SASL or Kerberos/GSSAPI, and I won’t be going into too much detail outside of users and groups. In particular, I won’t be covering too much history, and I won’t be covering Active Directory (the other widely-deployed authentication and directory service built on LDAP).

Read more »

Some Notes on Replicating OpenDirectory to OpenLDAP

I did some work on a contract recently that involved creating an OpenLDAP replica of an OpenDirectory database. Here’s what I learned:

Read more »

Shameless Self-Promotion: LDAP Outside the Enterprise

Last week I set up LDAP as a central authentication/identity store for the Toronto Hacklab. I thought I’d share my notes. It went well enough that I’m going to repeat the process with the Grimoire: right now each part of the site (WordPress, WebDAV for various repositories, JIRA, and Hudson) handles its own authentication, and it’s gotten unmanageable.

Yes, there is only one user. Yes, I still think it’s worthwhile.
