Ask HN: How do you deal with users on your machines?
3 points by donw on Sept 10, 2014 | 4 comments
Hey, folks. Most of the software I build gets deployed to Actual Linux Boxes -- either virtual or metal -- and I have yet to find a good solution for user management on those machines.

These boxes nominally live in the cloud, and not in a datacenter that I control.

I'm looking for something that can automate the process of adding and removing shell users on a large number of boxes, including access to databases and such.

What does the HN community use to deal with this?



openldap, pam_ldap, etc?


Have set these up a number of times, but ran into some... fun problems:

1. It's a central point of control. If I use a cloud-hosted LDAP service and that gets 0wned by l33t haxx0rz, then I am in the soup.

2. LDAP can't add/remove users to PostgreSQL et al.

3. Even with NSCD, network connection hiccups can and will lock you out of your machines, usually exactly at the time when you really need to be on them.

4. LDAP flailover is a black art. I ended up having my entire authentication infrastructure wedge itself shut during a "chaos monkey" testing run, where the master went down and came back up, and then locked itself into eternal war with its replacement.
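Point 2 above (the directory cannot itself create or drop database roles) is usually handled with a small reconciliation step that runs on each box: read the membership of a directory group, compare it with what the database and /etc/passwd currently have, and emit only the additions and removals. The script below is an added illustration of that step, not code from the commenter or from any LDAP or PostgreSQL project. The LDIF sample, the group name db-users, the base DN dc=example,dc=com and the group role app_readonly are all made up for the example; in real use the LDIF would come from an ldapsearch or syncrepl client and the "current" sets from pg_roles and pwd.getpwall().

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: an LDIF export of one posixGroup. The last member value
# is deliberately hostile to show why directory attribute values must be
# validated before they reach SQL or a useradd command line.
SAMPLE_LDIF = """\
dn: cn=db-users,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: db-users
gidNumber: 5000
memberUid: alice
memberUid: bob
memberUid: carol"; DROP ROLE postgres; --
"""

# Conservative local-account name policy (a subset of what useradd accepts).
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, one 'attr: value'
    per line, a leading space continues the previous value. Base64 ('attr::')
    and URL ('attr:<') values are not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def desired_members(ldif: str, group_cn: str) -> Tuple[Set[str], List[str]]:
    """Usernames listed in the named posixGroup, split into (accepted, rejected)."""
    accepted: Set[str] = set()
    rejected: List[str] = []
    for entry in parse_ldif(ldif):
        if group_cn.lower() not in (c.lower() for c in entry.get("cn", [])):
            continue
        for uid in entry.get("memberuid", []):
            if USERNAME_RE.match(uid):
                accepted.add(uid)
            else:
                rejected.append(uid)
    return accepted, rejected


def quote_ident(name: str) -> str:
    """Double-quote a PostgreSQL identifier (defence in depth; names are validated)."""
    return '"' + name.replace('"', '""') + '"'


def _refuse_empty(desired: Set[str]) -> None:
    # An empty membership set usually means the directory query failed, not that
    # everyone left: never plan mass removals from it.
    if not desired:
        raise ValueError("empty membership set; refusing to reconcile")


def plan_roles(desired: Set[str], current: Set[str], protected: Set[str]) -> List[str]:
    """SQL bringing PostgreSQL login roles in line with the directory group.
    Roles in `protected` (postgres, application accounts) are never dropped.
    'app_readonly' is an assumed group role that carries the real privileges."""
    _refuse_empty(desired)
    stmts: List[str] = []
    for user in sorted(desired - current):
        stmts.append(f"CREATE ROLE {quote_ident(user)} LOGIN;")
        stmts.append(f"GRANT app_readonly TO {quote_ident(user)};")
    for user in sorted(current - desired - protected):
        stmts.append(f"DROP ROLE {quote_ident(user)};")
    return stmts


def plan_shell_users(desired: Set[str], current: Set[str], protected: Set[str]) -> List[List[str]]:
    """argv lists for useradd/userdel, to be run with subprocess.run (no shell string)."""
    _refuse_empty(desired)
    cmds: List[List[str]] = []
    for user in sorted(desired - current):
        cmds.append(["useradd", "--create-home", "--shell", "/bin/bash", user])
    for user in sorted(current - desired - protected):
        cmds.append(["userdel", "--remove", user])
    return cmds


if __name__ == "__main__":
    wanted, bad = desired_members(SAMPLE_LDIF, "db-users")
    print("rejected directory values:", bad)
    # Constructed current state: bob already exists, dave should be gone.
    for line in plan_roles(wanted, {"bob", "dave", "postgres"}, {"postgres"}):
        print(line)
    for argv in plan_shell_users(wanted, {"bob", "dave", "root"}, {"root"}):
        print(" ".join(argv))
```

Two design points matter more than the diff itself: the name whitelist plus identifier quoting keeps a poisoned directory attribute from becoming SQL or a shell argument, and the refusal to act on an empty membership set means a directory outage (point 3 above) degrades to "no changes" rather than "delete every account on the box".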


1. What's the alternative, replication from an offline directory server? LDAP server could be in a VPN, http://stackoverflow.com/questions/22217567/create-a-hybrid-...

2. Would need custom syncrepl client, e.g. http://www.python-ldap.org/doc/html/ldap-syncrepl.html

3. Just did some reading, apparently SSSD is the current best practice, it can work with different backends, including AD & LDAP, http://onemoretech.wordpress.com/2014/02/23/sssd-for-ldap-au... & http://onemoretech.wordpress.com/2014/02/23/sssd-for-ldap-au... & https://wiki.ubuntu.com/Enterprise/Authentication/sssd

4. Was that with OpenLDAP? Perhaps MS AD (works with sssd) gets more high-availability testing in the real world?
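For concreteness, here is the shape of an sssd.conf that addresses points 3 and 4 of the thread (offline logins during a directory outage, and client-side failover across several servers). It is an added example, not the commenter's configuration; the hostnames, base DN and the shell-users group are assumed, and the memberOf filter assumes the directory exposes a memberOf attribute (the OpenLDAP memberof overlay, or AD).

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[nss]
filter_users = root
filter_groups = root

[pam]
# Days a cached password hash stays usable while the directory is unreachable.
# 0 means "never expires", which also means a removed user can keep logging in
# offline indefinitely; keep it short.
offline_credentials_expiration = 7

[domain/example]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
# Client-side failover: sssd walks this list in order, so the box keeps
# working while one server is down or flapping.
ldap_uri = ldaps://ldap1.example.com, ldaps://ldap2.example.com
ldap_search_base = dc=example,dc=com
# Never weaken this to "allow" or "never": a spoofed directory then controls
# who can log in everywhere.
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand
# Only members of this group get a login on this class of box (assumed group).
ldap_access_filter = memberOf=cn=shell-users,ou=groups,dc=example,dc=com
# Cache identities and credentials so a network hiccup is not a lockout.
cache_credentials = True
entry_cache_timeout = 5400
enumerate = False
```

Two caveats a practitioner would want: cached credentials only help users who have already logged in on that box while the directory was reachable, so a break-glass local account (key-only, in /etc/passwd, excluded from the directory) is still needed for the chaos-monkey case described above; and the cache means removal from the directory takes effect on a box only after the cached entry expires or the user next authenticates online, so deprovisioning still needs a push (or a key rotation) for anything time-sensitive.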


Very informative set of links, I'll dig in -- thanks!



