undefined | Better HN

0 pointsSEJeff11y ago0 comments

Not entirely sure of your question. I'd think exposing your ldap service to the open internet is asking for very very bad things to happen.

I'd expect a service like this would use Amazon VPC, a secure VPN to access it, or something like that. What kind of data do you envision being stored in this directory, user credentials, or other things?

At $last_job, I was on a mission to put everything in LDAP. There is a custom OpenLDAP schema that the gnome.org sysadmin team (which I am an alumni member of) which allowed users to put in their ssh pub key via a webui. Hosts then run a cronjob every XX time period that put those ssh keys down (in a root owned directory/file so users can't change them), and was pretty slick. I also put DNS zone info and sudoers information into LDAP, as I already had a badass distributed datastore, ldap :)

That being said, can you come up with a real use case where your service makes sense? Active Directory is hard to compete against, it is super cheap and a pretty solid kerberized ldap for SMBs.

0 comments

traxtech11y ago

Classic use case: org want facilitate+centralize users management on owncloud+apache webdav+other oss app on external server (internet). I only saw AD used in intranets, if orgs would expose it on external servers (with/without VPN), then I'd better find an another idea.

SEJeffOP11y ago

Capitalism has a way of weeding out bad ideas. I say go for it and see if there is interest.

FYI for that use case, most companies (mine included) use SAML (http://en.wikipedia.org/wiki/Security_Assertion_Markup_Langu...)

In specific, we use SAML to have our internal AAA LDAP infrastructure validate logins for a few cloud services such as workday and attask.

Might be worth looking at saas (saml as a service :D) as well.

Edit: This company does SSO with SAML 100% and they support pretty much all of the big apps you'd expect. http://www.onelogin.com/partners/partner-up/

traxtech11y ago

I looked at SAML, it's a possible addition to the service. It may be touchy to integrate (opensaml-java), but definitely doable.

j / k navigate · click thread line to collapse

0 pointsSEJeff11y ago0 comments

Not entirely sure of your question. I'd think exposing your ldap service to the open internet is asking for very very bad things to happen.

That being said, can you come up with a real use case where your service makes sense? Active Directory is hard to compete against, it is super cheap and a pretty solid kerberized ldap for SMBs.

0 comments

traxtech11y ago

SEJeffOP11y ago

Capitalism has a way of weeding out bad ideas. I say go for it and see if there is interest.

FYI for that use case, most companies (mine included) use SAML (http://en.wikipedia.org/wiki/Security_Assertion_Markup_Langu...)

In specific, we use SAML to have our internal AAA LDAP infrastructure validate logins for a few cloud services such as workday and attask.

Might be worth looking at saas (saml as a service :D) as well.

Edit: This company does SSO with SAML 100% and they support pretty much all of the big apps you'd expect. http://www.onelogin.com/partners/partner-up/

traxtech11y ago

I looked at SAML, it's a possible addition to the service. It may be touchy to integrate (opensaml-java), but definitely doable.

j / k navigate · click thread line to collapse