Thursday, December 20, 2012

Infrastructure Readied For LDAP

Sometimes there are circumstances where we know that certain technologies will make us more effective, but we don't have people on staff to implement.  This was the case with LDAP publishing of user accounts.  Clearly it's wonderful, but no one is on staff to properly maintain it.  It's easy to fear the situation where even if one person gets it working, if they are out of the office you have the potential for longer down times if something breaks or fails.  Do you really want System Administrators punching in phone numbers and making updates?  We reached the point where it's needed, we have too many external applications that need shared information.  How best to deploy?

After consideration and discussion we decided to create a screen in our support portal that allows all IT staff to make modifications to basic information and it creates a LDIF file which is housed on the GNOME server.  While we perfect our work flow, these files will be uploaded into the LDAP server by our admins, with the goal of automating that once it's been proven.  This approach is clean to me because we have all of the "source" files out of LDAP.  If something gets damaged, it's easily repaired and recovered.  So I wrote a little vcf2ldif utility that sucked out all of the data out of Evolution/Groupwise and created LDIF files. 


The support portal software already had a "user detail" screen, so the fields that we needed were added to another tab and are easily editable.  When the save button is pressed, it generates a LDIF file with all of the exact formatting that we want and fields locked down from free form text entry when appropriate.  Very easy to use, and integrated into the software used mostly heavily by out support staff.  I saw that LDAP supports a JPG image, so our security guy downloaded all of our photos from our badges and I added a place in the UI to add them.  We can now see the pictures of all employees, which will assist us with identity confirmation.



Pictures were also thumbnailed automatically when doing a user name or department search:



After trial and error and a few runs of the vcf2ldif utility, the files were compliant in all fields.  So I did a cat *.ldif > merged.ldif and then ldapadd'd them all into the software with success.  It's a very exciting step, all done easily with open source tools.


And the data was verified with a LDAP browser, and appears as expected:


My current area of focus is now accessing this data from our first new project: Zimbra.  Zimbra supports auto-provisioning, whereby it verifies if you have a mail: LDAP entry and if so, it verifies your password.  If this is the first time you have logged in, all of the phone numbers are downloaded and the account is automatically created.  This will save our support staff a lot of time.

LDAP will also be used for our Wifi, Alfresco and our web proxy appliance in the coming months. 

There are always many ways to accomplish goals, but I think we have found a good balance with our staff size, budget and existing skills.  I'm looking forward to seeing this all deployed.

8 comments:

Cliff said...

*obligatory complaint about UI design*
(kidding! :-)

Dave Richards said...

@cliff: The UI Design Specialist position is unfunded at this time :) Widget layout will get better with time and when I'm sure I don't need more of them.

Aaron C. de Bruyn said...

Are you just using LDAP for address books, or is it also replacing an authentication system. If so, I'm curious what you use to keep username and passwords in sync around your network. Active Directory perhaps?

Anonymous said...

You might want to look at FreeIPA to manage this.

http://freeipa.org/page/Main_Page

natxete said...

+1 for IPA. Just do not use fedora for it unless you have fun reinstalling your infrastructure every year ;-)

Here you have all the info: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html

This info is obviously valid for redhat clones.

Cliff said...

@Dave, I was attempting to lampoon the people who have so little to do that they criticize a random guy on the Internet while he gets shit done. :-)

21st Century Software Solutions said...

Introduction
http://www.21cssindia.com/courses/ldap-online-training-103.html
LDAP - Overview
A brief History of LDAP - LDAP Overview - LDAP vs. Database - LDAP Usage Summary
LDAP Data (Object) Model - Object Tree Structure - Attributes - Object Classes
Employees to learn at their own pace and maintain control of learning “where, when and how” with boundless access 24/7by 21st Century Software Solutions. contact@21cssindia.com ---- Call Us +919000444287

21cssIndia said...

Open LDAP Performance
http://www.21cssindia.com/courses/ldap-online-training-103.html
LDAP Tools - Open LDAP Tools - ldapadd - add LDIF entries to an LDAP directory - ldapauth - add LDIF entries to an LDAP directory - ldapdelete - delete LDAP entries - ldapmodify - modify existing LDAP entries - ldapmodrdn - modify an LDAP entry's DN - ldappasswd - modify an entry's password - ldapsearch - search LDAP entries - ldapwhoami - perform an LDAP Who Am I operation of a server - slapacl - verify access to attributes by inspecting the configuration of a DIT - slapadd - add LDAP entries to a database - STOP SLAPD FIRST - slapauth - verify SASL data against a DIT - slapcat - export an LDIF from an LDAP database - STOP SLAPD FIRST - slapdn - verify a DN against a DIT configuration - Slapindex - re-index an LDAP database - STOP SLAPD FIRST - Slappasswd - generate password - Slaptest - verify a slapd.conf file or a cn=config directory (slapd.d) - LDAP Browsers - LDAP Browser/Editor - some notes on usage - Apache DS Tools - Apache DS Tools - tools and Utilities - LDAP Security - Open LDAP Security Overview - Open LDAP TLS/SSL Configured - Employees to learn at their own pace and maintain control of learning “where, when and how” with boundless access 24/7by 21st Century Software Solutions. contact@21cssindia.com