Nasqueron doesn't currently have a unified LDAP server.
Goals
- Store data about users, both humans and machine accounts
- Authenticate users
Specific needs
- What information do we include in the LDAP?
- Do we allow each application to request LDAP fields?
- The Espace Win experience showed that fields like interests or location could be shared successfully between phpBB and our IRC eggdrop
- On the other hand, most applications tend to use a different format to store the same information, and maintaining patches for them is cumbersome
- How do we interact with projects we collaborate with?
Schema design
The Active Directory and Novell eDirectory schemas give a good idea of how to store account information successfully.
Other well-known schemas are:
- RFC 2256 - X.500(96) User Schema (legacy, superseded by RFC 4519)
- RFC 2798 - inetOrgPerson LDAP Object Class
- RFC 4519 - Schema for User Applications (replacing RFC 2256)
- RFC 4524 - COSINE LDAP/X.500 Schema
- eduPerson
- SUN schema
We can design a schema from scratch or pick one of those, and extend it.
OpenLDAP ships some of those out of the box (core, cosine and inetorgperson schemas, among others).
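As an added illustration, not part of the original page, this is what "pick inetOrgPerson and extend it" could look like as an OpenLDAP cn=config schema LDIF plus a sample entry. The OID arc, the nasqueronInterest/nasqueronPerson names and the dc=nasqueron,dc=org base DN are placeholders and assumptions, not an existing Nasqueron schema.

```ldif
# Custom schema loaded into OpenLDAP cn=config. It must be added after the
# core, cosine and inetorgperson schemas, because it reuses their attributes.
# OID arc below is a PLACEHOLDER: replace with an arc under your own
# IANA Private Enterprise Number before loading.
dn: cn=nasqueron,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: nasqueron
olcAttributeTypes: ( 1.3.6.1.4.1.PLACEHOLDER.1.1 NAME 'nasqueronInterest'
  DESC 'Interest shared between applications (forum, IRC bot, ...)'
  EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.PLACEHOLDER.2.1 NAME 'nasqueronPerson'
  DESC 'Auxiliary class attached to inetOrgPerson entries'
  SUP top AUXILIARY
  MAY ( nasqueronInterest $ l ) )

# Sample user entry (constructed). inetOrgPerson requires cn and sn;
# the auxiliary class adds the shared fields. 'l' (localityName) already
# exists in the core schema, so location needs no new attribute.
# userPassword must hold a hash produced by slappasswd, never cleartext,
# and the ACL should let only the user and the admin read or replace it.
dn: uid=alice,ou=People,dc=nasqueron,dc=org
objectClass: inetOrgPerson
objectClass: nasqueronPerson
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.org
l: Paris
nasqueronInterest: cryptography
nasqueronInterest: IRC
```

Loading the schema with ldapadd against cn=config and then ldapsearch for nasqueronPerson entries is a quick check that both the class and the inherited inetOrgPerson attributes resolve.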
Pitfalls
- Applications can reject certificates signed with SHA-1, so we should ensure the X.509 certificates used for LDAPS/StartTLS don't use it.