Nasqueron doesn't currently have a unified LDAP server.

Goals

• Store data about users, both humans and machine accounts
• Authenticate users

Specific needs

• What information do we include in the LDAP?
  • Do we allow each application to request LDAP fields?
  • Espace Win experience showed success sharing between phpBB and our IRC eggdrop fields like interests or location
  • In another hand, most applications tend to use different format to store the same information, and maintain patch is cumbersome
• How do we interact with projects we collaborate with?

Schema design

The Active Directory and Novell eDirectory schemas give a good idea how to store successfully accounts information.

Other well known schemas are:

• RFC 2256 - X.500(96) User Schema (legacy, superseded by RFC 4519)
• RFC 2798 - inetOrgPerson LDAP Object Class
• RFC 4519 - Schema for User Applications (replacing RFC 2256)
• RFC 4524 - COSINE LDAP/X.500 Schema
• eduPerson
• SUN schema

We can design a schema from scratch or pick one of those, and extend it.

OpenLDAP supports out of the box some of those.

Pitfalls

• Applications can reject certificates using SHA-1 signatures, we should ensure X.509 certificates don't use them.