LDAP required?

debianfoo
Posts: 6
Joined: Fri Sep 12, 2014 9:59 pm


Post by debianfoo »

Is LDAP required?
Why wouldn't I want to just cache permissions in memory from a database call?
Update: just found this from a search:
http://www.zimbra.com/forums/showthread.php?t=409
I assume the authentication layer is 'pluggable' in the next beta?
Maybe I just have a bad taste left over from past exposure to LDAP repositories; they seemed to complicate our application model when used about 2-3 years ago. Of course we were building one of those 'enterprise' Java apps, so everything was complicated... several 'enterprise architects' later (avg. half-life of about 3 months), well, you know the story.
Since I'm editing this post now that I found additional info from a search of the forums (and I'm done ranting), my primary questions are:

Why would I want to use LDAP (assuming no legacy LDAP user store to worry about)? Most seem to already have a database somewhere in their environment but few (?) have LDAP. Am I missing some justification?
Thanks.
14319KevinH
Ambassador
Posts: 4558
Joined: Fri Sep 12, 2014 9:52 pm


Post by 14319KevinH »

LDAP is designed for read-heavy structured data. This is what we put in there. Most enterprises use LDAP to manage user data, so while you may not, most do. Of course the source code is available, so if you'd like to make changes for your environment the code is there for that.
The next beta won't have the pluggable auth framework, but again it's close enough now that with a little coding you can make it so.
debianfoo
Posts: 6
Joined: Fri Sep 12, 2014 9:59 pm


Post by debianfoo »

Thanks Kevin.
Are there any benchmarks that actually quantify the performance benefit of LDAP, internal from your group or external on the web? I googled but did not find anything compelling.
I understand the need to conform to what most enterprises already have deployed; that was our reason for using LDAP also (when I worked in software dev). But now I am just part of a small academic group looking at email solutions, and LDAP seems like one more thing to worry about. We already have many databases that we admin.
In my past life (I just recalled) it was one more system for admins to learn (if it was not already installed at an enterprise), and indexing the user table in an RDBMS with an in-memory cache at the app layer seemed to allow a simpler install and was more performant (for us). We were using iPlanet at the time, and had to monkey with getting the LDAP trees into memory anyway in the end (because of performance problems).
Thanks again for clarifying this matter. I'm far from an expert in this area, and given all of the great work that your team has done, I assumed there was likely a good reason that you were using LDAP.
schemers
Outstanding Member
Posts: 225
Joined: Fri Sep 12, 2014 9:53 pm


Post by schemers »

LDAP provides a number of benefits:

Centralized configuration, good when lots of servers need access to the same data
Well integrated with MTAs (for mail routing)
Can be used for authentication
Can be used for a global address list/corporate directory, and is supported by MUAs (Thunderbird, Outlook, etc.)
You can replicate the data, for high availability

We've done our best to try and hide some of the LDAP management issues, but it is still there.
Internally the system was designed around some Java interfaces/abstract classes (com.zimbra.cs.account.*, Provisioning.java in particular), with our implementation via LDAP (com.zimbra.cs.account.ldap.*).
It is possible that you could actually back all the accounts and config via a database like MySQL by writing a MySQL version of those interfaces. This might make sense for a small/single-node install.
The remaining issue would be Postfix mail routing, but you could write some Perl/Java/Ruby that pulled the data out of the server and put it into DBM maps that Postfix looked at.
Ideally someone in the community would do this work and contribute it back :)
Roland
bmiddleton
Posts: 5
Joined: Fri Sep 12, 2014 9:58 pm


Post by bmiddleton »

I had the same feelings about using LDAP until I ran across a little-known FREE app called Penrose; it's a virtual LDAP server that maps to fields in a backend database. It's open source and based on ApacheDB, 100% Java so it works on multiple platforms, and very easy on the CPU. They also provide a GUI-based application for mapping the fields in your database to the LDAP fields. It also includes a configurable cache so it doesn't have to hit the DB as much.
Penrose - Virtual Directory Server
http://penrose.safehaus.org/

For those of you with content management systems like Mambo or DotNetNuke....

I'm using Penrose to allow users who sign up to our portal, and after we approve their access, to have an account in Zimbra. So their account is really in the portal user database. They can change their password and profile in the portal as much as they want and Zimbra stays updated. If we remove their account for whatever reason they can't access Zimbra anymore. We also provide GAL via LDAP based on the information in the database.
The only issue I'm still working on is single logon, so when they log into the portal they are automatically logged into Zimbra. Maybe one of the Zimbra guys can help me with that one....?
Hope this helps....
14319KevinH
Ambassador
Posts: 4558
Joined: Fri Sep 12, 2014 9:52 pm


Post by 14319KevinH »

[quote user="bmiddleton"]The only issue I'm still working on is single logon, so when they log into the portal they are automatically logged into Zimbra. Maybe one of the Zimbra guys can help me with that one....?[/QUOTE]

Single sign-on is easy. You just need to use our SOAP API (see ZimbraServer/docs/soap.txt in the source for full details) to get an auth token from the server using the username/password. Then set the auth token as a cookie and finally redirect them to Zimbra.
A sample SOAP request is attached.
The Java code to set the cookie and redirect would be:

import javax.servlet.http.Cookie; // res is the HttpServletResponse being built

// authToken is the token value returned by the AuthRequest
Cookie authCookie = new Cookie("ZM_AUTH_TOKEN", authToken);
authCookie.setPath("/");           // cookie valid for the whole Zimbra site
res.addCookie(authCookie);
res.sendRedirect("http://yourzimbrahost.example.com/");

authrequest.txt
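The whole handoff Kevin describes, as an added example that is not Kevin's code and not part of the Zimbra source: build the AuthRequest, post it to the SOAP endpoint, pull the token out of the reply, set the cookie and redirect. It assumes the request layout documented in soap.txt as I know it (namespace urn:zimbraAccount, an account element with by="name", a password element, and an authToken element in the AuthResponse), Zimbra's /service/soap endpoint path, the hostname yourzimbrahost.example.com from Kevin's snippet served over TLS, and a Servlet 3.0 or later javax.servlet API (for setHttpOnly). The class name ZimbraSsoHandoff and all method names are my own. The envelope is built through a DOM rather than string concatenation so a portal username containing '<' or '&' stays data, the reply parser refuses a DOCTYPE since the reply crossed the network, the redirect target is a fixed constant rather than a request parameter, and the cookie carries Secure and HttpOnly.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.StringWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Portal-side single sign-on handoff to Zimbra (added example; class and method names are mine). */
public final class ZimbraSsoHandoff {
    // SOAP 1.2 envelope namespace and Zimbra's account API namespace (check soap.txt for your build).
    static final String SOAP_NS = "http://www.w3.org/2003/05/soap-envelope";
    static final String ACCOUNT_NS = "urn:zimbraAccount";
    // Assumption: the single mailbox host this portal may hand users to. A constant, never read from
    // the request, so nobody can turn the handoff into a redirect to a host of their choosing.
    static final String ZIMBRA_BASE = "https://yourzimbrahost.example.com";

    /** Build the AuthRequest envelope via a DOM so special characters in the account name stay data. */
    static String buildAuthRequest(String account, String password) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(SOAP_NS, "soap:Envelope");
        env.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns:soap", SOAP_NS);
        Element body = doc.createElementNS(SOAP_NS, "soap:Body");
        Element req = doc.createElementNS(ACCOUNT_NS, "AuthRequest");
        req.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI, "xmlns", ACCOUNT_NS);
        Element acct = doc.createElementNS(ACCOUNT_NS, "account");
        acct.setAttribute("by", "name");
        acct.setTextContent(account);      // escaped by the serializer, not by us
        Element pw = doc.createElementNS(ACCOUNT_NS, "password");
        pw.setTextContent(password);
        req.appendChild(acct);
        req.appendChild(pw);
        body.appendChild(req);
        env.appendChild(body);
        doc.appendChild(env);
        StringWriter out = new StringWriter();
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /** POST the envelope to the SOAP endpoint over TLS and return the raw reply body. */
    static String postSoap(String envelope) throws IOException {
        HttpURLConnection c = (HttpURLConnection) new URL(ZIMBRA_BASE + "/service/soap").openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setConnectTimeout(5000);
        c.setReadTimeout(5000);
        c.setRequestProperty("Content-Type", "application/soap+xml; charset=utf-8");
        try (OutputStream os = c.getOutputStream()) {
            os.write(envelope.getBytes(StandardCharsets.UTF_8));
        }
        if (c.getResponseCode() != 200) {
            // bad password, locked account, etc.: fail closed and keep the fault body out of the user's page
            throw new IOException("AuthRequest rejected, HTTP " + c.getResponseCode());
        }
        try (InputStream in = c.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8);
        }
    }

    /** Extract the authToken from an AuthResponse; DOCTYPE and entity expansion are refused. */
    static String extractAuthToken(String responseXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(responseXml.getBytes(StandardCharsets.UTF_8)));
        NodeList tokens = doc.getElementsByTagNameNS(ACCOUNT_NS, "authToken");
        if (tokens.getLength() != 1 || tokens.item(0).getTextContent().trim().isEmpty()) {
            throw new IOException("AuthResponse carried no usable authToken");
        }
        return tokens.item(0).getTextContent().trim();
    }

    /** The complete handoff: token from Zimbra, hardened cookie, redirect to the fixed target. */
    static void handOff(HttpServletResponse res, String account, String password) throws Exception {
        String token = extractAuthToken(postSoap(buildAuthRequest(account, password)));
        Cookie authCookie = new Cookie("ZM_AUTH_TOKEN", token);
        authCookie.setPath("/");
        authCookie.setSecure(true);   // sent only over TLS, so the token is never on the wire in clear
        authCookie.setHttpOnly(true); // not readable by scripts on the portal page
        res.addCookie(authCookie);
        res.sendRedirect(ZIMBRA_BASE + "/");
    }
}
```

Call handOff from the portal's post-login servlet with the account name and password the user just authenticated with. One caveat this thread does not spell out: a cookie set by the portal's response only reaches Zimbra if both are served from the same host, or if the cookie's domain is set to a parent domain they share; otherwise the browser never sends ZM_AUTH_TOKEN to the mailbox host and the redirect lands on the login page. The token is a bearer credential for the mailbox, so treat it like a password: never log it, and keep the portal-to-Zimbra SOAP call on TLS.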
debianfoo
Posts: 6
Joined: Fri Sep 12, 2014 9:59 pm


Post by debianfoo »

Thanks for the great help, I'm amazed at how responsive the Zimbra team is.
Penrose should do the trick.
We actually also have a small wiki/knowledgebase app for sharing docs, semi-structured data, etc. It provides a pluggable auth layer (it can use an LDAP store, etc.), and we already have an RBAC model in the DB, but Penrose looks to be the simplest route to exposing this model to Zimbra: no migrations, and everything is still in the DB.