Send Bristol mailing list submissions to
bristol@mailman.lug.org.uk
To subscribe or unsubscribe via the World Wide Web, visit
https://mailman.lug.org.uk/mailman/listinfo/bristol
or, via email, send a message with subject or body 'help' to
bristol-request@mailman.lug.org.uk
You can reach the person managing the list at
bristol-owner@mailman.lug.org.uk
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bristol digest..."
Today's Topics:
1. Re: LDAP (Martin Moore)
2. Re: LDAP (Gavin Henry)
3. Re: LDAP (Martin Moore)
4. Re: LDAP (Gavin Henry)
5. Re: LDAP (Gavin Henry)
----------------------------------------------------------------------
Message: 1
Date: Sat, 17 Jan 2015 18:51:40 -0000
From: "Martin Moore" <martinm@it-helps.co.uk>
To: "'Bristol and Bath Linux User Group'" <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] LDAP
Message-ID:
<!&!AAAAAAAAAAAYAAAAAAAAAFLxZtQqo65Oo+1jhlUB9DvCgAAAEAAAAJVuUXlGpDRGvkx98r7ve/4BAAAAAA==@it-helps.co.uk>
Content-Type: text/plain; charset="us-ascii"
> Single SignOn across multiple apps isn't the same as the same username and
> password to be used on different apps. Does your client understand that?
The client has apparently 'suggested' LDAP (new job for me, been there 2
weeks), I'm making sure it'll do what is needed before I approve it.
The idea is that a new user creates an account once that is used on both
systems, and any pwd etc. change is propagated.
>What do these domains look like?
Client1.myco.com
Client2.myco.com
Client3.myco.com
> You can serve as many suffixes as you like, but each needs its own config
> etc. How many do you see serving? It may be better to design your DIT to
> suit this application.
Not sure - not more than 10, maybe just the one on LDAP.
------------------------------
Message: 2
Date: Sat, 17 Jan 2015 19:22:41 +0000
From: Gavin Henry <ghenry@suretecsystems.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] LDAP
Message-ID:
<CAPcb_GLJia2kB8GYgW-MTs=+As=yWsmj2HDWRYRAxgwgo29m8Q@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 17 January 2015 at 18:51, Martin Moore <martinm@it-helps.co.uk> wrote:
>>Single SignOn across multiple apps isn't the same as the same username and
>> password to be used on different apps. Does your client understand that?
>
> The client has apparently 'suggested' LDAP (new job for me, been there 2
> weeks), I'm making sure it'll do what is needed before I approve it.
>
Check if they mean Single SignOn then. That's signon once to one app
and be authenticated and/or authorised to access/use the other apps.
If just same user/pass and prompted for them by each app, then fine.
That doesn't mean LDAP can't still do the auth/authz part, just that
something like http://shibboleth.net/ could be used to share the "I've
already been authorized by another app" stuff.
>
> The idea is that a new user creates an account once that is used on both
> systems, and any pwd etc. change is propagated.
OK. Well a directory server would hold the password, so any app that
changes it only changes it there. Unless you are meaning that all the
systems have their own local password store?
>>What do these domains look like?
>
> Client1.myco.com
>
> Client2.myco.com
>
> Client3.myco.com
Ok, these could translate to:
ou=users,ou=client1,dc=myco,dc=com
ou=groups,ou=client1,dc=myco,dc=com
etc. with regex ACLs to work on the ou=client1/2 part.
>
>>You can serve as many suffixes as you like, but each needs its own config
>> etc. How many do you see serving? It may be better to design your DIT to
>> suit this application.
>
> Not sure - not more than 10, maybe just the one on LDAP.
See above. Just one suffix of dc=myco,dc=com
--
Kind Regards,
Gavin Henry.
Managing Director.
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretec.co.uk
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered
number: SC258005. Registered office: 24 Cormack Park, Rothienorman,
Inverurie,
Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See
http://www.surevoip.co.uk
Did you see our API? http://www.surevoip.co.uk/api
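The per-client layout Gavin sketches above (one ou per client under a single dc=myco,dc=com suffix, with a regex ACL keyed on the ou=client1/2 component) is easy to get subtly wrong in two places: building DNs from user-supplied names without RFC 4514 escaping, and writing the tenant-matching pattern so that an escaped comma inside a uid breaks the match. The following Python is an added example, not code from this thread or from OpenLDAP; the suffix, the DN builders and the `olcAccess` wording quoted in the docstring are assumptions that model the design being discussed, and the ACL decision is simulated locally rather than evaluated by a real slapd.

```python
import re
from typing import Optional

# Assumed suffix and DIT layout, following the thread's sketch:
#   uid=<user>,ou=users,ou=<client>,dc=myco,dc=com
#   cn=<group>,ou=groups,ou=<client>,dc=myco,dc=com
SUFFIX = "dc=myco,dc=com"

# Characters RFC 4514 requires escaping inside an RDN value.
_RDN_SPECIAL = re.compile(r'([,+"\\<>;])')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in an RDN so that a username such as
    'bob,ou=client2' cannot inject extra RDN components into the DN."""
    if not value:
        raise ValueError("empty RDN value")
    out = _RDN_SPECIAL.sub(r"\\\1", value)
    if out[0] in " #":          # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):       # as must a trailing space
        out = out[:-1] + "\\ "
    return out


def user_dn(client: str, uid: str) -> str:
    """DN of a user entry in the assumed layout."""
    return f"uid={escape_rdn_value(uid)},ou=users,ou={escape_rdn_value(client)},{SUFFIX}"


def group_dn(client: str, cn: str) -> str:
    """DN of a group entry in the assumed layout."""
    return f"cn={escape_rdn_value(cn)},ou=groups,ou={escape_rdn_value(client)},{SUFFIX}"


# One RDN value, allowing backslash-escaped characters, so an escaped
# comma inside a uid does not terminate the match early.
_VALUE = r"(?:[^,\\]|\\.)+"

# Tenant of any entry: the ou component directly under the suffix.
_TENANT_RE = re.compile(rf"^(?:.*,)?ou=({_VALUE}),{re.escape(SUFFIX)}$")

# A tenant user: uid=...,ou=users,ou=<tenant>,<suffix>
_TENANT_USER_RE = re.compile(
    rf"^uid={_VALUE},ou=users,ou=({_VALUE}),{re.escape(SUFFIX)}$")


def tenant_of(dn: str) -> Optional[str]:
    """Return the client ou an entry belongs to, or None if the entry lies
    outside every tenant subtree (for example the suffix entry itself)."""
    m = _TENANT_RE.match(dn)
    return m.group(1) if m else None


def may_read(bind_dn: str, target_dn: str) -> bool:
    """Local simulation of an OpenLDAP ACL of roughly this shape (assumed
    wording, not taken from the thread):

        olcAccess: to dn.regex="^(.*,)?ou=([^,]+),dc=myco,dc=com$"
          by dn.regex="^uid=[^,]+,ou=users,ou=$2,dc=myco,dc=com$" read
          by * none

    A bound tenant user may read entries in its own client's subtree and
    nothing else. (A real slapd lets the rootdn bypass ACLs; that is not
    modelled here.)"""
    target_tenant = tenant_of(target_dn)
    if target_tenant is None:
        return False
    m = _TENANT_USER_RE.match(bind_dn)
    return bool(m) and m.group(1) == target_tenant


if __name__ == "__main__":
    # Constructed sample identities, not real accounts.
    alice = user_dn("client1", "alice")
    hostile = user_dn("client1", "bob,ou=client2")
    staff1 = group_dn("client1", "staff")
    staff2 = group_dn("client2", "staff")
    print(hostile, "->", tenant_of(hostile))
    print("alice reads client1 staff:", may_read(alice, staff1))
    print("alice reads client2 staff:", may_read(alice, staff2))
```

The escaping matters even though the ACL pattern is anchored on the suffix: an unescaped comma in a uid would be parsed by the directory server as a separate RDN, so the entry would not be where the application thinks it is, and any filter or ACL written against the first ou component would see client2 instead of client1.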
------------------------------
Message: 3
Date: Sat, 17 Jan 2015 20:42:16 -0000
From: "Martin Moore" <martinm@it-helps.co.uk>
To: "'Bristol and Bath Linux User Group'" <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] LDAP
Message-ID:
<!&!AAAAAAAAAAAYAAAAAAAAAFLxZtQqo65Oo+1jhlUB9DvCgAAAEAAAAO6prMr3FoxOhkAyt8WaU/YBAAAAAA==@it-helps.co.uk>
Content-Type: text/plain; charset="us-ascii"
Thanks - SingleSignon looks most likely from the very brief comment I've
had, but it's useful to know the difference as it could be either method!
> OK. Well a directory server would hold the password, so any app that
> changes it only changes it there. Unless you are meaning that all the
> systems have their own local password store?
Whatever works - I've never used LDAP so not quite sure how it works yet. I
was under the impression that it replicated user/access data - are you
saying it is retrieved from a master server (the directory server?) on
demand?
------------------------------
Message: 4
Date: Sat, 17 Jan 2015 21:10:08 +0000
From: Gavin Henry <ghenry@suretecsystems.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] LDAP
Message-ID:
<CAPcb_GLfoJoe84p+89GrHtOHE6MvH4c_PyyY6A92n7ADqP9DNQ@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
On 17 January 2015 at 20:42, Martin Moore <martinm@it-helps.co.uk> wrote:
> Thanks - SingleSignon looks most likely from the very brief comment I've
> had, but it's useful to know the difference as it could be either method!
>
>>OK. Well a directory server would hold the password, so any app that
> changes it only changes it there. Unless you are meaning that all the
> systems have their own local password store?
>
> Whatever works - I've never used LDAP so not quite sure how it works yet. I
> was under the impression that it replicated user/access data - are you
> saying it is retrieved from a master server (the directory server?) on
> demand?
------------------------------
Message: 5
Date: Sat, 17 Jan 2015 21:54:01 +0000
From: Gavin Henry <ghenry@suretecsystems.com>
To: Bristol and Bath Linux User Group <bristol@mailman.lug.org.uk>
Subject: Re: [bristol] LDAP
Message-ID:
<CAPcb_GK2Y+EymBULzBhvPv_HEfYRLaAVRAFd8jH+NC__6bsiHA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
>>>OK. Well a directory server would hold the password, so any app that
>> changes it only changes it there. Unless you are meaning that all the
>> systems have their own local password store?
>>
>> Whatever works - I've never used LDAP so not quite sure how it works yet. I
>> was under the impression that it replicated user/access data - are you
>> saying it is retrieved from a master server (the directory server?) on
>> demand?
To be correct, LDAP is the protocol. You'd actually be using a
Directory Server. This server is accessed using the LDAP protocol in
the same way a Web Server could be accessed over HTTP. Calling it LDAP on
the openldap mailing list will get you shouted at :-)
The Directory server holds entries that contain passwords. There isn't
such a thing as a user, merely an entity that you can bind to the
directory with. That entity will have a userPassword attribute in it.
--
Kind Regards,
Gavin Henry.
------------------------------
_______________________________________________
Bristol mailing list
Bristol@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/bristol
End of Bristol Digest, Vol 585, Issue 10
****************************************