[H-SASIG] Online Payments / Membership DB people -- what role for LDAP? (was Re: [SysAdmin] #3: Trac authentication needs to be simple, easy, and automated)
Russell Stuart
russell-humbug at stuart.id.au
Wed May 19 00:06:52 EDT 2010
On Tue, 2010-05-18 at 21:32 +1000, Brad Marshall wrote:
> What are you trying to gain though? I'm not saying we shouldn't do
> it, but if all we're doing is replacing a htpassword file with user
> accounts in LDAP, I'm wondering if the complexity is worth it. It's
> when you have multiple things pointing to the LDAP tree you get the
> value.
LDAP's killer features are that it does replication well (out of the box), it
comes with many predefined schemas useful for the sorts of things you
might want to use LDAP for, and existing apps talk to it using those
schemas.
For trac we hit 2 out of 3 of those sweet spot conditions (predefined
schemas and an existing app talks to it). For the rest of the payment
member db stuff, we hit 0 out of 3.
Thus not surprisingly using LDAP as a backend database would suck.
I mean really suck. There is no ORM for it that would map it to
existing web frameworks, it has little in the way of locking, and schema
definition is a job only a masochist would take on.
Thus if we use LDAP to store the auth details, we would end up using two
databases. Payment / Member DB stuff that updated auth information
would have to have interfaces to both LDAP and the SQL database.
I am pulling stuff out of the air here as I have not read the doco
about it, but I suspect we would be better off using OpenID as our auth
mechanism. Trac supports it and MoinMoin supports it. I.e., we make trac
and moinmoin OpenID consumers, in OpenID parlance. There are lots of
OpenID providers out there, but if that is not sufficient Humbug could
provide one.
Although I am not sure it is a good idea, the interesting thing here is
the Humbug OpenID server can be done via LDAP. There is an out-of-the-box
OpenID server package for Debian which uses PAM, and of course PAM
has an LDAP interface. But, if you wanted to get things going quickly,
that is a hack that would work.
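The "two databases" problem Russell raises (member data in SQL, auth details in LDAP, and an update that has to touch both) is easy to get wrong because no transaction spans the two stores. The following added example is not from this thread or from Humbug's code; it uses an in-memory SQLite member table and a constructed stand-in for an LDAP directory (not python-ldap, no server needed) holding inetOrgPerson entries with OpenLDAP-style {SSHA} userPassword values. The base DN, uids, e-mail addresses and the forced-failure hook are all made up for the demonstration. It shows the write ordering and rollback a coordinator needs so that the SQL side and the directory never disagree when the LDAP modify fails.

```python
"""Dual-write hazard when auth lives in LDAP and member data lives in SQL.

Added example: a constructed member DB (SQLite, in-memory) beside a
constructed stand-in for an LDAP directory holding inetOrgPerson entries.
Changing a member's e-mail and password must hit both stores, and there
is no transaction spanning them, so the coordinator rolls the SQL change
back whenever the LDAP write fails.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import sqlite3

BASE_DN = "ou=People,dc=example,dc=org"  # placeholder, not a real deployment


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """OpenLDAP's legacy {SSHA} form: base64(sha1(pw + salt) + salt).
    Shown because it is what an inetOrgPerson userPassword commonly holds;
    a new deployment should prefer a slower, modern password hash."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (salt is the tail)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class FakeDirectory:
    """Constructed stand-in for an LDAP server: dn -> attributes.
    It only models modify() succeeding or raising, so the rollback path
    of the coordinator can be exercised offline."""

    def __init__(self, fail_on: set[str] = frozenset()) -> None:
        self.entries: dict[str, dict[str, str]] = {}
        self.fail_on = set(fail_on)  # uids whose modify() is forced to fail

    @staticmethod
    def dn(uid: str) -> str:
        return f"uid={uid},{BASE_DN}"

    def add(self, uid: str, mail: str, password: str) -> None:
        self.entries[self.dn(uid)] = {
            "objectClass": "inetOrgPerson",
            "uid": uid,
            "mail": mail,
            "userPassword": ssha_hash(password),
        }

    def modify(self, uid: str, **attrs: str) -> None:
        if uid in self.fail_on:
            raise ConnectionError(f"ldap modify failed for {self.dn(uid)}")
        self.entries[self.dn(uid)].update(attrs)


def make_member_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (uid TEXT PRIMARY KEY, mail TEXT, paid_until TEXT)")
    return db


def update_member_contact(db: sqlite3.Connection, directory: FakeDirectory,
                          uid: str, new_mail: str, new_password: str) -> bool:
    """Update SQL inside a transaction, then LDAP; if LDAP fails the SQL
    update is rolled back. Returns True on success, False on rollback."""
    try:
        with db:  # commits on normal exit, rolls back if the body raises
            db.execute("UPDATE member SET mail = ? WHERE uid = ?", (new_mail, uid))
            directory.modify(uid, mail=new_mail, userPassword=ssha_hash(new_password))
    except ConnectionError:
        return False
    return True


def demo() -> dict[str, object]:
    """Constructed run: bob's update succeeds, carol's LDAP write is forced to fail."""
    db = make_member_db()
    directory = FakeDirectory(fail_on={"carol"})
    for uid, mail in (("bob", "bob@example.org"), ("carol", "carol@example.org")):
        db.execute("INSERT INTO member VALUES (?, ?, ?)", (uid, mail, "2010-12-31"))
        directory.add(uid, mail, "initial-pw")
    db.commit()
    bob_ok = update_member_contact(db, directory, "bob", "bob@new.example.org", "new-pw")
    carol_ok = update_member_contact(db, directory, "carol", "carol@new.example.org", "new-pw")
    bob = directory.entries[FakeDirectory.dn("bob")]
    return {
        "bob_ok": bob_ok,
        "bob_sql_mail": db.execute("SELECT mail FROM member WHERE uid='bob'").fetchone()[0],
        "bob_ldap_mail": bob["mail"],
        "bob_new_pw_ok": ssha_verify("new-pw", bob["userPassword"]),
        "bob_old_pw_ok": ssha_verify("initial-pw", bob["userPassword"]),
        "carol_ok": carol_ok,
        "carol_sql_mail": db.execute("SELECT mail FROM member WHERE uid='carol'").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering matters: the side that can be rolled back (SQL) is written first and the side that cannot (LDAP) last, so a failure leaves both stores at the old value. The reverse order would leave a directory entry pointing at a new e-mail address that the member table never recorded.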