Recommend local LDAP storage for development

Our project uses an LDAP repository to store users. In production, this will be Active Directory. For development, we seem to have several options:

  • Install the AD LDS instance that everyone uses
  • Install an AD LDS instance on each development machine

We try to make the “F5” experience as easy as possible, so installing things or using the AD central repository are not my favorite ideas.

Other LDAP servers exist, such as OpenLDAP. I was hoping there might be an LDAP server that just talks to an XML file. This would allow us to store the XML file in source control and have something fast and working. Our nightly builds will still use AD to detect any differences, but the hope is that since we are using LDAP, this should just work.

Can you recommend an LDAP implementation that works well for development from a scratch config, without sharing?

+4
3 answers

I used ADAM, then LDS for a fairly large-scale site (several DCs, millions of executives, ~ 1000 auth / profile-get TPS).

During dev, we launched an engineering environment similar to DB, which affected both options:

  • Products - distributed, stable, available for release, deployment only, prod customers only.
  • Test - distributed, stable, test, testable, similar equipment for production.
  • Integration is a joint, less volatile, test, tested deployed, similar equipment for production, built depending on the requirements of the cycle.
  • Development is collaborative, unstable, testing belongs, dev is deployed. Rebuilds weekly using change scripts.
  • Private - individual, very variable, privately owned, privately owned. Built on demand using test scripts.

We relied heavily on scripts to deploy, migrate the schema, and fetch data between environments. For a while it was a PITA to write scripts for promoting into a shared dev, but this forced us into the mentality of source-controlling schemas and test data very early in our cycle.

While this was quite a bit of overhead on v1, in later versions it made updating and fixing a live system very natural.

The role of the integration environment changed over time in the dev loop, moving the current or future version of the schema closer to the end of the loop.

You may be able to collapse some of these roles - it depends on the prior art, integration requirements, and the consequences of errors. The cost of taking our systems offline was potentially millions — the rigor was worth it.

+2
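An added example (mine, not code from the original poster or from any of the answers) that covers two points raised so far: the wish to keep the development directory's data in a plain file under source control, and the practice of source-controlling schema and test data and loading it by script. The data is written as LDIF, the interchange format both OpenLDAP's ldapadd and the Windows ldifde tool import, so the same fixture can feed a real server in the nightly build and be exercised in-process during unit tests. The DN suffix, attribute names and users are constructed sample data, not values from the thread.

```python
"""Added example, not from the original thread: a source-controlled LDIF
fixture plus a small in-process loader for tests.

The parser implements the LDIF subset (RFC 2849) that test fixtures need:
entries separated by blank lines, comment lines, folded continuation lines,
and base64 values written with '::'. The search helper evaluates an LDAP
equality filter over a subtree so the fixture can be checked without a
running server. All names below are constructed sample data."""
import base64
from typing import Dict, List

# Constructed sample fixture; in practice this is a file under source control.
SAMPLE_LDIF = """\
# Development users. The naming convention "dev-<owner>-<n>" keeps test users
# distinguishable from anything that might exist in a shared directory.
dn: cn=dev-alice-1,ou=users,dc=example,dc=test
objectClass: inetOrgPerson
cn: dev-alice-1
sn: Alice
uid: dev-alice-1
mail: dev-alice-1@example.test

dn: cn=dev-bob-1,ou=users,dc=example,dc=test
objectClass: inetOrgPerson
cn: dev-bob-1
sn:: Wm/Dqw==
uid: dev-bob-1
mail: dev-bob-1@exam
 ple.test
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF text into a list of entries (attribute name -> values).
    The 'dn' line is stored under the key 'dn' like any other attribute."""
    # Unfold first: a line starting with one space continues the previous line.
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            # "attr:: <base64>" carries non-ASCII or binary values safely.
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def search(entries: List[Entry], base_dn: str, attr: str, value: str) -> List[Entry]:
    """Return the entries in the subtree under base_dn whose attr equals value,
    case-insensitively, i.e. the LDAP filter (attr=value) with subtree scope."""
    base = base_dn.lower()
    hits: List[Entry] = []
    for entry in entries:
        dn = entry["dn"][0].lower()
        in_scope = dn == base or dn.endswith("," + base)
        values = entry.get(attr.lower(), [])
        if in_scope and any(v.lower() == value.lower() for v in values):
            hits.append(entry)
    return hits


def load_fixture() -> List[Entry]:
    """Load the constructed fixture; a real project would read a file here."""
    return parse_ldif(SAMPLE_LDIF)


if __name__ == "__main__":
    users = load_fixture()
    for u in search(users, "ou=users,dc=example,dc=test", "uid", "dev-bob-1"):
        print(u["dn"][0], u["sn"][0], u["mail"][0])
```

The same file loads into a real server with `ldapadd -x -f users.ldif` (plus bind options) for OpenLDAP or `ldifde -i -f users.ldif` for AD LDS, which is where the differences the answers mention surface: AD and AD LDS use their own object classes and attributes (for example `sAMAccountName`, which OpenLDAP does not define), so keeping the fixture in a neutral format makes those differences visible as import errors rather than runtime surprises.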

AD, because LDAP has its own characteristics, so if you need to be multivalent, it is wise to test on several LDAP servers (OpenLDAP, Apache Directory Server, AD, etc.).

In addition, AD in production has several (dis)advantages that must be considered:

1) Starting AD just like LDAP is a bad idea - it's too heavy and resource intensive;
2) Do not forget that user accounts in AD are real Windows accounts (i.e. security issues);
3) AD is ideal for multisite replication, but it is problematic to transfer your solution to another LDAP server (it is impossible to export password hashes from AD by default);

+1

A common LDAP server is fine, but if you really target LDAP, not just AD, then you should have several LDAP servers with different software. We have test ADs and OpenLDAP virtual servers, which we use for development and testing, and are faced with many small differences. In production, we support several other servers, but I don’t know what’s from hand to hand.

It is also very easy to configure. For AD, we ran into some problems with the fact that we needed a test AD, and we didn’t want it to interfere with the real company AD. OpenLDAP as a whole was painful to initially configure and load some data into. I myself did not perform these tasks, so I cannot provide more detailed information, sorry.

After configuration, they work fine, and all developers and testers use these two servers. We use naming conventions so that everyone knows which users are their users to add / edit / delete without stepping on each other. I do not see the need for each developer to have their own LDAP server.

0

Source: https://habr.com/ru/post/1303194/