[Freedombox-discuss] LDAP

Lorenzo lorenzo at usucapio.net
Wed Oct 9 09:41:56 UTC 2013

Dear all,

I was checking the TODO list prepared Nick Daly and I see some references
to integrating LDAP in the FB. I tried to find more about it but I could 
not find
anything in the mailing list archives nor on the wiki. I'm writing this 
email because
I spent some time thinking about the need of LDAP in isolated hosts some 
ago and I wanted to share my findinings.

I see the following reasons for including an LDAP daemon:

1) Centralized user authentication: all services on the box can authenticate
their users to the same directory. Moreover the directory runs under a 
user so that a compromised service cannot directly get hold of the password

2) Centralized storage of configuration settings with fine grained 
access control.

3) Read only directory of users of the box (I write read-only because 
LDAP editors
are quite unknown to most people)

For these three usages I think there are better ways to do them than 
using an LDAP
daemon. Namely:

1) Any Debian system already has a centralized user directory, i.e.
/etc/passwd . It is possible to authenticate against this database from most
daemons by using sasld. Using sasld also ensures that the service requesting
the authentication doesn't have direct access to the password storage. sasld
also uses pam so it is very simple to setup things like, "user x can access
service y but not service z". Finally this approach works by using simple
plain files. I implemented this and it works well, if it is useful I can 
share the config

2) Phlint is not running as root and doesn't directly own the configuration
files it can change. So the access control can be done when invoking the 
that modifies the config (i.e. debconf). I never tried this personally, 
but I guess
it should work.

3) A list of the users of the box can be published over XMPP to all its 
users by
pre-adding all users of the box to the roster of each other. To store 
address books the standard is nowadays CardDAV, there are clients for 
any OS.
I see therefore little interest in using LDAP in this case.

For these reasons I think it's not necessary to put LDAP in the freedombox.
Maybe I'm overlooking something (maybe some critical daemon is incompatible
with SASL?). I hope what I wrote can be of help in the design, I'm 
curious to
hear what are the other opinions on this topic.


More information about the Freedombox-discuss mailing list