
September 21, 2004

Community infrastructure

Discussion on how to clean up user management and integrate various systems coming online shortly.

[Attached diagram: community_systems_architecture_ldap.jpg]

Hi Lucky,

Thanks for the offer to consider our LDAP pickle. I've tried to map out what I'm looking for as to LDAP with the attached JPEG.

Essentially I'd like to migrate a small user database to LDAP and have the technologies marked in light grey authenticate to that instead of what they use currently.

i.e.
Apache - flat file managed by htpasswd
MoveableType - MySQL table

At the moment it'd only be for in-house use (a virtual team working on a project described in the PDF) but we need to expand this out to a wider group over time (e.g. beta testers, online community members).

I'm assuming LDAP is the recommended option but happy to hear of any alternative options. This is a fledgling film company, no IT powerhouse, so ideally the setup will be something simple and standard.

Posted by .M. at September 21, 2004 11:37 PM
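The migration step described in the post above (moving the htpasswd flat file into LDAP so that Apache can authenticate against the directory), as an added example that is not part of this thread or of any project mentioned in it. It is a Python script that converts htpasswd lines into LDIF `inetOrgPerson` entries. The base DN `ou=people,dc=example,dc=com`, the sample users and their hashes are constructed placeholders, and the `{CRYPT}` mapping assumes the LDAP server was built with crypt(3) support. Hashes with no LDAP equivalent (Apache's `$apr1$` MD5 variant) and usernames that are not safe to embed in a DN are reported rather than imported, so those accounts get a password reset instead of a silently broken login.

```python
"""Convert an Apache htpasswd file into LDIF for import into an LDAP directory."""
import base64
import hashlib
import re
from dataclasses import dataclass, field

# Assumed base DN for the new directory (placeholder; use the real suffix).
BASE_DN = "ou=people,dc=example,dc=com"

# Only usernames safe to embed in a DN and a uid attribute are accepted:
# a comma, plus sign or equals sign in a login name would alter the DN structure.
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
# Traditional crypt(3): 2-char salt + 11 chars, all from the crypt alphabet.
TRAD_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


@dataclass
class MigrationResult:
    ldif: str                                    # importable entries
    skipped: dict = field(default_factory=dict)  # user -> reason it was not imported


def parse_htpasswd(text: str) -> list:
    """Return (user, hash) pairs, ignoring blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, pw_hash = line.partition(":")
        if sep:
            pairs.append((user, pw_hash))
    return pairs


def convert_hash(pw_hash: str):
    """Map an htpasswd hash to an LDAP userPassword value, or (None, reason)."""
    if pw_hash.startswith("{SHA}"):
        # 'htpasswd -s' and LDAP both store {SHA}base64(sha1(pw)); check that the
        # value decodes to a 20-byte digest so a corrupt line is not imported silently.
        try:
            digest = base64.b64decode(pw_hash[5:], validate=True)
        except ValueError:
            return None, "malformed {SHA} value"
        if len(digest) != hashlib.sha1().digest_size:
            return None, "{SHA} value is not a SHA-1 digest"
        return pw_hash, None
    if TRAD_CRYPT.match(pw_hash):
        # Traditional crypt(3) output is accepted by the {CRYPT} scheme when the
        # LDAP server is built with crypt support (assumption for this site).
        return "{CRYPT}" + pw_hash, None
    if pw_hash.startswith("$apr1$"):
        # Apache's apr1 MD5 variant has no standard LDAP storage scheme:
        # the user must set a new password after migration.
        return None, "apr1 MD5 hash has no LDAP scheme; force password reset"
    return None, "unrecognised hash format; force password reset"


def migrate(htpasswd_text: str, base_dn: str = BASE_DN) -> MigrationResult:
    """Build LDIF inetOrgPerson entries; skip users whose hash cannot move over."""
    entries, skipped = [], {}
    for user, pw_hash in parse_htpasswd(htpasswd_text):
        if not SAFE_UID.match(user):
            skipped[user] = "username not safe for use in a DN"
            continue
        value, reason = convert_hash(pw_hash)
        if value is None:
            skipped[user] = reason
            continue
        # inetOrgPerson requires cn and sn; htpasswd only has a login name,
        # so both are filled with the uid and can be corrected later.
        entries.append(
            f"dn: uid={user},{base_dn}\n"
            "objectClass: inetOrgPerson\n"
            f"uid: {user}\ncn: {user}\nsn: {user}\n"
            f"userPassword: {value}\n"
        )
    return MigrationResult(ldif="\n".join(entries), skipped=skipped)


# Constructed sample file (hypothetical users; hashes built here, not real credentials).
SAMPLE_HTPASSWD = "\n".join([
    "# in-house team",
    "alice:{SHA}" + base64.b64encode(hashlib.sha1(b"example-only").digest()).decode(),
    "bob:$apr1$abcdefgh$0123456789abcdefghijkl",   # apr1 MD5: cannot be imported
    "carol:ab0123456789A",                          # traditional crypt(3) format only
    "eve,ou=admins:{SHA}" + base64.b64encode(hashlib.sha1(b"x").digest()).decode(),
    "",
])

if __name__ == "__main__":
    result = migrate(SAMPLE_HTPASSWD)
    print(result.ldif)
    for user, why in result.skipped.items():
        print(f"SKIPPED {user}: {why}")
```

Feed the printed LDIF to `ldapadd` once the `ou=people` container exists, and hand the skipped list to whoever resets those passwords; after import, a single `htpasswd`-style bind test against the directory for one migrated user confirms the `{SHA}` entries work before Apache is switched over.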
Comments

Lucky responds:

Hi Michela,

There are several ways to solve your problem and LDAP is one of them. It
is the one more suited for Internet related authentication/authorization,
but you could do the same thing with a 'normal' database. The advantage
LDAP gives you is the fact that it is more easily integrated with typical
Internet applications. When more applications have need for
authentication/authorizations, as is the case in your design, then LDAP is
definitely an advantage over a regular database like MySQL. You don't need
to do any programming, it is all built in. Another advantage is
replication of users from one LDAP to another.

But... Your environment also has message boards, blogs and other systems
that probably need a database to store their content. Introducing an LDAP
server will still leave you with the need for a database. You can write
these systems your own, or you could buy standard ones. Whether these
standard systems support LDAP authentication and 'Database content
storage' I don't know, but I doubt it. I did a quick search on the MySQL
site and LDAP and it came up with no relevant hits.

The goal should be to try to have only one point where your credentials
(authentication/authorization information) are for the obvious reasons.
But in practice this is not always possible. What is usually done is to
introduce a master application that controls the storage of credentials in
the various places. An administrator then only needs to administrate the
users via this master application. This process is called Identity
Management. (It happens to be that I'm now hired by an English company
called Safestone Technologies, that sells identity management solutions.
Unfortunately these solutions are not free, and might not do precisely
what you want.)

Is this making any sense to you?

The questions you need to ask yourself are: how much am I going to program
myself, how many applications are the users allowed to use besides the
Internet portal? If everything is done via the portal with a completely
tailored web application and where a database is needed to store content,
then perhaps there is no need for LDAP. ( If you want to do client
authentication with digital certificates then LDAP is probably a must, but
my guess you will use username passwords for now.)

Regards,

Lucky

On Mon, 20 Sep 2004 13:12:40 +0100, Michela Ledwidge
wrote:

>
> Hi Lucky,
>
> Thanks for the offer to consider our LDAP pickle. I've tried to map out
> what I'm looking for as to LDAP with the attached JPEG.
>
> Essentially I'd like to migrate a small user database to LDAP and have
> the technologies marked in light grey authenticate to that instead of
> what they use currently.
>
> i.e.
> Apache - flat file managed by htpasswd
> MoveableType - MySQL table
>
> At the moment it'd only be for in-house use (a virtual team working on a
> project described in the PDF) but we need to expand this out to a
> wider group over time (e.g. beta testers, online community members).
>
> I'm assuming LDAP is the recommended option but happy to hear of any
> alternative options. This is a fledgling film company, no IT
> powerhouse, so ideally the setup will be something simple and
> standard.
>
> Best,
> .M.
>
> Michela Ledwidge
> Film-maker
>
> +44 (0) 207 723 4764(phone/fax)
> +44 (0) 7775 840 950 (mobile)
> http://michela.thequality.com
> http://modfilms.com
>
>
>
>
>> -----Original Message-----
>> From: Frank Tiddeman [mailto:frank_tiddeman@yahoo.com]
>> Sent: 17 September 2004 08:38
>> To: Michela Ledwidge
>> Cc: Lucky
>> Subject: RE: Re-mixable film
>>
>> Michela,
>>
>> Lucky says he is willing to help with your LDAP probs.
>>
>> I am sure he would also be interested in the project
>> itself if you want to tell him about it.
>>
>> Hope it gets sorted quick.
>>
>> Frank
>>
>>
>>
>>
>>

--
Lucky @ www.soulsonic.com / www.lucianopinna.com / www.stunfish.com Soulsonic Design - Show what you got, to get what you want.

Posted by: .M. at September 21, 2004 11:38 PM

Hi Lucky,

Thanks for the long reply.

> Is this making any sens to you?

Yes, but I'm after some advice based on the tech I listed. I.e. what do you recommend we do next?

I'm not aware of any drop-in user management system that could make life easier in this case. If there is a commercial package that suits the diagram I sent you, I'd consider it.

I understand your points and in the past I actually set off down the LDAP route only to give up on not being able to set up the LDAP data and maintain it effectively due to my ignorance and impatience. It still seems to be the best way to integrate certain applications but I'm looking for a sanity check on that and help in the set-up if possible (awful distraction from film-making! :-). You're right that MySQL will still be in the equation and the auth data may be better off stored there but either way I need to make a decision which way to go soon and get some better form of user management than the manual process at the moment.

> The questions you need to ask yourself are: how much am I going to program
> myself

As little as possible. I want to mix and match off-the-shelf systems wherever possible.

> how many applications are the users allowed to use besides the
> Internet portal?

Indeterminate. We need to bring on new apps relatively quickly on-demand without worrying too much.

> If everything is done via the portal with a completely tailored web
> application and where a database is needed to store content,
> then perhaps there is no need for LDAP. ( If you want to do client
> authentication with digital certificates then LDAP is probably a must,
> but my guess you will use username passwords for now.)

There is no portal, that's the point. I have a loose federation of systems which are not integrated (and don't need to be, apart from access permissions) and I'm trying to establish whether there is a way for the federation to be managed better without going to the trouble of establishing a portal architecture. It may be that there's no advised way to unify things better without extensive migration but there does seem to be a lot of thought in this area so I'm hoping someone can help us make it happen.

I don't have a need for certificates but I do want to have some flexibility in terms of moving services around and introducing new applications (hence the reluctance to move lock, stock and barrel to a portal framework; I regularly consider moving to Zope).

You're right in that there is no out-of-the-box solution but I'm looking for advice on how best to proceed. There is some integration info I can see (e.g. for Apache and Movable Type) but I'd want to get someone who's au fait with LDAP to assess.

e.g.
http://www.decafbad.com/twiki/bin/view/Main/MovableTypeLDAPAuthors (MovableType)
http://twiki.org/cgi-bin/view/Plugins/LdapPlugin (Twiki)
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html (Apache)
http://cerebus.sandiego.edu/~jerry/blog/article.php?story=20031126163833533 (phpBB)

Thanks

.M.

Posted by: .M. at September 21, 2004 11:39 PM