
There is nothing "lightweight" about

@craig0990 with all the configuration management we have nowadays, I sometimes wonder if it's really necessary anymore. Adding a user to 1000 systems is about as easy as adding the user to one system... At least with Linux and Ansible/Puppet/Chef etc. Good configuration management can solve this problem.

@charims @craig0990 I worked at a company where they used Puppet to install your "user package" and SSH keys on every machine you needed access to. If you only needed an SSH key, that'd be one thing, but you still needed a randomly generated password (PGP encrypted and sent to your e-mail) to sudo; so on password rotations you'd still have to update your password on every machine. The admins advocated against LDAP because ...reasons? It turned into a terrible fucking holy war. You do need LDAP/krb!

@charims The actual LDAP protocols and LDIFs themselves aren't too bad, and you can find libraries that are small, but once you try to tackle AD or have LDAP replication or add on Kerberos or anything else, it does blow up into a beast. It's not as bad as SOAP, which is not Simple at all, but I see @craig0990's point.

@djsumdog @craig0990 My issue is just that, if you are setting up LDAP, almost guaranteed you want replication. I've managed several LDAP/Kerb setups in my day. I never want to do it again.

Seems we could do something a lot simpler with a decent API and an HA database solution. :awesome:

@charims @djsumdog as it happens, "all I really want" (à la the Spice Girls) is Single Sign On for a tiny suite of self-hosted services. Some support OIDC, some support LDAP (some neither).

I now have running for OIDC, which in turn is now fronting OpenLDAP, but oh my word is LDAP the more esoteric of the two.

I think I understand that if you're used to this it's second nature, but as a newcomer, it's incredibly opaque. And people call complicated

@djsumdog @craig0990 idk, seems like it's possible to distribute your password hash for the shadow file to every system. This would let CM update your password everywhere. Yes, admins would have access to your hash, but they already do in the /etc/shadow file...

If you really need a solution, IPA (and M$ AD as much as I despise it) seems to do a good job if you need LDAP/kerb. I guess it depends on the size of your team of course. But # of systems shouldn't matter anymore.
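The "push the hash everywhere with CM" idea above, as an added example that is not part of the thread: an Ansible playbook that sets one account's crypt(3) hash on every host in a single run. The group name, user name, vault file path and key path are hypothetical.

```yaml
# Added example (not from the thread): distribute one user's password hash
# to every managed host with Ansible, so a rotation is a single playbook run.
# Assumptions (hypothetical): inventory group "all", an ansible-vault
# encrypted file vault/users.yml defining alice_password_hash, and the
# public key at keys/alice.pub on the control node.
- name: Distribute a user's password hash to every host
  hosts: all
  become: true
  vars_files:
    - vault/users.yml   # contains: alice_password_hash: "$6$..." (vault-encrypted)
  tasks:
    - name: Ensure the account exists with the current hash
      ansible.builtin.user:
        name: alice
        # Must already be a crypt(3) hash (e.g. SHA-512 "$6$..."), never plaintext.
        password: "{{ alice_password_hash }}"
        # Re-apply on every run so a rotated hash propagates to all hosts.
        update_password: always
        shell: /bin/bash
        state: present
      # Keep the hash out of Ansible's own stdout and log files.
      no_log: true

    - name: Install the SSH public key alongside it
      ansible.posix.authorized_key:
        user: alice
        key: "{{ lookup('file', 'keys/alice.pub') }}"
        state: present
```

Generate the hash on the control node with `mkpasswd -m sha-512` (or Ansible's `password_hash('sha512')` filter) and store it with `ansible-vault encrypt vault/users.yml`; the hash still lands in /etc/shadow on every host, so root on any one of them can read it, exactly as the post notes.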

Mastodon for Tech Folks