[TriLUG] LDAP provisioning/update best practices

Rick DeNatale rick.denatale at gmail.com
Fri Jul 14 10:28:45 EDT 2006


I'm looking at a "self-service" web app which would allow people to
request a shell account, and subsequently maintain their contact info,
request password resets via mailback confirmation, etc.

We want to keep all of this info in an LDAP directory (implemented
with OpenLDAP, of course).

The idea is that when someone asks to create an account, an LDAP entry
would be created which would be marked as expired, ready to be "turned
on" after someone on the staff authorizes it.

I've been looking around for examples of how others do similar things
without much luck.

My concern is that LDAP, being a mostly-read, lightweight
"database", lacks some of the facilities for concurrency
control/transactions.

I need to do things like validate that usernames and user IDs are
unique. It could be done by enumerating the existing values from the
LDAP directory, but I can't see how to do that together with the update
as a transaction.

Although it's probably unlikely that two people would be creating
accounts at the same time, I'd like to close the window anyway.

So I guess what I'm asking is: do systems like this really work
directly with the LDAP directory, or is it more common to keep most or
some of the information in, say, an RDB and drive changes to the LDAP
directory from that?

-- 
Rick DeNatale

IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/
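One server-side way to close the window the post describes, added here as an example and not taken from the thread: OpenLDAP's slapo-unique overlay rejects any add or modify that would produce a duplicate uid or uidNumber, and a single LDAP modify that deletes the old value of a counter attribute and adds the new one is applied as a unit (RFC 4511 modify is atomic per entry), so it serves as a compare-and-swap for allocating uidNumbers. The suffix dc=example,dc=com, the database olcDatabase={1}mdb, the counter entry cn=uidNext,ou=counters, the starting value 10042 and the account jdoe are all assumed for illustration.

```ldif
# Added example, not from the original post. Assumed: suffix dc=example,dc=com,
# backend olcDatabase={1}mdb, a counter entry cn=uidNext,ou=counters created
# once beforehand (e.g. with objectClass: extensibleObject) holding uidNumber.

# 1. Enforce uniqueness of uid and uidNumber on the server (slapo-unique).
#    Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f unique.ldif
#    Only needed if slapd was built with dynamic modules:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: unique.la

dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: unique
# Any add/modify that would leave two entries under ou=people with the same
# uid or uidNumber is refused with constraintViolation (19). The counter
# under ou=counters is outside this subtree and so is not checked.
olcUniqueURI: ldap:///ou=people,dc=example,dc=com?uid,uidNumber?sub

# 2. Allocate the next uidNumber with a compare-and-swap on the counter.
#    The delete and the add below are one modify operation: either both
#    apply or neither does. If another client already moved the counter
#    past 10042, the delete of that specific value fails (noSuchAttribute,
#    16), the whole modify is rejected, and the caller re-reads and retries.
dn: cn=uidNext,ou=counters,dc=example,dc=com
changetype: modify
delete: uidNumber
uidNumber: 10042
-
add: uidNumber
uidNumber: 10043
-

# 3. Create the account with the value just won. uid is in the RDN, so a
#    second add of the same DN fails with entryAlreadyExists (68) even
#    without the overlay; the overlay additionally guards uidNumber.
#    shadowExpire: 0 (days since the epoch) marks the account expired until
#    staff remove or raise it, matching the "create expired" flow above.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: add
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10042
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/bash
shadowExpire: 0
```

The cn=config attribute names are the OpenLDAP 2.4-style syntax; the same overlay is configured in a slapd.conf with an `overlay unique` section. The web application treats a failed step 2 as "lost the race, read the counter again and retry", and a constraintViolation or entryAlreadyExists on step 3 as "username or uid already taken", so no enumerate-then-insert window remains, and nothing about the flow requires a relational database in front of the directory.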


