LDAP service

1. About

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over a network. Directory services play an important role in developing intranet and Internet applications by allowing the sharing of information about users, systems, networks, services, and applications.

2. Systems

2.1 Frontend

FQDN                    IPv6   IPv4
ldap.bfh.info
ipv6.ldap.bfh.info [1]
ipv4.ldap.bfh.info [1]

2.2 Backend

Warning
Always use the frontend DNS record

Never use the backend nodes directly:

  • backend may change without notice at any time (e.g. IP addresses, DNS records, configuration, etc.)
  • backend has no legacy support or grace periods, changes are implemented instantly
  • backend can be rebooted without notice at any time
  • backend access will soon be restricted

FQDN                        IPv6             IPv4
node1.ldap.bfh.info [1]     2a07:6b40::51    147.87.0.51
node2.ldap.bfh.info [1]     2a07:6b40::52    147.87.0.52
node3.ldap.bfh.info [1]     2a07:6b40::53    147.87.0.53
node4.ldap.bfh.info [1]     2a07:6b40::54    147.87.0.54

FQDN                              IPv6             IPv4
ldap-primary.bfh.info [1]         2a07:6b40::130   147.87.0.130
node1.ldap-primary.bfh.info [1]   2a07:6b40::131   147.87.0.131
node2.ldap-primary.bfh.info [1]   2a07:6b40::132   147.87.0.132
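As an added example (not part of this page or of the BFH LDAP setup itself), the following Python lint reads ldap.conf-style client configuration and flags every URI or HOST entry that points at one of the backend nodes listed above, or at an IP literal instead of the frontend DNS record. The host names and addresses are taken from the tables on this page; the sample configuration, the function names and the verdict labels are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Frontend record (and its address-family variants) that clients should use.
FRONTEND_HOSTS = {"ldap.bfh.info", "ipv6.ldap.bfh.info", "ipv4.ldap.bfh.info"}

# Backend nodes from the tables on this page; clients must never reference them.
BACKEND_HOSTS = {
    "node1.ldap.bfh.info", "node2.ldap.bfh.info",
    "node3.ldap.bfh.info", "node4.ldap.bfh.info",
    "ldap-primary.bfh.info",
    "node1.ldap-primary.bfh.info", "node2.ldap-primary.bfh.info",
}
BACKEND_ADDRS = {ipaddress.ip_address(a) for a in (
    "2a07:6b40::51", "2a07:6b40::52", "2a07:6b40::53", "2a07:6b40::54",
    "147.87.0.51", "147.87.0.52", "147.87.0.53", "147.87.0.54",
    "2a07:6b40::130", "2a07:6b40::131", "2a07:6b40::132",
    "147.87.0.130", "147.87.0.131", "147.87.0.132",
)}


def classify_target(target: str) -> str:
    """Classify one URI or HOST value.

    Returns "frontend" for the frontend DNS record, "backend-host" or
    "backend-ip" for a listed backend node, "unknown-ip" for any other IP
    literal (bypasses the frontend DNS record), "unknown-host" otherwise.
    """
    # HOST values carry no scheme; prefix one so urlsplit handles
    # "host:port" and bracketed IPv6 literals uniformly.
    uri = target if "://" in target else "ldap://" + target
    host = urlsplit(uri).hostname          # lowercased, brackets stripped
    if host is None:
        return "unparsable"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        return "backend-ip" if addr in BACKEND_ADDRS else "unknown-ip"
    host = host.rstrip(".")
    if host in FRONTEND_HOSTS:
        return "frontend"
    if host in BACKEND_HOSTS:
        return "backend-host"
    return "unknown-host"


def lint_ldap_conf(text: str) -> list:
    """Return (line_number, target, verdict) for every non-frontend target.

    Understands the ldap.conf "URI" directive (space-separated list of URIs)
    and the legacy "HOST" directive (space-separated host[:port] list).
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].upper() not in ("URI", "HOST"):
            continue
        for target in parts[1:]:
            verdict = classify_target(target)
            if verdict != "frontend":
                findings.append((lineno, target, verdict))
    return findings


# Constructed sample ldap.conf mixing correct and incorrect targets.
SAMPLE_CONF = """\
# constructed sample client configuration
BASE dc=bfh
URI ldap://ldap.bfh.info ldap://node1.ldap.bfh.info
HOST 147.87.0.52
URI ldap://[2a07:6b40::131]:389
"""

if __name__ == "__main__":
    for lineno, target, verdict in lint_ldap_conf(SAMPLE_CONF):
        print(f"line {lineno}: {target} -> {verdict}")
```

Any IP literal is flagged, not only the listed backend addresses, because the page's rule is to use the frontend DNS record: a hard-coded address keeps working only until the next lifecycle of the systems behind it.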

3. Features

3.1. ACLs

  • anonymous bind allowed from 2a07:6b40::/29, 147.87.0.0/16, and 10.0.0.0/8

  • legacy applications that do not support anonymous bind can use cn=read-only,dc=bfh with password bfh

4. Operations

  • TODO

6. Backlog

Legacy

  • remove ldap.bfh.science container and records

  • review and document ldap schema

Setup

  • regenerate containers with Debian 12

  • upgrade to current openldap

  • compact db regularly via ldap-tools

  • restrict backend subnet access to frontend and management only

  • decide about multi-primary vs proxy

Features

  • create low-privilege nodes with only subset of data (for external access), keep high-privileged information on internal nodes only

  • anycasting ldap.bfh.info

  • test environment

  • benchmarking

Known issues

  • no known issues

Notes

  1. The systems that ldap.bfh.info currently points to are being lifecycled and regenerated with their final IP addresses and backend names.