Can it be used to consolidate more than one LDAP server?
More than one server can be set here separated by spaces or commas. They will be tested in the specified order.
What I am curious about though is how it handles the port and password fields for the multiple LDAP/AD servers in this case…
Unless someone has tested that scenario.
LDAP already has built-in sync, same/similar as AD.
All concerned servers have therefore exactly the same auth info.
Port? That’s defined: LDAPS uses port 636.
If one goes down, the others have the same info.
Consolidation does NOT imply consolidating “different” LDAP servers, that should be clear!
You can also change ports, e.g. for Apache / nginx / IIS.
But: a web-page runs on port 80 or port 443, and NOTHING else.
Any “funky” port use for a web page will only result in not being available externally - most hotspots only allow these two ports.
And to be honest, there is no really legit need to use “funky” ports for anything which uses a so called “well known port”.
Anything else is just “security by obscurity” - or being a cheapskate trying to use one IP for something which would need more IPs…
In my case, I did not mean consolidation in the sense you understood. What I meant was: even if I have multiple LDAP servers which have no correlation with one another,
then it would be possible to use the same LemonLDAP installation for SAML/OpenID and the rest for authentication on client apps,
rather than deploying separate LemonLDAP instances in this case.
For most customer-facing web pages, but not really for other stuff. The same way, you don’t visit login-to-my-neth-server.com to access the NethServer GUI, as well as Proxmox and other tools. They run on a different port, and it’s sometimes for good cause and reason.
Most Java systems, by default, don’t use port 80, similar to Node.js. It’s not necessarily security by obscurity, but merely to avoid headaches, conflicts and overheads.
I know, and that would present you with MAJOR issues.
You’re only seeing the imagined savings, trying to save the very expensive software needed to consolidate different (independent) LDAPs like you imagine.
To make your system completely insecure, I’d just have to create the same user on both LDAP servers involved. LemonLDAP would not be able to differentiate.
So a “lesser” user would get elevated in permissions…
Your understanding of security is really “out of this world” and a bit too simplistic.
Comparing an “admin” page like Proxmox or any network printer is like comparing apples with a meat pie. No webhoster offers these kinds of pages commercially!
These may use a browser to be accessed, but are NEVER considered as web-pages!
BS comparison, sorry!
Yes, but these are JAVA applications, not a webpage.
And where are these Java Apps viewed with? Yes, a reverse Proxy inserting the unaccessible Java into a common webpage, again running on ports 80 or 443.
If not, it’s not a web-page, but rather an administrative page…
And again, the main reason is it’s not easy to use a port <1024 for JAVA (These are well known ports…). The reason is security, as using ports <1024 means starting with root, not a good idea…
Understandably, I have only about 6 years deploying systems to servers, while you have well over 20 years…
So I can’t argue with that.
But all this begs a new question.
Doesn’t or can’t LemonLDAP handle a case of a similar username being used? I believe it’s a use case that they should and must have thought about when they were building the system.
Because, while LDAP is one of the options, LemonLDAP does offer multiple other options for backend authentication, and I think they can all be used more than one at a time. So how does it handle this…
This can only work, when the “source” is defined.
So the user logging in to any interface using LemonLDAP has to exist only once in the global context.
A default could be LDAP, others would need to be specified.
Example:
User: oneitonitram (LDAP user oneitonitram)
User oneitonitram.oid (OpenID user oneitonitram)
These are only samples of how it could be done…
But it has to be absolutely clear for the system, which user is meant…
Something like
USERNAME.SOURCE would work…
Think about mail and the typical webmaster mail account/user on a hosted public webserver.
Just using webmaster won’t work, the server can’t differentiate.
Security concerns aside, the only way I think that would work is if the uid is mapped to, say, email (userPrincipalName) with different domains, requiring the login to be user@domain.tld. That said, I’m not sure how you would define individual anonymous bind accounts (i.e., ldapservice@domain.tld) and mail servers.
But while security is definitely an issue, I think the bigger issue would be availability: if that server goes down and has, say, five ADs set up, that’s five customers that would be mad.
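The two schemes proposed above (a USERNAME.SOURCE suffix, and a user@domain.tld login) both solve the same problem: once several independent directories sit behind one login page, a bare username is no longer a unique key, and the "same user on both LDAP servers" collision becomes a privilege-escalation path. The resolver below is an added example written for this thread, not LemonLDAP code; the directory names `corp` and `tenant1`, the users, and the in-memory dicts standing in for real LDAP/AD searches are all constructed. It accepts either qualifier style, refuses a bare name that matches in more than one source when no default source is configured, and keys authorization on the resolved (source, uid) pair rather than on the uid alone.

```python
"""Resolve a login against several independent identity sources.

Added example for the thread above, not LemonLDAP's own code. Each
"source" is a constructed in-memory dict standing in for an LDAP/AD
directory; a real deployment would bind and search instead.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Identity:
    source: str          # which directory answered
    uid: str             # username inside that directory
    groups: Tuple[str, ...]


# Constructed sample directories (hypothetical names). The "webmaster"
# collision is deliberate: it is exactly the scenario raised in the thread.
SOURCES: Dict[str, Dict[str, Identity]] = {
    "corp": {
        "webmaster": Identity("corp", "webmaster", ("admins",)),
        "alice": Identity("corp", "alice", ("staff",)),
    },
    "tenant1": {
        "webmaster": Identity("tenant1", "webmaster", ("tenant-users",)),
        "bob": Identity("tenant1", "bob", ("tenant-users",)),
    },
}


class AmbiguousLogin(ValueError):
    """Bare username exists in more than one source and no default is set."""


class UnknownLogin(ValueError):
    """No such user, or no such source."""


def split_login(login: str, sources: Dict[str, Dict[str, Identity]]) -> Tuple[str, Optional[str]]:
    """Peel an explicit source qualifier off a login string.

    Accepts user@source (the userPrincipalName style) or user.source (the
    USERNAME.SOURCE idea). A trailing ".xxx" only counts as a qualifier when
    xxx names a configured source, so a plain "john.doe" stays a bare name.
    """
    if "@" in login:
        user, _, src = login.rpartition("@")
        return user, src
    user, sep, src = login.rpartition(".")
    if sep and src in sources:
        return user, src
    return login, None


def resolve(login: str,
            sources: Dict[str, Dict[str, Identity]] = SOURCES,
            default: Optional[str] = None) -> Identity:
    """Map a login to exactly one Identity, or raise.

    Bare names go to the default source when one is configured; otherwise
    they are accepted only if exactly one source knows them. A name that
    exists in several sources must be qualified by the caller.
    """
    user, src = split_login(login, sources)
    if src is None:
        if default is not None:
            src = default
        else:
            hits = [name for name, directory in sources.items() if user in directory]
            if len(hits) > 1:
                raise AmbiguousLogin(f"{user!r} exists in {hits}; qualify the login")
            if not hits:
                raise UnknownLogin(login)
            src = hits[0]
    if src not in sources:
        raise UnknownLogin(f"unknown source {src!r}")
    ident = sources[src].get(user)
    if ident is None:
        raise UnknownLogin(login)
    return ident


def is_admin(ident: Identity) -> bool:
    """Authorization uses the groups of the directory that actually
    resolved the user, so tenant1's "webmaster" never inherits corp's."""
    return "admins" in ident.groups


if __name__ == "__main__":
    for login in ("webmaster", "webmaster.tenant1", "webmaster@corp", "bob"):
        try:
            ident = resolve(login, default="corp")
            print(f"{login:20} -> {ident.source}/{ident.uid} admin={is_admin(ident)}")
        except ValueError as exc:
            print(f"{login:20} -> rejected: {exc}")
```

With a default source of `corp`, a bare `webmaster` resolves to the corporate account and `webmaster.tenant1` to the tenant's, each with its own groups; with no default configured, the bare name is rejected outright, which is the conservative choice when tenants can create arbitrary usernames in their own directories.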
Email is workable, like my example with “webmaster”, but tends to be longer than a short additional identifier. Email is more common for general public, but in corporations often Division, Site are used.
That’s why one has several auth sources (all with the same content) for redundancy…
I mean, don’t get me wrong, I do see the perceived benefits of having it on one server, but in practice I suppose it’s like having a long list as opposed to multiple: it’s easy to add but takes longer to find certain things. Maybe a bad analogy.
is not really having any form of redundancy, better availability…
Sorry Shane, but here you sound like the typical Windows user, accustomed to Windows local search, not something like Google… Google will find anything from thousands, if not millions of sources…
The more common the name, the more “hits” you’ll get, true. Then again, you won’t find really many “real” John Does…
But the thing is: the better the engine, the easier and faster the “search”…
Think of a really large company or corporation, with over 100’000 employees. Sure you’ll have one or more with the same names. No issues really. But all can e.g. log in to an “Intranet” site, and using SSO they’re then logged in (or “enabled”) on whatever internal sites they need to…
This is true, but I should have phrased it like: if you were writing a list on paper (can’t believe I said that), it seems easier to just add the next thing, but if you get a list of lots of things it’s easier to have them organised in groups in the event you need to actually find the thing you wrote down.