LemonLDAP::NG and multiple LDAP servers

@oneitonitram

This is pure BS.

Any hosted Webpage will use ports 80 and/or port 443…
Otherwise it’s not “Web-hosting”!!!

Very simple!

In my case, I did not mean consolidation in the sense you understood. What I meant was: even if I have multiple LDAP servers, which have no correlation with one another,

then it would be possible to use the same LemonLDAP installation for SAML/OpenID and the rest for authentication on client apps,

rather than deploying separate LemonLDAP instances in this case.

For most customer-facing web pages, but not really for other stuff. The same way, you don't visit login-to-my-neth-server.com to access the NethServer GUI, as well as Proxmox and other tools. They run on a different port, and it's sometimes for good cause and reason.

Most Java systems, by default, don't use port 80, similar to Node.js. It's not necessarily security by obscurity, but merely to avoid headaches, conflicts and overheads.


I know, and that would present you with MAJOR issues.

You’re only seeing the imagined savings, trying to save the very expensive software needed to consolidate different (independent) LDAPs like you imagine.

To make your system completely insecure, I’d just have to create the same user on both LDAP servers involved. LemonLDAP would not be able to differentiate.

So a “lesser” user would get elevated in permissions…

Your understanding of security is really “out of this world” and a bit too simplistic.

Comparing an “admin” page like Proxmox or any network printer is like comparing apples with a meat pie. No web hoster offers these kinds of pages commercially!

These may use a browser to be accessed, but are NEVER considered as web-pages!

BS comparison, sorry!

Yes, but these are JAVA applications, not a web page.
And what are these Java apps viewed with? Yes, a reverse proxy inserting the inaccessible Java into a common web page, again running on ports 80 or 443.
If not, it’s not a web-page, but rather an administrative page…

And again, the main reason is it’s not easy to use a port <1024 for JAVA (These are well known ports…). The reason is security, as using ports <1024 means starting with root, not a good idea…

This would be an absolute security nightmare!!!

If you put it this way, it makes a lot of sense.

Understandably, I have only about 6 years deploying systems to servers, while you have well over 20 years…

So I can’t argue with that.

But all this begs a new question.
Doesn’t or can’t LemonLDAP handle a case of a similar username being used? I believe it’s a use case that they should and must have thought about when they were building the system.

Because, while LDAP is one of the options, LemonLDAP does offer multiple other options for backend authentication. And I think they can all be used, more than one at a time. So how does it handle this…

Something to research.

No need to research this.

This can only work, when the “source” is defined.
So the user logging in to any interface using LemonLDAP has to exist only once in the global context.
A default could be LDAP, others would need to be specified.

Example:

User: oneitonitram (LDAP user oneitonitram)

User oneitonitram.oid (OpenID user oneitonitram)

These are only samples of how it could be done…
But it has to be absolutely clear for the system, which user is meant…

Something like

USERNAME.SOURCE would work…

Think about mail and the typical webmaster mail account/user on a hosted public webserver.

Just using webmaster won’t work, the server can’t differentiate.

webmaster@domain1.com
webmaster@domain2.com

can easily be differentiated.

This has existed for over 30 years!

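The source-qualified login Andy describes, beside the unqualified lookup the thread warns about, as an added example that is not part of this thread or of LemonLDAP::NG: the directories are constructed dicts standing in for two independent LDAP servers, and the `user.source` and `user@domain` forms, the default-source rule and the domain mapping follow the post's suggestions rather than any LLNG configuration.

```python
"""Colliding usernames across independent directories.

Constructed sample data: two unrelated "LDAP servers" (plain dicts) that both
contain a user named bob, once as an administrator and once as a plain user.
"""

DIRECTORIES = {
    "corp":   {"alice": {"pw": "s3cret",  "groups": ["staff"]},
               "bob":   {"pw": "adminpw", "groups": ["admins"]}},
    "tenant": {"bob":   {"pw": "bobpw",   "groups": ["users"]}},
}
DEFAULT_SOURCE = "corp"                       # "a default could be LDAP"
DOMAIN_TO_SOURCE = {"domain1.com": "corp", "domain2.com": "tenant"}


def unsafe_login(username, password):
    """UNSAFE: bind wherever the credentials fit, then resolve groups by
    bare uid across all sources. The tenant's bob logs in with his own
    password but picks up the corp admin groups: the elevation described
    in the thread."""
    if not any(d.get(username, {}).get("pw") == password
               for d in DIRECTORIES.values()):
        return None
    for d in DIRECTORIES.values():             # first source wins
        if username in d:
            return d[username]["groups"]


def parse_login(login):
    """Split 'user@domain' or 'user.source' into (uid, source).
    A bare name is looked up in DEFAULT_SOURCE only, never in every source."""
    if "@" in login:
        uid, domain = login.rsplit("@", 1)
        if domain not in DOMAIN_TO_SOURCE:
            raise ValueError(f"unknown domain in login {login!r}")
        return uid, DOMAIN_TO_SOURCE[domain]
    uid, _, suffix = login.rpartition(".")
    if suffix in DIRECTORIES:                  # john.doe stays a bare uid
        return uid, suffix
    return login, DEFAULT_SOURCE


def qualified_login(login, password):
    """Authenticate and authorise against exactly one named source."""
    uid, source = parse_login(login)
    entry = DIRECTORIES[source].get(uid)
    if entry is None or entry["pw"] != password:
        return None
    return {"source": source, "groups": entry["groups"]}
```

With a real directory the password check is an LDAP bind against the selected server; the point that survives is that the source is chosen before the bind, never discovered by trying every server.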

Security concerns aside, the only way I think that would work is if the uid is mapped to, say, email (userPrincipalName) with different domains, requiring the login to be user@domain.tld. That said, I’m not sure how you would define individual anonymous bind accounts (i.e., ldapservice@domain.tld) and mail servers.

But while security is definitely an issue, I think the bigger issue would be availability: if that server goes down and has, say, five ADs set up, that’s five customers that would be mad.

Email is workable, like my example with “webmaster”, but tends to be longer than a short additional identifier. Email is more common for the general public, but in corporations often Division or Site are used.
That’s why one has several auth sources (all with the same content) for redundancy…

For 5 ADs, that’s at least 10 servers… :slight_smile:


I mean, don’t get me wrong, I do see the perceived benefits of having it on one server, but in practice I suppose it’s like having a long list as opposed to multiple: it’s easy to add, but takes longer to find certain things. Maybe a bad analogy.

is not really having any form of redundancy, better availability…

Sorry Shane, but here you sound like the typical Windows user, accustomed to Windows local search, not something like Google… Google will find anything from thousands, if not millions of sources…

The more common the name, the more “hits” you’ll get, true. Then again, you won’t find really many “real” John Does… :slight_smile:

But the thing is: the better the engine, the easier and faster the “search”…

Think of a really large company or corporation, with over 100’000 employees. Sure you’ll have one or more with the same names. No issues really. But all can e.g. log in to an “Intranet” site, and using SSO they’re then logged in (or “enabled”) on whatever internal sites they need to…

My 2 cents
Andy


yes

This is true, but I should have phrased it like: if you were writing a list on paper (can’t believe I said that :slightly_smiling_face:), it seems easier to just add the next thing, but if you get a list of lots of things it’s easier to have them organised in groups in the event you need to actually find the thing you wrote down.


That’s like looking for who uses a specific phone number - in an old style telephone book(s)…

Days? Weeks? Months? Years?

And just the country (eg India or China vs. Australia) could make years of difference…

Be glad we’re in the digital age! :slight_smile:


Reminds me of a scene from Back to the Future 2 where the main character is showing off playing a pinball machine and 2 kids look at him and say “you mean you have to use your hands? That’s like a baby’s toy”.


I’m still waiting for someone to put a telekinetic keyboard on the market…
Throw in a 3D telekinetic mouse, and we’re getting there.

Upgrading the human being to be telekinetic-capable might be a touch more difficult, along the lines of: you can make something “idiot-proof”. But who defines what level is “Idiot” and what to do with those who don’t even make the Amoeba level? :slight_smile:


Plus 1 for technomancer implants


Add in the Option to have these really nice Steam-Punk styled… :slight_smile:


Well, that escalated quickly. I’ve split this discussion off into its own topic, as it doesn’t really seem to have anything to do with the installation.

Martin, your questions are getting into some advanced usage of LLNG, and you’d probably be better off asking through their support channels. I’m not aware of a way to set separate passwords for separate LDAP servers, though it’s possible I’m just missing it.

It sounds like your objective is to authenticate to one set of resources using one LDAP server, and to another set using another LDAP server–is that correct? If it is, I’m not sure LLNG can do that, but again I’d suggest their support channels: LemonLDAP::NG - Contact

Sure, and ldap+tls uses 389 by default–and both can use different ports if needed or desired. Why that would be done is really beside the point (but aside from “security through obscurity”, at least one other possible reason would be port conflicts–perhaps you’re running more than one LDAP server–possibly with different software–on the same machine). But the lengthy and somewhat heated digression about port usage is irrelevant; Shane correctly answered that the port number can be specified in the server host URI (as it can in pretty much any URI).

Nonsense, as you know perfectly well. Yes, pages that are intended to be open to the public are almost always on ports 80/443 (even then, I’ve seen exceptions, though rare). But internal stuff can, and routinely does, run on all kinds of ports, for a variety of reasons–one being, as you’ve mentioned, a form of “security through obscurity”; one being that it makes firewall configuration easier, so that you can control access to different applications by different IP/network ranges; one being that it’s a different piece of software, so it can’t use the same port being used by another piece of software; one being that the software in question doesn’t (and doesn’t want to) run as root, so it can’t bind to a <1024 port–doubtless there are other reasons as well.

Not sure what you’re saying here, or why you think it’s relevant.

Huh? The further I read, the more bizarre this gets. No, it has nothing to do with the ports; it’s all about virtual hosts and (if TLS is in play) SNI. You can serve hundreds–or thousands–of domains on the same IP, and same ports, that way. Sure, they probably use a different port for their admin pages and such, but that really isn’t relevant.

I guess you’ve just changed the definition of web page to something that’s only accessed over ports 80/443. If that’s the case, you do you, but your insistence on this as an absolute seems a little odd.


We are talking about hosted webpages, ie PUBLIC…

What you are talking about is institutional or organizational stuff, and there you can do as needed. For public access, using other ports than 80 and 443 just defeats the purpose of a public web page…

This is a classic example of “Home / Amateur usage”. If it’s professional, you can “afford” 2 IPs…

An SC Justice just doesn’t “do” a normal divorce case… :slight_smile:

And: Martin here IS looking for something to offer as a professional service (commercial).

This:
“most hotspots only allow these two ports.”
is only relevant for “public” webpages.

Otherwise, it did get a “bit” lengthy, and very Off topic. So splitting was the right thing…

My 2 cents
Andy

But it does raise kind of an interesting question. It’s trivial to host multiple pages/sites/domains on a single IP, even if they’re hosted with different software, by way of virtual hosts, SNI, and reverse proxies. But I don’t know if there’s LDAP proxy software that works like, say, HAProxy–so that a connection attempt to ldaps://ldap.domain1.tld gets transparently routed to one server, while ldaps://ldap.domain2.tld goes to a different one.

But in any event, while there may be a variety of issues with Martin’s plan, port numbers aren’t one of them.