
Ask HN: LDAP as a service - traxtech
Hi. I'm contemplating the idea of a SaaS business, an LDAP as a service: an LDAP server and a web interface for account admin and user self-servicing (password update/reset with tfa, account editing, org chart viewing, directory index..)

The idea is to help medium sized orgs to centralize credentials for third party solutions (like every oss project with LDAP integration) and reap the benefits: better security, less admin tasks, etc. It won't be something like a captive portal, or a complete SSO solution.

Each customer would get its own VPS instance with the solution deployed on it (LDAP server, web server..), for $149/m.

Suggestions?
======
SEJeff
Medium sized orgs that want LDAP (and might not have the necessary Linux /
Unix skills) just use Active Directory. Also, if you don't wrap it in
Kerberos, it might be difficult to gain adoption. I say this as someone
considering themselves an LDAP SME, having set up multimaster openldap with 68
slaves globally using delta syncrepl.

Good luck!

~~~
traxtech
Do orgs really expose their Active Directory server on the internet to
integrate with external servers?

~~~
SEJeff
Not entirely sure of your question. I'd think exposing your ldap service to
the open internet is asking for very very bad things to happen.

I'd expect a service like this would use Amazon VPC, a secure VPN to access
it, or something like that. What kind of data do you envision being stored in
this directory, user credentials, or other things?

At $last_job, I was on a mission to put everything in LDAP. There is a custom
OpenLDAP schema from the gnome.org sysadmin team (of which I am an alumni
member) that allowed users to put in their ssh pub key via a webui. Hosts then
ran a cronjob every XX time period that put those ssh keys down (in a
root-owned directory/file so users can't change them), and it was pretty slick.
I also put DNS zone info and sudoers information into LDAP, as I already had a
badass distributed datastore, ldap :)

That being said, can you come up with a real use case where your service makes
sense? Active Directory is hard to compete against, it is super cheap and a
pretty solid kerberized ldap for SMBs.
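
The key-sync mechanism described in the comment above (users publish an ssh public key in the directory, hosts periodically write those keys into a root-owned location), as an added example that is not code from the thread or from the gnome.org sysadmin team. It assumes the keys are exported as LDIF with one `sshPublicKey` attribute per key (the attribute name used by the common openssh-lpk schema); the LDIF text, the key blob and the `uid` values are all constructed sample data. The part worth copying is the validation: the host checks that each value really is an OpenSSH public key whose encoded blob matches its declared type, refuses directory data as a filename unless it is a plain username, and still rewrites a user's file when no valid key remains, so removing a key from LDAP revokes access.

```python
"""
Sync ssh public keys from an LDIF export of the directory into
root-owned per-user authorized_keys files.

Added example (not the thread's or any project's code). Assumes the
openssh-lpk style 'sshPublicKey' attribute and an LDIF export as input.
"""
import base64
import os
import re
import tempfile


def _wire_string(b: bytes) -> bytes:
    """OpenSSH wire format: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_key_blob(key_type: str, raw_key: bytes) -> str:
    """Build a base64 public-key blob of the given type (used for sample data)."""
    return base64.b64encode(_wire_string(key_type.encode()) + _wire_string(raw_key)).decode()


# Constructed sample key: an ed25519-shaped blob over a dummy 32-byte value.
ALICE_BLOB = make_key_blob("ssh-ed25519", bytes(range(32)))

# Constructed sample export. bob's entry carries two bad values that the
# sync must refuse to install: one is not a key at all, the other declares
# a type that does not match its blob.
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
sshPublicKey: ssh-ed25519 {ALICE_BLOB} alice@laptop

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
sshPublicKey: not-a-key
sshPublicKey: ssh-rsa {ALICE_BLOB} bob@desktop
"""

LDIF_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w;.-]*)(?P<sep>::?) ?(?P<val>.*)$")
KEY_RE = re.compile(
    r"^(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+"
    r"(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>\S.*))?$"
)
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfold continuation lines, split entries on blank lines."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # continuation of the previous value
        else:
            unfolded.append(line)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = LDIF_LINE.match(line)
        if not m:
            continue
        val = m.group("val")
        if m.group("sep") == "::":  # base64-encoded value
            val = base64.b64decode(val).decode()
        current.setdefault(m.group("attr"), []).append(val)
    return entries


def validate_key(line: str) -> bool:
    """True only if the line is a well-formed key whose blob names the same type."""
    m = KEY_RE.match(line.strip())
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group("blob"), validate=True)
    except ValueError:
        return False
    if len(raw) < 4:
        return False
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n] == m.group("type").encode()


def sync_keys(entries: list[dict[str, list[str]]], dest_dir: str) -> dict[str, list[str]]:
    """Write dest_dir/<uid> for every user entry; returns the keys accepted per uid."""
    os.makedirs(dest_dir, mode=0o755, exist_ok=True)
    installed: dict[str, list[str]] = {}
    for entry in entries:
        uid = entry.get("uid", [""])[0]
        if not UID_RE.fullmatch(uid):  # directory data never becomes a path component
            continue
        good = [k.strip() for k in entry.get("sshPublicKey", []) if validate_key(k)]
        path = os.path.join(dest_dir, uid)
        # Always rewrite, even with zero keys: a key removed from LDAP must stop working.
        with open(path, "w") as f:
            f.write("".join(k + "\n" for k in good))
        os.chmod(path, 0o644)  # world-readable, writable only by the (root) owner
        installed[uid] = good
    return installed


def run_demo() -> dict[str, list[str]]:
    """Run the sync over the constructed export into a temporary directory."""
    return sync_keys(parse_ldif(SAMPLE_LDIF), tempfile.mkdtemp(prefix="lpk-"))


if __name__ == "__main__":
    for uid, keys in run_demo().items():
        print(f"{uid}: {len(keys)} key(s) installed")
```

On a real host the destination would be a root-owned directory referenced from `sshd_config` via `AuthorizedKeysFile`, and the cron job would pull the entries over LDAPS rather than from a file; both of those are deployment choices outside this snippet.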

~~~
traxtech
Classic use case: an org wants to facilitate and centralize user management on
owncloud + apache webdav + other oss apps on an external server (internet). I
have only seen AD used in intranets; if orgs would expose it on external
servers (with/without VPN), then I'd better find another idea.

~~~
SEJeff
Capitalism has a way of weeding out bad ideas. I say go for it and see if
there is interest.

FYI for that use case, most companies (mine included) use SAML
(http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language)

Specifically, we use SAML to have our internal AAA LDAP infrastructure validate
logins for a few cloud services such as workday and attask.

Might be worth looking at saas (saml as a service :D) as well.

Edit: This company does SSO with SAML 100% and they support pretty much all of
the big apps you'd expect. http://www.onelogin.com/partners/partner-up/

~~~
traxtech
I looked at SAML, it's a possible addition to the service. It may be touchy to
integrate (opensaml-java), but definitely doable.

------
SEJeff
HN won't let me respond to your last comment, but I think that's a reasonable
plan. Using LDAP directly over the internet in general sounds like a bit of a
risky proposition. Perhaps do both that and SAML, then you make everyone
happy. Again, good luck, I hope I was able to help you firm up your ideas.

~~~
traxtech
I dug through some docs; I think I'll do LDAP + web for user self-servicing +
SAML with Shibboleth + maybe OpenID. That will complicate the automated
customer setup, but it'll cover many use cases.

Thanks for the help!

