Ask HN: LDAP as a service

6 points by traxtech 11 years ago · 11 comments · 1 min read


Hi. I'm contemplating the idea of a SaaS business, an LDAP as a service: an LDAP server and a web interface for account admin and user self-service (password update/reset with 2FA, account editing, org chart viewing, directory index..)

The idea is to help medium-sized orgs centralize credentials for third-party solutions (like every OSS project with LDAP integration) and reap the benefits: better security, fewer admin tasks, etc. It won't be something like a captive portal or a complete SSO solution.

Each customer would get their own VPS instance with the solution deployed on it (LDAP server, web server..), for $149/m.

Suggestions?

SEJeff 11 years ago

Medium-sized orgs that want LDAP (and might not have the necessary Linux/Unix skills) just use Active Directory. Also, if you don't wrap it in Kerberos, it might be difficult to gain adoption. I say this as someone who considers themselves an LDAP SME, having set up multi-master OpenLDAP with 68 slaves globally using delta-syncrepl.

Good luck!

  • traxtechOP 11 years ago

    Do orgs really expose their Active Directory server on the internet to integrate with external servers?

    • SEJeff 11 years ago

      Not entirely sure what your question is. I'd think exposing your LDAP service to the open internet is asking for very, very bad things to happen.

      I'd expect a service like this would use Amazon VPC, a secure VPN to access it, or something like that. What kind of data do you envision being stored in this directory, user credentials, or other things?

      At $last_job, I was on a mission to put everything in LDAP. There is a custom OpenLDAP schema from the gnome.org sysadmin team (of which I am an alumni member) which allowed users to put in their ssh pub key via a web UI. Hosts then ran a cronjob every XX time period that put those ssh keys down (in a root-owned directory/file so users can't change them), and it was pretty slick. I also put DNS zone info and sudoers information into LDAP, as I already had a badass distributed datastore, LDAP :)

      That being said, can you come up with a real use case where your service makes sense? Active Directory is hard to compete against; it is super cheap and a pretty solid Kerberized LDAP for SMBs.
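The key-distribution pattern described in the comment above (users publish an ssh public key into the directory, hosts pull it down periodically into a root-owned location), as an added example that is not the gnome.org schema or the commenter's cronjob. Assumptions not taken from the thread: the attribute is named `sshPublicKey`, each person entry has exactly one `uid`, the job reads an LDIF export rather than binding to the directory, and the target directory is what sshd's `AuthorizedKeysFile` points at. The sample LDIF and key blobs are constructed and are not real keys; the point of the example is the validation step, since a user who can type anything into a self-service web UI can otherwise push `command=` or `from=` options straight into a root-installed authorized_keys file.

```python
#!/usr/bin/env python3
"""Pull SSH public keys published in LDAP into a root-owned authorized_keys tree.

Added example, not the gnome.org schema or the commenter's cronjob. Assumptions
(not from the thread): attribute sshPublicKey, one uid per entry, an LDIF export
as input, and sshd configured with AuthorizedKeysFile pointed at the target dir.
"""
import base64
import binascii
import os
import re
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Key types the host will install. Anything else, including authorized_keys
# option prefixes (command=, from=, ...) typed into the web UI, is refused.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
UID_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # no '/', '..' or metachars


def _fake_blob(key_type: str, payload: bytes) -> str:
    """SSH wire-format blob (uint32-length-prefixed fields), base64 encoded.
    Only used to construct the sample data below; these are not real keys."""
    raw = struct.pack(">I", len(key_type)) + key_type.encode()
    raw += struct.pack(">I", len(payload)) + payload
    return base64.b64encode(raw).decode()


_ALICE = _fake_blob("ssh-ed25519", bytes(range(32)))
_BOB_OPT = _fake_blob("ssh-ed25519", bytes(32))
_BOB_RSA = _fake_blob("ssh-rsa", bytes([1, 0, 1]) + bytes(64))
_CAROL = _fake_blob("ssh-rsa", bytes(32))  # blob type will not match the line

# Constructed LDIF export: a good (folded) key, a key smuggling an option
# prefix, a good second key for bob, and a key whose blob disagrees with its type.
SAMPLE_LDIF = f"""dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
sshPublicKey: ssh-ed25519 {_ALICE}
  alice@laptop

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
sshPublicKey: command="/bin/sh" ssh-ed25519 {_BOB_OPT} bob@evil
sshPublicKey: ssh-rsa {_BOB_RSA} bob@desk

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
sshPublicKey: ssh-ed25519 {_CAROL} carol@mismatch
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, keeps multi-valued attributes, splits entries on blank lines."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # RFC 2849 folding: drop one leading space
        else:
            unfolded.append(line)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(name.lower(), []).append(value.strip())
    return entries


def validate_key(line: str) -> Optional[str]:
    """Return a canonical 'type base64 [comment]' line, or None for anything
    that is not a bare public key: option prefixes, unknown types, bad base64,
    or a blob whose embedded type string disagrees with the declared type."""
    parts = line.split()
    if len(parts) not in (2, 3) or parts[0] not in ALLOWED_KEY_TYPES:
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    if len(raw) < 4:
        return None
    (type_len,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + type_len] != parts[0].encode():
        return None
    return " ".join(parts)


def collect_keys(entries) -> Tuple[Dict[str, List[str]], List[Tuple[str, str]]]:
    """Map uid -> accepted key lines; also return (uid, value) pairs that were
    refused so the job can log what it did not install."""
    accepted: Dict[str, List[str]] = {}
    rejected: List[Tuple[str, str]] = []
    for entry in entries:
        uids = entry.get("uid", [])
        if len(uids) != 1 or not UID_RE.fullmatch(uids[0]):
            continue  # refuse anything that could escape the key directory
        accepted[uids[0]] = []
        for value in entry.get("sshpublickey", []):
            key = validate_key(value)
            (accepted[uids[0]].append(key) if key else rejected.append((uids[0], value)))
    return accepted, rejected


def write_keys(accepted: Dict[str, List[str]], key_dir: Path) -> List[Path]:
    """One root-owned 0644 file per uid under key_dir (0755), replaced
    atomically; files for uids no longer in LDAP are removed so revocation
    propagates on the next run."""
    key_dir.mkdir(mode=0o755, parents=True, exist_ok=True)
    written: List[Path] = []
    for uid, keys in accepted.items():
        fd, tmp = tempfile.mkstemp(dir=key_dir, prefix=f".{uid}.")
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(k + "\n" for k in keys))
        os.chmod(tmp, 0o644)
        os.replace(tmp, key_dir / uid)
        written.append(key_dir / uid)
    for stale in key_dir.iterdir():
        if not stale.name.startswith(".") and stale.name not in accepted:
            stale.unlink()
    return written


if __name__ == "__main__":
    # Stand-in for /etc/ssh/authorized_keys.d so the example runs unprivileged.
    target = Path(tempfile.mkdtemp()) / "authorized_keys.d"
    acc, rej = collect_keys(parse_ldif(SAMPLE_LDIF))
    for path in write_keys(acc, target):
        print(f"{path.name}: {len(acc[path.name])} key(s) installed")
    for uid, value in rej:
        print(f"rejected for {uid}: {value[:48]}...")
```

On the host side the matching sshd setting is `AuthorizedKeysFile /etc/ssh/authorized_keys.d/%u`, so the user's own `~/.ssh/authorized_keys` is no longer consulted and only what the directory says is installed. The stale-file sweep is what makes this a revocation channel as well as a provisioning one; without it, a key deleted from LDAP keeps working on every host until someone cleans up by hand.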

      • traxtechOP 11 years ago

        Classic use case: an org wants to facilitate and centralize user management on ownCloud + Apache WebDAV + other OSS apps on an external server (internet). I've only seen AD used on intranets; if orgs would expose it to external servers (with/without VPN), then I'd better find another idea.

        • SEJeff 11 years ago

          Capitalism has a way of weeding out bad ideas. I say go for it and see if there is interest.

          FYI for that use case, most companies (mine included) use SAML (http://en.wikipedia.org/wiki/Security_Assertion_Markup_Langu...)

          Specifically, we use SAML to have our internal AAA LDAP infrastructure validate logins for a few cloud services such as Workday and AtTask.

          Might be worth looking at saas (saml as a service :D) as well.

          Edit: This company does SSO with SAML 100% and they support pretty much all of the big apps you'd expect. http://www.onelogin.com/partners/partner-up/

          • traxtechOP 11 years ago

            I looked at SAML; it's a possible addition to the service. It may be touchy to integrate (opensaml-java), but it's definitely doable.

    • hyc_symas 11 years ago

      Most orgs put an OpenLDAP proxy in front of their AD server. AD has multiple known crash vulnerabilities in its protocol parser (fuzzing attacks can easily break it) and is too slow to handle the load generated from open internet access.

      • SEJeff 11 years ago

        Howard, obviously no one is more of an OpenLDAP expert than you... You have users who expose OpenLDAP to the internet directly? I've got no qualms against OpenLDAP, it is amazing software, but that still seems insane.

SEJeff 11 years ago

HN won't let me respond to your last comment, but I think that's a reasonable plan. Using LDAP directly over the internet in general sounds like a bit of a risky proposition. Perhaps do both that and SAML, then you make everyone happy. Again, good luck, I hope I was able to help you firm up your ideas.

  • traxtechOP 11 years ago

    I dug through some docs; I think I'll do LDAP + web for user self-service + SAML with Shibboleth + maybe OpenID. That will complicate the automated customer setup, but it'll cover many use cases.

    Thanks for the help!
