-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
On Wed, 2023-02-22 at 11:08 +0000, Marc wrote:
I don't even get what the advatages are of doing this with sql. If you use local replicated ldap and use local credential caching then your master ldap can go down without issues, even the local caching handle some local slapd issues.
Going to have to +1 this. LDAP also does multi-master replication, which can make failover easier via DNS (like with a round robin for ldap.mydomain), or multiple LDAP dictionaries for dovecot. The [big] problem with OSS Postgres is that it only does master/slave replication, with no plans to add multi-master replication to the code base (there is Percona and 2ndQuadrant, but for small outfits, and individual there is a price barrier there). Personally I love PGSQL as a DB, but for SSO I use LDAP - because that's what it's designed for (i.e. read more than written).
I guess the local caching is also faster. Afaik were databases not designed for this purpose and a better fit is ldap.
This is totally true. RDBMS were not designed with this kind of use in mind, LDAP was - it is, after all, a directory service. So unless your auth stuff is part of some larger DB "thing" the directory type solutions are not suitable for (how many table joins, or other extensive SQL actions are taking place on that DB) then LDAP is the better way to go, and extending LDAP with custom schemas is simple - just grab an IANA number for you, or your organisation, so that you don't trample on any other schema out there. I have a custom schema that I use for postfix/dovecot - it's simple, quick, and efficient without the DB overhead ... and I get the multi-master replication in OpenLDAP.
Nikolai Lusan Email: nikolai@lusan.id.au -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEVfd4GW6z4nsBxdLo4ZaDRV2VL6QFAmP2/+4ACgkQ4ZaDRV2V L6RRHxAAnSpKmYdg2+51CuSgxdQ8fHY65CRwflqQQzIEGIpApmgzh4fl5YkB8+qw utLe5ao6Qd8dIbWmENsLVEZIHeHr9fsmENXXhgF1DIcHwSH12rZHC5pt0zjKWh3j +dmmQ8/tlg/A3HbeEpMuFiVX02Zk3pddMW3D/ja7aAWXjecNmDHqxbghdhJrEzNy 3LiZQsGLQ0RvPiqULtk4ObSmjvuqZ9yJmnmV0IZTY1nRqJ74rHghwQOVK9HTTiMG MizBLqCzbA3suV+TyYxEGE02EtTOGAcWyTcJWY5EGDs1K9GHNML6ZhimZepMmBxL Bb4wr3rohNchdBiXyrACF0eNPJKMdMMWGAzySbWYiiXLRyyyM+KWjzvz6HDLmpXK gCAwY4l8oPRf7Uw3XD1yVyZY6yPrkWV3AZoLL+UYc9N48sApQMG1xh1PcgsfU3+0 Y3FkFy8iltxENh2diLZo5ikfVmQ+YxAZEr5Epl/xmuj30u8tHqpbANKEcvJkhXNG 4bUZ2d+6zxj25vEQq+RkVVRnsfyXNlCaD+E8yyegqRNFnTJAlUlcFWCQ60TcnWqX JKDDOTQj3rbfDZQMeTjbGfW5Fa8PJg5uRbnulXrK7RCizInoDIF8OpmXW4Hg4Ob9 1DiOJeQoefxIIkqs8Mlfj8t4mNy1/iZqs52DcTXRQVqogDesBWw= =ZyC3 -----END PGP SIGNATURE-----