We've been playing with LDAP authentication and making the RADIUS server work with it. Skylar has led the way in optimizing OpenLDAP performance. FreeRADIUS has a number of authentication modules, among them a working LDAP one. A request from upstairs has prompted a look at the latest version of EZproxy, the software that controls access to the library's online journal and database subscriptions.
This diagram shows how the future authentication system will work. The primary question at this point is whether we will use OpenLDAP or Sun ONE (iPlanet) for the directory server. So far, performance of OpenLDAP looks good, although it degrades noticeably on substring searches of the kind the Mozilla LDAP address book issues. Skylar found that indexing the LDBM database makes a huge difference in search times (not surprisingly). It also appears that the cache sizes may play a significant role. Currently, a test instance of the LDAP server on SHANTI has the following specified in slapd.conf:

cachesize 8192
dbcachesize 20971520
index objectClass eq
index uid pres,eq,sub
index uidNumber eq
index gidNumber eq
index rid eq
index memberUid eq
index cn pres,eq,sub
index mail,displayName,givenName,gecos,sn eq,sub

In general authentication and authorization, the most common lookups will be uid, uidNumber, gidNumber, and rid (the Samba RID). Indeed, turning on these equality indices greatly speeds things up. The last index line adds substring (sub) indices for the attributes the address book searches, which makes Mozilla address book searches much faster, although it doesn't solve the problem completely. Each index costs disk space and write time, so only attributes that are actually searched should be indexed. The cachesize entry is the number of directory entries the LDBM backend keeps in its in-memory entry cache, while dbcachesize is the amount of memory (in bytes) allocated to the cache of each open index file. It's possible that both of these could be significantly increased; there's still at least 300 MB of free memory on SHANTI with the current settings, and RAM is easy to get.
The next step is to obtain a copy of the Sun ONE directory server and test its performance on one of our Solaris machines.
The authentication diagram shows that RADIUS will still be used for a number of authenticated services. I have built a FreeBSD package of FreeRADIUS 0.7 that includes LDAP authentication. This will replace the current hand-installed FreeRADIUS installation on SHANTI. The salient parts of the radiusd.conf file are within the modules section:
ldap {
        server = "ldap.earlham.edu"
        basedn = "dc=earlham,dc=edu"
        # %u is the User-Name from the request
        filter = "(uid=%u)"
        # no identity/password set, so the search for the user's entry is an anonymous bind
        start_tls = yes
        ldap_cache_timeout = 120
        ldap_cache_size = 64
        ldap_connections_number = 10
        # attribute rlm_ldap tries to read so that other modules can check the password
        password_attribute = userPassword
        timeout = 10
        timelimit = 10
        net_timeout = 5
}
Of course, ldap must also be listed in the authorize and authenticate sections: in authorize so the module looks up the user's entry and check items, and under the LDAP auth type in authenticate so that the module can authenticate by binding to the directory as the user. Since no identity/password is configured above, the lookup itself runs as an anonymous bind, and userPassword will only be readable if the directory's ACLs expose it to anonymous (which they should not); otherwise authentication is by the user bind. This all works quite well.
EZproxy ties into this as well. Some of our subscriptions will require a finer grain of access control than we currently have with the proxy software (version 1.4g). Apparently, the current version (2.0i) adds a bevy of authentication systems and the ability to use group authorizations. Within the ezproxy.usr configuration file, it will be possible to specify something like:
::group=Default+Restricted
::acctype=student,ldap=ldap.earlham.edu,uid=$U,ou=Students,dc=earlham,dc=edu
::acctype=employee,ldap=ldap.earlham.edu,uid=$U,ou=Employees,dc=earlham,dc=edu
::group=Default
::acctype=others,ldap=ldap.earlham.edu,uid=$U,ou=Others,dc=earlham,dc=edu
This will allow users who authenticate against the Students or Employees organizational units of LDAP to reach the databases marked as Default and Restricted, while those in the Others ou only get the Default databases (a ::group= line applies to the ::acctype= lines that follow it, and $U is replaced by the login name). The acctype value is a CGI variable passed by the login form, although I find that it's probably not necessary. Because the form, and hence the user, supplies acctype, it is not what enforces the distinction; the bind as uid=$U under the ou named on the matching line is, so the ou an entry lives in is the real authorization decision. This will require us to be a little more diligent in defining groups and organizational units (such as students, employees, alumni, prospectives, seminary affiliates, etc.).
The corresponding part of the ezproxy.cfg file that marks the databases is
Group Restricted
T Restricted database
U http://www.example.com/privatedb
D www.example.com
Group Default
T FirstSearch
U http://newfirstsearch.oclc.org
D newfirstsearch.oclc.org

Posted by Rowan Littell at March 14, 2003 09:04 AM
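To make the interplay of the ezproxy.usr rules and the ezproxy.cfg groups concrete, here is an added Python model. It is not EZproxy's code and not part of the original post: it parses copies of the two fragments above, substitutes the login name into uid=$U with RFC 4514 escaping, and stands in for the LDAP simple bind with a constructed dictionary of DNs and passwords. The directory contents (bob, carol, alice), and the rule that the ::acctype= lines are tried in file order when the form sends no acctype, are assumptions of the model rather than documented EZproxy behaviour.

```python
"""Model of how the ezproxy.usr rules and ezproxy.cfg groups decide what a
user may reach.  Added illustration, not EZproxy's own code: the directory
is a constructed dict of DN -> password standing in for an LDAP simple bind,
and trying the rules in file order when no acctype is given is an assumption."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed copies of the two fragments in the post.
EZPROXY_USR = """\
::group=Default+Restricted
::acctype=student,ldap=ldap.earlham.edu,uid=$U,ou=Students,dc=earlham,dc=edu
::acctype=employee,ldap=ldap.earlham.edu,uid=$U,ou=Employees,dc=earlham,dc=edu
::group=Default
::acctype=others,ldap=ldap.earlham.edu,uid=$U,ou=Others,dc=earlham,dc=edu
"""
EZPROXY_CFG = """\
Group Restricted
T Restricted database
U http://www.example.com/privatedb
D www.example.com
Group Default
T FirstSearch
U http://newfirstsearch.oclc.org
D newfirstsearch.oclc.org
"""
# Constructed stand-in for the directory (bind DN -> password); not real accounts.
DIRECTORY = {"uid=bob,ou=Students,dc=earlham,dc=edu": "bobpw",
             "uid=carol,ou=Employees,dc=earlham,dc=edu": "carolpw",
             "uid=alice,ou=Others,dc=earlham,dc=edu": "alicepw"}


@dataclass(frozen=True)
class Rule:
    acctype: str
    server: str
    dn_template: str        # contains $U, replaced by the login name
    groups: FrozenSet[str]  # groups in force when this line was read


def parse_usr(text: str) -> List[Rule]:
    """A ::group= line sets the groups granted by the ::acctype= lines after it."""
    rules, groups = [], frozenset()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("::"):
            continue
        body = line[2:]
        if body.startswith("group="):
            groups = frozenset(body[len("group="):].split("+"))
            continue
        acct, server, dn = body.split(",", 2)  # the DN itself contains commas
        rules.append(Rule(acct.split("=", 1)[1], server.split("=", 1)[1], dn, groups))
    return rules


def parse_cfg(text: str) -> List[dict]:
    """A Group line tags every T/U/D database stanza that follows it."""
    dbs, group, cur = [], None, None
    for line in text.splitlines():
        key, _, val = line.partition(" ")
        if key == "Group":
            group = val
        elif key == "T":
            cur = {"group": group, "title": val}
            dbs.append(cur)
        elif key in ("U", "D") and cur is not None:
            cur[key] = val
    return dbs


def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping, so a login name cannot add RDNs to the bind DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)  # leading '#'/space and trailing space
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(rule: Rule, username: str) -> str:
    return rule.dn_template.replace("$U", escape_rdn_value(username))


def ldap_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind: succeeds only if the DN exists with that password."""
    return DIRECTORY.get(dn) == password


def login(rules: List[Rule], username: str, password: str,
          acctype: Optional[str] = None) -> Optional[FrozenSet[str]]:
    """Groups granted, or None.  acctype is chosen by the user on the login form;
    the bind against that line's ou is what actually decides."""
    for rule in rules:
        if acctype is None or rule.acctype == acctype:
            if ldap_bind(bind_dn(rule, username), password):
                return rule.groups
    return None


def databases_for(groups: FrozenSet[str], dbs: List[dict]) -> List[str]:
    return [d["title"] for d in dbs if d["group"] in groups]
```

Two things the model makes visible. First, a user whose entry is under ou=Others gains nothing by submitting acctype=student from the form: the bind as uid=alice,ou=Students,... fails, and only the others line, with its Default-only group, succeeds. Second, with the login name escaped, a value such as x,ou=Students stays inside the uid RDN instead of becoming extra DN components, which matters wherever $U is substituted into a DN or filter rather than passed as a bind credential.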