Cluenet – infrastructure

This is still a draft; it might even get discarded when restoring the wiki.

User accounts

All user accounts are kept in an LDAP directory, which allows them to be shared across all servers. The directory is currently hosted on OpenLDAP and mirrored across three servers using syncrepl; writes to any peer are instantly propagated to all others. Kerberos is used for authentication: unlike a plain LDAP password bind, it does not require every server to be trusted with your password. (The LDAP directory also stores the Kerberos realm data, which makes kprop unnecessary.)

Most information in the LDAP directory is accessible either anonymously or to all logged-in users, so you can browse it using ldapsearch, Apache Directory Studio, and various other tools.

For users, Kerberos (that is, the SASL GSSAPI or GS2-KRB5 mechanisms) is the preferred authentication method when accessing the directory manually, but TLS client certificates (SASL EXTERNAL) and plain-text passwords (SASL PLAIN) are also available. To use EXTERNAL, you'll need to obtain a certificate with subject CN=You,OU=People,O=Cluenet from Cluenet's CA. To use PLAIN, specify your Kerberos principal as the SASL authentication ID; e.g. ldapwhoami -U You@CLUENET.ORG.

To summarize:

Kerberos realm: CLUENET.ORG
Kerberos KDC servers: use SRV records, or kerberos.cluenet.org if that is not possible
LDAP base DN: dc=cluenet,dc=org
LDAP servers: use SRV records, or ldap.cluenet.org if that is not possible
LDAP authentication: SASL GSSAPI, GS2-KRB5, EXTERNAL, PLAIN, or simple bind
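The "use SRV records, or a fixed hostname if not possible" rule above is easy to get subtly wrong: SRV answers carry priorities and weights, and clients are expected to try lower priorities first and spread load within a priority in proportion to weight (RFC 2782). The following is an added example, not code from the Cluenet wiki or from any Cluenet tooling; it implements that ordering over a constructed set of SRV records and returns the static fallback host only when no records are available. The hostnames in the sample records are made up.

```python
"""Pick LDAP/Kerberos servers from SRV records, falling back to a fixed host.

Added example (not part of the Cluenet wiki). Orders SRV answers the way
RFC 2782 prescribes (ascending priority, weighted random choice within a
priority) and returns the static fallback host when no SRV records could
be obtained. The record values below are constructed; no DNS lookup is made.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # fully-qualified name, may carry a trailing dot


# Constructed sample answer, as if for _ldap._tcp.cluenet.org (hostnames are made up).
SAMPLE_LDAP_SRV = [
    SrvRecord(priority=10, weight=60, port=389, target="ldap-a.example.invalid."),
    SrvRecord(priority=10, weight=40, port=389, target="ldap-b.example.invalid."),
    SrvRecord(priority=20, weight=0, port=389, target="ldap-c.example.invalid."),
]


def order_srv(records, rng=None):
    """Return the records in RFC 2782 selection order.

    Lower priority values come first. Within one priority each record is
    drawn with probability proportional to its weight; zero-weight records
    are still drawn eventually, just rarely first.
    """
    rng = rng if rng is not None else random.Random()
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)

    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # 0..total inclusive, per the RFC
            running = 0
            chosen = pool[-1]  # guard; the loop below always breaks
            for r in pool:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def server_uris(records, scheme, fallback_host, fallback_port, rng=None):
    """Build connection URIs: SRV order if records exist, else the fallback.

    This is the wiki's rule: prefer SRV records, and only fall back to
    ldap.cluenet.org / kerberos.cluenet.org when SRV lookup is not possible.
    """
    if not records:
        return [f"{scheme}://{fallback_host}:{fallback_port}"]
    return [f"{scheme}://{r.target.rstrip('.')}:{r.port}"
            for r in order_srv(records, rng)]


if __name__ == "__main__":
    for uri in server_uris(SAMPLE_LDAP_SRV, "ldap", "ldap.cluenet.org", 389):
        print(uri)
    print(server_uris([], "ldap", "ldap.cluenet.org", 389))
```

The resulting list can be joined with spaces and handed to the OpenLDAP tools via -H, which accept a whitespace-separated list of URIs and try them in order. Note that the fallback is only taken when the SRV lookup yields nothing at all; a lookup that returns records pointing at unreachable hosts should surface as a connection error, not silently divert to the fixed name.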