Hi
Sorry for the long post and maybe my poor English.
I’m writing a proposal where school staff and students from about 10-15
municipalities should be able to log in to a Rails site, around 50k
users, that is.
Most of the users will only log in about 5-10 times a year so the load
on the server won’t be too high.
The roles a person can have are staff or student, and this should
automatically be set from the directory. I don’t know exactly how, though.
The municipalities are using both AD and Novell and a mix of different
mail systems. Every user has both a directory account and a
mail account, so which of these directories will be used is not
decided yet, maybe a mix dependent on which directory holds the best
“role information” in every municipality.
The user should be able to log in to the site with his/her email address
and preferably with the existing password in the original directory (this
may be a problem depending on which solution we choose).
The information we need from the logged-in user is (assuming that the
directories have that information):
- Is it a student or staff?
- E-mail address
- School-id
- Class (if it’s a student that is)
- First and last name
Before the user logs in, we will ask for the municipality and if
he/she is a student or staff.
Possible solution 1
Let Rails do an LDAP connection (SSL) on every logon attempt.
Thoughts:
Do we have to connect to the LDAP-directory on every page-load (action)
or only when the user logs in? Can we cache the lookup so when the
connection is broken the cached lookup is used instead?
Some municipalities have to let our server communicate with servers on
their internal networks, or they have to set up an LDAP directory in their
DMZ.
Possible solution 2
Build a master LDAP-server that every municipality fills with info from
their own directory, for example uploads an LDIF-file through FTP (SSL).
That file is then imported.
Thoughts:
Some directories (AD for example) won’t export the password, so every
user has to enter their email address and a “new” password, followed by
a mail to the user for email confirmation.
Possible solution 3
As solution 2, but store the accounts in a user table in the database.
Thoughts:
I believe that in maybe 5 years all these municipalities will have a shared
metadirectory, which means that solution 2 is easier to change to use an
LDAP directory based on the metadirectory instead.
Possible solution 4
???
I really would appreciate some thoughts on this…
P.S. I have ordered “Enterprise Integration with Ruby”; I will read the part
“LDAP: Harness the power of directory services”.
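The login flow of solution 1 (and the caching question under it), as an added example that is not part of the original post: the Rails side searches the directory for the e-mail address with a service account, binds as the found entry with the user's own password, and caches only the profile attributes for later page loads. The `DirectoryLogin` class, the `FakeDirectory` stand-in with its sample data, the `schoolId`/`class` attribute names and the "Staff" group used for the role are all assumptions; in production the directory object would wrap an LDAP client talking LDAPS.

```ruby
# Escape a value for use inside an LDAP search filter (RFC 4515) so a typed
# e-mail address cannot change the meaning of the query.
def ldap_filter_escape(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end
# Assumption: staff are members of a group named "Staff"; anyone else found
# in the directory is a student.
def role_from_entry(entry)
  Array(entry[:memberOf]).any? { |g| g =~ /\ACN=Staff,/i } ? :staff : :student
end

class DirectoryLogin
  TTL = 3600 # cache profile attributes (never the password) for an hour
  def initialize(directory, base_dn)
    @dir, @base, @cache = directory, base_dn, {}
  end
  # Login: search for the e-mail with the service account, bind as the found
  # DN with the user's own password, then cache the attributes the site needs.
  def login(email, password)
    return nil if password.to_s.empty? # empty password = anonymous bind, not a login
    entry = @dir.search(@base, "(mail=#{ldap_filter_escape(email)})").first
    return nil unless entry && @dir.bind(entry[:dn], password)
    profile = { email: entry[:mail], first_name: entry[:givenName], last_name: entry[:sn],
                school_id: entry[:schoolId], klass: entry[:class], role: role_from_entry(entry) }
    @cache[email] = [Time.now + TTL, profile]
    profile
  end
  # Later page loads read the cache; nothing here talks to the directory.
  def profile(email)
    expires, prof = @cache[email]
    expires && Time.now < expires ? prof : nil
  end
end

# Constructed in-memory stand-in for a municipality directory (sample data only).
class FakeDirectory
  ENTRIES = [
    { dn: 'uid=anna,ou=people,dc=example,dc=org', mail: 'anna@example.org', givenName: 'Anna',
      sn: 'Berg', schoolId: 'S1', class: '7A', memberOf: [], password: 'pw1' },
    { dn: 'uid=erik,ou=people,dc=example,dc=org', mail: 'erik@example.org', givenName: 'Erik',
      sn: 'Sund', schoolId: 'S1', class: nil, memberOf: ['CN=Staff,OU=Groups,DC=example,DC=org'], password: 'pw2' }
  ].freeze
  def search(_base, filter) # only exact "(mail=...)" filters, as login builds them
    m = filter.match(/\A\(mail=(.*)\)\z/) or return []
    ENTRIES.select { |e| e[:mail] == m[1] }
  end
  def bind(dn, password)
    ENTRIES.any? { |e| e[:dn] == dn && e[:password] == password }
  end
end
```

If the directory is unreachable at login time, `login` simply fails; the cache only covers the per-page lookups after a successful bind, since the password itself is never stored.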