Jay Austad wrote, On 11/03/09 10:34:
> Looking for a good full featured LDAP server. This is for home/
> personal use, so it doesn't have to service a billion queries per
> second.
>
> I'm looking for the following features:
> - Kerberos
> - Easy integration with RADIUS or built in radius
> - Easy integration with two-factor auth (like WikiD or TripleSec)
>
> I'm looking at OpenLDAP, OpenDS, and ApacheDS. ApacheDS seems to do
> everything I want, but the documentation for it is horrid.
>
> Are there any good resources for setting up an LDAP schema?
> --

I've been using OpenLDAP for a while and it's worked very well here. Unfortunately most of the guides I used to set everything up died in the Gentoo Wiki backups, but a few are still around.

http://www.gentoo.org/doc/en/ldap-howto.xml

As far as schema editing, I used google for most of it, but I've found the guides on zytrax to be very helpful.

LDAP for Rocket Scientists - http://www.zytrax.com/books/ldap/

Most of my ldap work is done in phpldapadmin. It's simple and has some nice options for displaying/editing entries. I use it a lot for maintaining records and doing minor changes. For major changes, I just use the built-in ldapsearch and ldapmodify commands. If I add a new field to the schema and need to default it for a few hundred records, I find it easier to run ldapsearch to grab the records I need and dump them to a file. Open it in vim, and a few regular expression replaces later I can pull the file back in with all the changes done in a few minutes.

I haven't found a good schema editing tool yet. I keep my schema file in a cvs repo so I can track all the changes, and make sure I run slapd -tT before restarting the ldap server. I've found out the hard way that pam/nss don't like their user/group database disappearing.

On that note, if you plan on doing any ssl/tls for the ldap connection, I would recommend having a mirrored server with different certs that expire on different days (or preferably years).

Since you're doing this for home/personal use, you can just make your own CA rather than paying for one.

Hope all that helps.

Chris
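The ldapsearch-to-file-to-ldapmodify round trip described above, as an added example that is not part of the original message: an awk-based shell function that turns a search dump into modify records adding a default value only to entries that lack the attribute, run here on a constructed sample (the base DN, users and `loginShell` default are made up).

```shell
# Constructed sample of what "ldapsearch -LLL ... loginShell" could return:
# one entry per paragraph; bob's value is base64-encoded, as LDIF allows.
sample_ldif() {
  cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
loginShell:: L2Jpbi96c2g=

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
loginShell: /bin/sh

EOF
}

# Read an LDIF search dump on stdin; emit "changetype: modify" records that add
# attribute $1 with default value $2 to each entry that does not already have it.
# Paragraphs without a dn line (ldapsearch comments) are ignored.
ldif_add_default() {
  awk -v attr="$1" -v value="$2" '
    BEGIN { RS = ""; FS = "\n" }            # one LDIF entry per awk record
    {
      n = 0
      for (i = 1; i <= NF; i++) {           # unfold lines wrapped with a leading space
        if ($i ~ /^ / && n > 0) line[n] = line[n] substr($i, 2)
        else line[++n] = $i
      }
      dn = ""; has = 0; skip = 0
      for (i = 1; i <= n; i++) {
        l = line[i]
        if (l ~ /^dn: /) dn = substr(l, 5)
        else if (l ~ /^dn:: /) skip = 1    # base64 DN: leave it for manual handling
        else if (tolower(substr(l, 1, length(attr) + 1)) == tolower(attr) ":") has = 1
      }                                     # names are case-insensitive; "attr:" also covers "attr::"
      if (skip) print "skipped entry with base64 dn" > "/dev/stderr"
      else if (dn != "" && !has)
        printf "dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n-\n\n", dn, attr, attr, value
    }'
}

# Against a live server (ldif-wrap=no is assumed to be available, OpenLDAP 2.4+):
#   ldapsearch -LLL -o ldif-wrap=no -b ou=People,dc=example,dc=com loginShell \
#     | ldif_add_default loginShell /bin/bash > add-shell.ldif
#   ldapmodify -f add-shell.ldif
sample_ldif | ldif_add_default loginShell /bin/bash
```

Review the generated .ldif before feeding it to ldapmodify; only alice gets a record here, since bob and carol already carry the attribute.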