How to Build a Scalable OpenLDAP‑Based Unified Identity System for Enterprise Operations

Background

When a company grows beyond 50 servers, password management becomes chaotic: forgotten passwords, frequent changes, and mixed root accounts cause operational headaches, prompting the need for a unified identity authentication system.

Initial Requirements

Key demands emerged from real incidents: a single account should access all servers, password changes must propagate instantly, and sudo privileges need fine‑grained control.

Scenario A

New employee receives a uniquely named account with an initial password.

Scenario B

Employee can change the password without exposing it to administrators.

Scenario C‑F

Various permission models ranging from read‑only to full root access are required for different environments.

Implementation Overview

The chosen solution uses OpenLDAP as the core directory, supplemented by PAM for authentication and sudo for privilege escalation.

OpenLDAP Functions

Account information management (user ID, username, password, OU groups, etc.).

Authentication via LDAP client.

PAM Integration

Extends authentication to query the LDAP source in addition to local passwd and shadow files.

Sudo Integration

Privilege escalation via sudo.

Default permissions defined in LDAP; temporary permissions also supported.

Role Classification

Roles are grouped as:

Administrator (root – SA role).

Business (oracle – DBA, service – OPS).

Observer (read_only – R&D).

Personal (LDAP personal accounts).

LDAP objects include users (people), groups (OU), and sudoers groups, linked via gidNumber and cn attributes.

Distributed Management

OpenLDAP supports a master‑slave architecture for multi‑IDC deployments. The master handles password change requests and log replication; slaves serve authentication queries locally. Secure inter‑IDC communication is achieved with IPsec VPN tunnels.

Security Enhancements

TLS encryption is enabled via OpenSSL on both server and client sides. Password‑brute‑force protection is added through the pam_tally.so module, locking accounts after five failed attempts for ten minutes.

auth required pam_tally.so onerr=fail deny=5 unlock_time=600

Decoupling and Performance Optimizations

High‑frequency services can bypass LDAP for privileged accounts by configuring nss_initgroups_ignoreusers, reducing LDAP query load and restoring performance.

Host‑Based Access Restrictions

OpenLDAP can enforce host restrictions by adding a host attribute to user entries and enabling pam_check_host_attr on clients, ensuring users can only log in from authorized machines.

/etc/ldap/schema/ldapns.schema

host:HostName

pam_check_host_attr

pam_filter

nss_base_<map>

Final Module Breakdown

Account Management

Centralized user and password storage.

Role‑based sudo permissions.

Architecture

Authentication delegated to LDAP servers.

Master‑slave synchronization for multi‑IDC.

Service decoupling to reduce LDAP load.

Security

TLS‑encrypted communication.

Login host restrictions.

Brute‑force protection.

Privilege escalation via sudo only after LDAP login.