Difference between revisions of "LDAP Ramblings"
| Line 1: | Line 1: | ||
==Intro== | ==Intro== | ||
| − | On the IAC's user accessable Linux servers (Brems, web, Inca) there is a need for centralized user authentication. With the addition of email | + | On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy. |
==Clients== | ==Clients== | ||
| Line 15: | Line 15: | ||
==LDAP Schema== | ==LDAP Schema== | ||
| − | + | basedn = "cn=Auth,dc=iac,dc=isu,dc=edu" | |
==Replication== | ==Replication== | ||
| Line 28: | Line 28: | ||
====Websites==== | ====Websites==== | ||
*[http://www.openldap.org/ OpenLDAP] | *[http://www.openldap.org/ OpenLDAP] | ||
| − | *[http://www.linuxjournal.com/article/5505 LinuxJournal | + | *[http://www.faqs.org/docs/Linux-HOWTO/LDAP-HOWTO.html Linux LDAP Howto] |
| + | *[http://www.linuxjournal.com/article/5505 LinuxJournal - Highly Available LDAP] | ||
| + | *[http://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.3/suselinux-adminguide_en/cha.ldap.html SUSE LDAP docs] | ||
Revision as of 07:43, 8 January 2008
Intro
On the IAC's user accessable Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.
Clients
Linux Clients
Administrative users will retain entries in the local /etc/passwd and /etc/shadow files for troubleshooting access. All other users will exist in LDAP and will have individual server permissions.
Email Clients
Ideally email users can be accommodated without having local accounts. If this is not possible, the local shell can be set to disallow logins for security purposes.
Windows Clients
Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data aquisition etc.) would retain generic iacuser access.
LDAP Schema
basedn = "cn=Auth,dc=iac,dc=isu,dc=edu"
Replication
- Requires ntp time syncronization between replication servers.