Difference between revisions of "LDAP Ramblings"

From New IAC Wiki
Revision as of 19:36, 9 January 2008

Intro

On the IAC's user-accessible Linux servers (Brems, web, Inca, backup) there is a need for centralized user authentication. With the addition of email users this need becomes critical. The proposed solution is to use OpenLDAP replicated across the mail servers for redundancy.

Clients

Linux Clients

Administrative users will retain entries in the local /etc/passwd and /etc/shadow files for troubleshooting access. All other users will exist in LDAP and will have individual server permissions.

Email Clients

Ideally email users can be accommodated without having local accounts. If this is not possible, the local shell can be set to disallow logins for security purposes.

Windows Clients

Currently not planned, but possible once the setup has been proven. This would allow users to log into any machine using their username and login. Only a select few machines (data acquisition etc.) would retain generic iacuser access.

LDAP Schema

Debian LDAP VM

  • Distinguished name of the search base:"dc=iac,dc=isu,dc=edu"
  • LDAP version 3
  • Privileged account for libpam/libnss ldap: "cn=admin,dc=iac,dc=isu,dc=edu"
    • Need to modify /etc/nsswitch.conf to use the "ldap" datasource. Example file /usr/share/doc/libnss-ldap/examples/nsswitch.ldap
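As an added example (not from this wiki), the libnss-ldap/libpam-ldap client configuration implied by the Debian VM bullets above, with the nsswitch ordering that keeps the local administrative accounts from the Clients section resolvable even when the LDAP server is unreachable. File paths follow the Debian packages; the server hostname is a placeholder.

```ini
# /etc/ldap.conf (read by libnss-ldap and libpam-ldap on Debian)
# Placeholder: replace with the real OpenLDAP server name
host ldap.example.invalid
# Search base and protocol version from the Debian LDAP VM notes
base dc=iac,dc=isu,dc=edu
ldap_version 3
# Privileged bind DN used by root for shadow lookups; its password is read
# from /etc/ldap.secret, which must be owned by root with mode 0600 so the
# admin credential is never exposed to ordinary users of the client
rootbinddn cn=admin,dc=iac,dc=isu,dc=edu
# Unprivileged lookups (getent, login) do not need a bind DN at all

# /etc/nsswitch.conf (based on /usr/share/doc/libnss-ldap/examples/nsswitch.ldap)
# "files" first so the admin entries kept in /etc/passwd and /etc/shadow are
# found locally; "ldap" second for everyone else
passwd: files ldap
group:  files ldap
shadow: files ldap
```

After editing, `getent passwd <ldap-user>` from the client confirms the ldap source is consulted, and `getent passwd root` should still come from the local file.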


SUSE Test

  • Base DN: dc=iac, dc=isu, dc=edu
  • Root DN: cn=Administrator, Append Base DN=true
  • Default Policy Object DN: cn=Default Password Policy, Append Base DN=true

The rest of the schema was set up by the SUSE tools

Replication

  • Requires NTP time synchronization between replication servers.


Resources

Books

Websites