| 1 |
heya, |
| 2 |
|
| 3 |
On Wednesday 15 June 2005 19:16, Kenny Mann wrote: |
| 4 |
> I'm planning on implementing LDAP (just to play -- I've done the same in |
| 5 |
> MySQL already) |
| 6 |
> I'd like to do virtual hosting, which would involve Apache and Postfix. |
| 7 |
> For now, I'm researching the Postfix stuff. |
| 8 |
> I have 'Deploying OpenLDAP by Tom Jackiewicz' and an O'Reilly one as well, |
| 9 |
> but they don't explain it in enough detai lthat I understand it. |
| 10 |
> I'm thinking I need to make the top container an organization and add |
| 11 |
> domains below that, but not 100% certain of how. |
| 12 |
> The question I have is can someone point me a direction as to where I can |
| 13 |
> learn the structure and meanings of the dc, ou, etc so I can figure out the |
| 14 |
> layout of the DIT? |
| 15 |
|
| 16 |
I currently have the following setup: |
| 17 |
postfix - uses ldap for authentication with smtp-auth and mail routing. |
| 18 |
cyrus - postfix backends into it, uses ldap for authentication |
| 19 |
apache - uses ldap for authentication |
| 20 |
pam - uses ldap for authentication |
| 21 |
and so on, basically every single service in my network uses ldap for |
| 22 |
authentication. As you rightly point out structuring the DIT is the key. |
| 23 |
Unfortunately in my experience there arn't too many books that are actually |
| 24 |
useful for designing the DIT itself, although they are very handy for |
| 25 |
actually understanding how LDAP works. My suggestion is to hang in #ldap on |
| 26 |
freenode and ask people there but fwiw here is how I do it. |
| 27 |
|
| 28 |
Basically I see two main ways of implementing DITs, either you have lots of |
| 29 |
"groups" that you make people members of and then you filter based on group |
| 30 |
membership OR you have users that have lots of different attributes and you |
| 31 |
filter on attributes. Personally I prefer the group based setup as it means |
| 32 |
that to find who can access something I can just check a group (less onerous |
| 33 |
on the LDAP server as I don't have to traverse the entire DIT) but YMMV. In |
| 34 |
effect my DIT looks like this: |
| 35 |
|
| 36 |
ou=group,dc=disciplina,dc=net |
| 37 |
in here I have actual groups like cn=webmail and I make all people I want to |
| 38 |
have access to webmail a member of this group. |
| 39 |
|
| 40 |
ou=people,dc=disciplina,dc=net |
| 41 |
in here I have normal users. Generally speaking I try NOT to give users |
| 42 |
authorization attributes, instead I just use these for authentication, ie did |
| 43 |
they get the password correct. |
| 44 |
|
| 45 |
ou=hosts,dc=disciplina,dc=net |
| 46 |
in here I create an entry for each of my machines and have pam check |
| 47 |
membership of a machine to see if someone is allowed to ssh into the machine |
| 48 |
|
| 49 |
ou=services,dc=disciplina,dc=net |
| 50 |
in here I have a top level entry for each of the services that I use, eg |
| 51 |
ou=postfix,ou=services,dc=disciplina,dc=net |
| 52 |
Under this part of the dit I then have the superior zones eg: |
| 53 |
dc=net,ou=postfix,ou=services,dc=disciplina,dc=net |
| 54 |
net is a object class dNSDomain and then I have each of the domains (that end |
| 55 |
in .net) associated in here and this is what postfix looks up against for the |
| 56 |
actual mail routing to determine where to send things for a given domain |
| 57 |
(assuming that I host it). |
| 58 |
|
| 59 |
I have some other entries but those are the main one relevant to your question |
| 60 |
I think. |
| 61 |
|
| 62 |
b |
| 63 |
|
| 64 |
-- |
| 65 |
Benjamin Smee (strerror) |
| 66 |
497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C |
Archives