heya,

On Wednesday 15 June 2005 19:16, Kenny Mann wrote:
> I'm planning on implementing LDAP (just to play -- I've done the same in
> MySQL already)
> I'd like to do virtual hosting, which would involve Apache and Postfix.
> For now, I'm researching the Postfix stuff.
> I have 'Deploying OpenLDAP by Tom Jackiewicz' and an O'Reilly one as well,
> but they don't explain it in enough detail that I understand it.
> I'm thinking I need to make the top container an organization and add
> domains below that, but not 100% certain of how.
> The question I have is can someone point me a direction as to where I can
> learn the structure and meanings of the dc, ou, etc so I can figure out the
> layout of the DIT?

I currently have the following setup:
postfix - uses ldap for authentication with smtp-auth and mail routing.
cyrus - postfix backends into it, uses ldap for authentication
apache - uses ldap for authentication
pam - uses ldap for authentication
and so on, basically every single service in my network uses ldap for
authentication. As you rightly point out structuring the DIT is the key.
Unfortunately in my experience there aren't too many books that are actually
useful for designing the DIT itself, although they are very handy for
actually understanding how LDAP works. My suggestion is to hang in #ldap on
freenode and ask people there but fwiw here is how I do it.

Basically I see two main ways of implementing DITs, either you have lots of
"groups" that you make people members of and then you filter based on group
membership OR you have users that have lots of different attributes and you
filter on attributes. Personally I prefer the group based setup as it means
that to find who can access something I can just check a group (less onerous
on the LDAP server as I don't have to traverse the entire DIT) but YMMV. In
effect my DIT looks like this:

ou=group,dc=disciplina,dc=net
in here I have actual groups like cn=webmail and I make all people I want to
have access to webmail a member of this group.

ou=people,dc=disciplina,dc=net
in here I have normal users. Generally speaking I try NOT to give users
authorization attributes, instead I just use these for authentication, i.e. did
they get the password correct.

ou=hosts,dc=disciplina,dc=net
in here I create an entry for each of my machines and have pam check
membership of a machine to see if someone is allowed to ssh into the machine

ou=services,dc=disciplina,dc=net
in here I have a top level entry for each of the services that I use, e.g.
ou=postfix,ou=services,dc=disciplina,dc=net
Under this part of the DIT I then have the superior zones e.g.:
dc=net,ou=postfix,ou=services,dc=disciplina,dc=net
net is an object class dNSDomain and then I have each of the domains (that end
in .net) associated in here and this is what postfix looks up against for the
actual mail routing to determine where to send things for a given domain
(assuming that I host it).

I have some other entries but those are the main ones relevant to your question
I think.

b

--
Benjamin Smee (strerror)
497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C
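As an added example that is not part of Benjamin's message (nor of any OpenLDAP/Postfix/PAM code): the DIT he describes, written out as a constructed LDIF snapshot, together with the three lookups the services would make against it. The DN layout (ou=people, ou=group, ou=hosts, ou=services/ou=postfix with dNSDomain entries) follows the post; the user names, the use of memberUid on group and host entries, and MXRecord as the routing attribute are assumptions chosen for illustration. It is stdlib-only Python that parses the LDIF in-process, so it runs without a directory server.

```python
# Added example (not from the original message): a constructed LDIF snapshot
# of the group-based DIT described above and the lookups Apache, PAM and
# Postfix would make against it.  Stdlib only, parsed in-process.
# Attribute choices (memberUid on groups/hosts, MXRecord) are assumptions.
SAMPLE_LDIF = """\
dn: dc=disciplina,dc=net
objectClass: dcObject
objectClass: organization
dc: disciplina
o: disciplina

dn: ou=people,dc=disciplina,dc=net
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=disciplina,dc=net
objectClass: account
uid: alice
userPassword: {SSHA}constructed-placeholder

dn: uid=bob,ou=people,dc=disciplina,dc=net
objectClass: account
uid: bob

dn: ou=group,dc=disciplina,dc=net
objectClass: organizationalUnit
ou: group

dn: cn=webmail,ou=group,dc=disciplina,dc=net
objectClass: posixGroup
cn: webmail
gidNumber: 2001
memberUid: alice

dn: ou=hosts,dc=disciplina,dc=net
objectClass: organizationalUnit
ou: hosts

dn: cn=mx1,ou=hosts,dc=disciplina,dc=net
objectClass: posixGroup
cn: mx1
gidNumber: 3001
memberUid: alice
memberUid: bob

dn: ou=services,dc=disciplina,dc=net
objectClass: organizationalUnit
ou: services

dn: ou=postfix,ou=services,dc=disciplina,dc=net
objectClass: organizationalUnit
ou: postfix

dn: dc=net,ou=postfix,ou=services,dc=disciplina,dc=net
objectClass: dNSDomain
dc: net

dn: dc=disciplina,dc=net,ou=postfix,ou=services,dc=disciplina,dc=net
objectClass: dNSDomain
dc: disciplina
MXRecord: mx1.disciplina.net
"""

BASE = "dc=disciplina,dc=net"


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr.lower(): [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def has_value(entry, attr, value):
    """Case-insensitive match, like an LDAP (attr=value) equality filter."""
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))


def can_use_service(entries, uid, service):
    """Apache-style authz: one read of cn=<service>,ou=group, no DIT walk.
    Equivalent search: base ou=group, filter (&(cn=<service>)(memberUid=<uid>))."""
    return has_value(entries.get(f"cn={service},ou=group,{BASE}", {}), "memberUid", uid)


def can_ssh(entries, uid, host):
    """PAM-style check: is uid listed on the machine's entry under ou=hosts?"""
    return has_value(entries.get(f"cn={host},ou=hosts,{BASE}", {}), "memberUid", uid)


def mail_route(entries, domain):
    """Postfix-style routing lookup: 'disciplina.net' maps to
    dc=disciplina,dc=net,ou=postfix,ou=services,<BASE>.  Returns the MXRecord
    (assumed attribute) or None when the domain is not one we host."""
    rdns = ",".join(f"dc={label}" for label in domain.lower().split("."))
    entry = entries.get(f"{rdns},ou=postfix,ou=services,{BASE}")
    return None if entry is None else entry.get("mxrecord", [None])[0]
```

The point of the group-based layout shows up in `can_use_service` and `can_ssh`: each authorization decision is a single base-scoped read of one known DN (or, on a real server, a one-level search under ou=group with a two-term filter), and the user entry itself carries nothing but what is needed to authenticate. `mail_route` mirrors how the domain labels become the dc= RDNs under ou=postfix, so a domain the directory does not know simply fails to resolve.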