openldap install questions
by Washington, Andrea
I recently installed version openldap-2.4.23 on one of our Degreeworks servers as root. During the ./configure piece, I had to disable slapd because it complained about a BDB database. Every installation step after the configure piece completed without a problem. I am uncertain how openldap is being utilized by the Degreeworks software, but I think something may be wrong with the setup or configuration files. Did slapd need to be installed, and what do I do about the BDB issue? I am trying to get single sign-on via Luminis to Degreeworks. The logins for Luminis and Degreeworks are not the same. Any help would be appreciated on setting up openldap to work properly with Degreeworks.
Thanks in advance for your time.
Andrea Washington
12 years, 1 month
Re: Assigning Groups to LDAP users
by pradyumna dash
Hi,
I have created 2 groups and modified the ldap.conf file in the client as
below
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_shadow ou=people,dc=example,dc=com?one
nss_base_group ou=Group,dc=example,dc=com?one
From the client when I run getent I can see my groups and users, but when I
login to a user and try id it shows me the primary group, not the secondary
groups I have added.
I am using SLES 11 SP1.
Regards,
Pradyumna
2011/8/15 Dmitriy Kirhlarov <dimma(a)higis.ru>
> please, keep a list address in the Cc.
>
> WNBR
>
>
> On 08/14/2011 04:20 PM, pradyumna dash wrote:
>
>> Thank you so much.
>>
>> I will try it this week and get back to you in case of any issues.
>>
>> Thanks for your time.
>>
>> Regards,
>> Pradyumna
>>
>> 2011/8/14 Dmitriy Kirhlarov <dimma(a)higis.ru>
>>
>>
>>
>>
>> On 08/14/2011 03:18 PM, pradyumna dash wrote:
>>
>> Hi,
>>
>> Thank you so much. I have never worked a lot on nss_ldap so
>> asking some
>> basic questions.
>>
>> As per you said you guys are running the same in your env.
>>
>> ldap:
>> personal user groups:
>> ou=groups,o=company
>> first project groups:
>> cn=group1,ou=project1,o=company
>> cn=group2,ou=project1,o=company
>>
>> -- Do i need to create separate OU's for different groups?
>>
>>
>> Up to you.
>>
>> You need some "separator" between projects. It can be a branch in the
>> tree, or scope "base" in the filter configuration in the nss_ldap.conf file.
>>
>> We prefer branches. It's more readable when you have many
>> groups and many projects.
>>
>>
>> second project groups:
>> cn=group1,ou=project2,o=company
>> cn=group2,ou=project2,o=company
>> -- How i can specify the users who are a part of which group?
>>
>>
>> cn=group1,ou=project1,o=company
>> objectClass: posixGroup
>> cn: group1
>> gidNumber: 1000
>> description: project1 admin group
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>>
>>
>> "Server1" nss_ldap.conf:
>> nss_base_group ou=groups,o=company?sub
>> nss_base_group ou=project1,o=company?one
>> --The syntax in the conf file will be like above ?? Because i
>> have never
>> used ?sub and ?one
>>
>>
>> It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
>> You should write the second part of the URI (after the connection
>> description) with base, scope and filter.
>>
>>
>> "Server2" nss_ldap.conf:
>> nss_base_group ou=groups,o=company?sub
>> nss_base_group ou=project2,o=company?one
>>
>> Also if you can help, am trying "pwdReset" for my ldap users, in
>> the
>> ppolicy.schema file i have uncommented this attribute but not
>> able to
>> load the schema, if you can give me some pointers would be
>> appreciated.
>> What i want is when firsttime any user logs in he will asked
>> to change
>> his password.
>>
>>
>> 1. try to start slapd with "-d config"
>> 2. take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html
>>
>> WBR
>>
>>
>> Regards,
>> Neo
>>
>> I am not an expert in OpenLDAP so please help me.
>> 2011/8/14 Dmitriy Kirhlarov <dimma(a)higis.ru>
>>
>>
>> Hi.
>>
>>
>> On 08/12/2011 07:40 PM, Buchan Milne wrote:
>>
>> On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
>>
>> Guys,
>>
>> I have a query, lets take a scenario :
>>
>> Assume we have 2 servers "Server1" and "Server2" and 2
>> groups "Admin" and
>> "ITTech", What is needed is like say when a user "bob" logging
>> in to "Server1" he will get the group "Admin", but
>> when he
>> logs in to
>> "Server2" he will get group "ITTech". Also it may vary for
>> different users
>> like when "Kris" logs in to Server1 he may get a group
>> called "ITTech" and
>> when he logs in to "Server2" he will get some other
>> group
>> say "Security".
>> Can it be possible by OpenLDAP ?
>>
>>
>> IMHO, this is a bad idea. It will specifically be
>> problematic if
>> you have any
>> files shared/replicated/backed up between servers (e.g.
>> via NFS).
>>
>>
>> We are using this functionality without any problems. :)
>> This is feature of nss_ldap.
>>
>> ldap:
>> personal user groups:
>> ou=groups,o=company
>>
>> first project groups:
>> cn=group1,ou=project1,o=company
>> cn=group2,ou=project1,o=company
>>
>> second project groups:
>> cn=group1,ou=project2,o=company
>> cn=group2,ou=project2,o=company
>>
>> "Server1" nss_ldap.conf:
>> nss_base_group ou=groups,o=company?sub
>> nss_base_group ou=project1,o=company?one
>>
>> "Server2" nss_ldap.conf:
>> nss_base_group ou=groups,o=company?sub
>> nss_base_group ou=project2,o=company?one
>>
>>
>> WBR
>>
>>
>> If this is achieved then we are planning
>> to have SUDO files based on the groups.
>>
>>
>> It would be much more effective to have your sudo rules
>> in LDAP,
>> and apply a
>> rule to a set of users/groups to a collection/netgroup
>> of hosts.
>>
>> Regards,
>> Buchan
12 years, 1 month
Kudos to OpenLDAP developers
by Brent Bice
After skimming my OpenLDAP email and seeing a few snide comments
about OpenLDAP and/or documentation, I felt compelled to post a
thank-you to all the folks working on OpenLDAP.
Our LDAP needs have been uber-simple until recently but OpenLDAP has
been rock solid and just worked without complaint, failures, or
replication problems.
I recently had to set up a fancier set of LDAP servers for doing
authentication/authorization for giant clusters of servers, so for the
first time I found myself needing other overlays like accesslog and
ppolicy and although I had to spend a bit of time RTFM'ing (oh no, not
that! - grin) I found them like my previous experience with OpenLDAP -
they just worked.
And other than needing to start slapd with a larger max number of
File descriptors to handle thousands of clients all suddenly connecting
and doing queries simultaneously (slaps forehead - I shoulda expected
this), we've had no problems.
So to everyone who's spent late nights 'n weekends digging through
the source code looking for bugs, or adding new overlays, thanks. It's
appreciated...
Brent
12 years, 1 month
provider crash on high replication load
by Marc Patermann
Hi,
I have the following problem:
On a syncrepl provider I have lots (100+) of consumers in refresh and
persist mode.
After upgrading the provider from 2.3.x to 2.4.25 I can crash the server
by a single mod on the root object of one database.
Aug 15 14:18:37 trzs721boot kernel: [544888.798212] slapd[2861]:
segfault at 0 ip 00007fbf89494522 sp 00007fbe8cfa7ca0 error 4 in
slapd[7fbf8942c000+1b6000]
I reproduced this on a test system, even with 2.4.26. The consumers are
ldapsearch clients like this "-E!sync=rp/rid=xxx,csn= * +" on a single
2.4.25 machine. All SLES 11 SP1 64bit.
Here is the gdb output.
http://pastebin.com/6y83ZjqX
I tried to create a core dump, but I could not get it to work.
I used this howto. The "top" example works, I get a core file for user
ldap. With slapd it does not.
Why does slapd crash here?
Marc
12 years, 1 month
replication
by rocke.robertson@pch.gc.ca
Good morning list
I am having no end of problems trying to setup a delta synchronized
replication. One consumer and one provider.
Symptoms are as follows:
User can authenticate and login using provider. If user changes password,
new password does not get replicated to consumer. If password has not
changed the user can authenticate and login using the consumer.
Provider configuration is as follows:
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this schema gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
logfile /var/log/slapd.log
# Load dynamic backend modules using this path!!!
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload accesslog.la
schemacheck on
lastmod on
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to attrs=shadowLastChange
by self write
by * read
access to *
by * read
##NOPE access to * by * write
# ------------------------------------------------------------------- #
# Access log database instance for replication
# ------------------------------------------------------------------- #
# Accesslog database definitions
database bdb
suffix cn=accesslog
directory /var/lib/db/accesslog
rootdn cn=accesslog
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin, dc=chin,dc=ca"
# rootpw
rootpw {SSHA}xxxyyyzzzz
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
index entryCSN,entryUUID eq
# define the default policy
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=chin,dc=ca"
ppolicy_use_lockout
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
logpurge 07+00:00 01+00:00
# Let the replica DN have limitless searches
limits dn.exact="uid=replicator,ou=people,dc=chin,dc=ca" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
The consumer configuration is as follows:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/ppolicy.schema
### added for host_attr access, this schema gives me a host object for wrappers
include /usr/share/doc/nss_ldap-253/ldapns.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2 bind_anon_cred
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 256
#loglevel -1
#loglevel 16384
logfile /var/log/slapd.log
modulepath /usr/lib/openldap
# ------------------------------------------------------------------- #
# Primary database instance
# ------------------------------------------------------------------- #
database bdb
suffix "dc=chin,dc=ca"
rootdn "cn=admin,dc=chin,dc=ca"
directory /var/lib/ldap
# ------------------------------------------------------------------- #
# Replica configuration instance
# ------------------------------------------------------------------- #
# syncrepl specific indices
index entryUUID eq
# syncrepl directives
#binddn="cn=admin,dc=chin,dc=ca"
syncrepl rid=0
    provider=ldap://ldap
    bindmethod=simple
    binddn="uid=replicator,ou=people,dc=chin,dc=ca"
    credentials=xyzyzzz
    searchbase="dc=chin,dc=ca"
    logbase="cn=accesslog"
    logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
    schemachecking=on
    type=refreshAndPersist
    retry="60 +"
    syncdata=accesslog
# Refer updates to the master
updateref ldap://ldap
Error messages on the consumer are:
Aug 15 09:28:08 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Aug 15 09:29:09 stgvir009 slapd[31110]: syncrepl_message_to_entry: rid 000
mods check (pwdAttribute: value #0 invalid per syntax)
Aug 15 09:29:09 stgvir009 slapd[31110]: do_syncrepl: rid 000 retrying
Which looks like it is missing a schema. But I can't find a schema that is
missing.
Log messages on provider showing replicator account activity.
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 ACCEPT from
IP=172.16.50.40:45510 (IP=0.0.0.0:389)
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND
dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 BIND
dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=0 RESULT tag=97 err=0
text=
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH
base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 op=1 SRCH attr=* +
Aug 15 09:29:53 provir009 slapd[27606]: send_search_entry: conn 6736 ber
write failed.
Aug 15 09:29:53 provir009 slapd[27606]: conn=6736 fd=17 closed (connection
lost on write)
Aug 15 09:29:53 provir009 slapd[27606]: connection_read(17): no connection!
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 fd=17 ACCEPT from
IP=172.16.50.40:45511 (IP=0.0.0.0:389)
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND
dn="uid=replicator,ou=people,dc=chin,dc=ca" method=128
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 BIND
dn="uid=Replicator,ou=People,dc=chin,dc=ca" mech=SIMPLE ssf=0
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=0 RESULT tag=97 err=0
text=
Aug 15 09:30:54 provir009 slapd[27606]: conn=6737 op=1 SRCH
base="dc=chin,dc=ca" scope=2 deref=0 filter="(objectClass=*)"
I don't know what this means I'm afraid. But intuitively it doesn't look
good.
Any guidance would be astoundingly great. I am new to ldap so this is a bit
of a learning curve.
Many thanks
Rocke Robertson
Gouvernement du Canada | Government of Canada
12 years, 1 month
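One way to hunt for the difference the poster is asking about (something the provider loads that the consumer does not) is to parse both slapd.conf files and diff what each side loads. This is an example added here, not code from the post; it runs on abridged, constructed copies of the two configurations above (DNs, passwords and index lines left out) and assumes the standard slapd.conf rule that a continuation line begins with whitespace.

```python
# Abridged, constructed copies of the provider and consumer slapd.conf from the
# post (directives only; DNs, passwords and index lines left out).  In slapd.conf
# a line that starts with whitespace continues the previous directive.
PROVIDER_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
moduleload accesslog.la
database bdb
suffix cn=accesslog
overlay syncprov
database bdb
suffix "dc=chin,dc=ca"
overlay ppolicy
overlay syncprov
overlay accesslog
logdb cn=accesslog
"""
CONSUMER_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
database bdb
suffix "dc=chin,dc=ca"
syncrepl rid=0
    provider=ldap://ldap
    logbase="cn=accesslog"
    syncdata=accesslog
"""

def parse_slapd_conf(text):
    """Return (directive, argument) pairs with comments and blank lines dropped
    and continuation lines joined onto the directive they belong to."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    pairs = []
    for line in joined:
        parts = line.split(None, 1)
        pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

def loaded_components(text):
    """Schema files, modules and per-suffix overlays that a config loads."""
    info = {"schemas": set(), "modules": set(), "overlays": {}}
    suffix = None
    for name, arg in parse_slapd_conf(text):
        if name == "include":
            info["schemas"].add(arg.rsplit("/", 1)[-1])
        elif name == "moduleload":
            info["modules"].add(arg)
        elif name == "suffix":
            suffix = arg.strip('"')
            info["overlays"].setdefault(suffix, [])
        elif name == "overlay" and suffix is not None:
            info["overlays"][suffix].append(arg)
    return info

def provider_only(provider_conf, consumer_conf):
    """Components the provider loads and the consumer does not.  The accesslog
    database and its syncprov are provider-side by design in delta-syncrepl;
    the rest is what to compare first when the consumer rejects a value (here
    of pwdAttribute, a password-policy attribute) that the provider accepted."""
    p, c = loaded_components(provider_conf), loaded_components(consumer_conf)
    diff = {"schemas": sorted(p["schemas"] - c["schemas"]),
            "modules": sorted(p["modules"] - c["modules"]), "overlays": {}}
    for suffix, overlays in p["overlays"].items():
        missing = [o for o in overlays if o not in c["overlays"].get(suffix, [])]
        if missing:
            diff["overlays"][suffix] = missing
    return diff

if __name__ == "__main__":
    print(provider_only(PROVIDER_CONF, CONSUMER_CONF))
```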
aliased objects follow across different suffixes on same server?
by Tyler Gates
Hello,
I would like to know if it is possible to have an aliasedobjectname
reference an object that is defined in a different database as a
different suffix on the same server.
I have deref set to always but it doesn't seem to be following the alias
as long as it is not on its own suffix.
Below is an example of what I am trying to do.
suffix1: dc=example,dc=com
dn: cn=entry,dc=example,dc=com
...
suffix2: dc=example,dc=net
dn: cn=entry2,dc=example,dc=net
objectClass: alias
objectClass: extensibleObject
aliasedobjectname: cn=entry,dc=example,dc=com
12 years, 1 month
Re: Assigning Groups to LDAP users
by Dmitriy Kirhlarov
On 08/14/2011 03:18 PM, pradyumna dash wrote:
> Hi,
>
> Thank you so much. I have never worked a lot on nss_ldap so asking some
> basic questions.
>
> As per you said you guys are running the same in your env.
>
> ldap:
> personal user groups:
> ou=groups,o=company
> first project groups:
> cn=group1,ou=project1,o=company
> cn=group2,ou=project1,o=company
>
> -- Do i need to create separate OU's for different groups?
Up to you.
You need some "separator" between projects. It can be a branch in the
tree, or scope "base" in the filter configuration in the nss_ldap.conf file.
We prefer branches. It's more readable when you have many groups
and many projects.
> second project groups:
> cn=group1,ou=project2,o=company
> cn=group2,ou=project2,o=company
> -- How i can specify the users who are a part of which group?
cn=group1,ou=project1,o=company
objectClass: posixGroup
cn: group1
gidNumber: 1000
description: project1 admin group
memberUid: user1
memberUid: user2
memberUid: user3
> "Server1" nss_ldap.conf:
> nss_base_group ou=groups,o=company?sub
> nss_base_group ou=project1,o=company?one
> --The syntax in the conf file will be like above ?? Because i have never
> used ?sub and ?one
It's URI (http://en.wikipedia.org/wiki/URI_scheme) syntax.
You should write the second part of the URI (after the connection description)
with base, scope and filter.
> "Server2" nss_ldap.conf:
> nss_base_group ou=groups,o=company?sub
> nss_base_group ou=project2,o=company?one
>
> Also if you can help, am trying "pwdReset" for my ldap users, in the
> ppolicy.schema file i have uncommented this attribute but not able to
> load the schema, if you can give me some pointers would be appreciated.
> What i want is when firsttime any user logs in he will asked to change
> his password.
1. try to start slapd with "-d config"
2. take a look at http://www.zytrax.com/books/ldap/ch6/ppolicy.html
WBR
>
> Regards,
> Neo
>
> I am not an expert in OpenLDAP so please help me.
> 2011/8/14 Dmitriy Kirhlarov <dimma(a)higis.ru>
>
> Hi.
>
>
> On 08/12/2011 07:40 PM, Buchan Milne wrote:
>
> On Wednesday, 10 August 2011 10:11:17 pradyumna dash wrote:
>
> Guys,
>
> I have a query, lets take a scenario :
>
> Assume we have 2 servers "Server1" and "Server2" and 2
> groups "Admin" and
> "ITTech", What is needed is like say when a user "bob" logging
> in to "Server1" he will get the group "Admin", but when he
> logs in to
> "Server2" he will get group "ITTech". Also it may vary for
> different users
> like when "Kris" logs in to Server1 he may get a group
> called "ITTech" and
> when he logs in to "Server2" he will get some other group
> say "Security".
> Can it be possible by OpenLDAP ?
>
>
> IMHO, this is a bad idea. It will specifically be problematic if
> you have any
> files shared/replicated/backed up between servers (e.g. via NFS).
>
>
> We are using this functionality without any problems. :)
> This is feature of nss_ldap.
>
> ldap:
> personal user groups:
> ou=groups,o=company
>
> first project groups:
> cn=group1,ou=project1,o=company
> cn=group2,ou=project1,o=company
>
> second project groups:
> cn=group1,ou=project2,o=company
> cn=group2,ou=project2,o=company
>
> "Server1" nss_ldap.conf:
> nss_base_group ou=groups,o=company?sub
> nss_base_group ou=project1,o=company?one
>
> "Server2" nss_ldap.conf:
> nss_base_group ou=groups,o=company?sub
> nss_base_group ou=project2,o=company?one
>
>
> WBR
>
>
> If this is achieved then we are planning
> to have SUDO files based on the groups.
>
>
> It would be much more effective to have your sudo rules in LDAP,
> and apply a
> rule to a set of users/groups to a collection/netgroup of hosts.
>
> Regards,
> Buchan
12 years, 1 month
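As an added example (not code from the thread), the following simulates how per-host nss_base_group lines select group entries, which covers both pradyumna's question about a ?one base and Dmitriy's per-project layout above. It uses a constructed directory laid out like Dmitriy's and the two hosts' configs, shows that a ?one scope finds a group one level below its base but not two levels down, and applies Buchan's caveat by reporting group names that resolve to different gidNumbers on the two hosts; the DNs are assumed to contain no escaped commas.

```python
import re

# Constructed directory mirroring the thread's layout: personal groups under
# ou=groups,o=company, project groups one level under ou=projectN,o=company.
# Values are posixGroup attributes; the DNs contain no escaped commas.
DIRECTORY = {
    "cn=staff,ou=groups,o=company":          {"gidNumber": 500,  "memberUid": ["bob", "kris"]},
    "cn=Admin,ou=project1,o=company":        {"gidNumber": 1000, "memberUid": ["bob"]},
    "cn=ITTech,ou=project1,o=company":       {"gidNumber": 1001, "memberUid": ["kris"]},
    "cn=ITTech,ou=project2,o=company":       {"gidNumber": 2000, "memberUid": ["bob"]},
    "cn=Security,ou=project2,o=company":     {"gidNumber": 2001, "memberUid": ["kris"]},
    # two levels below ou=project1: a ?one search on that base will not see it
    "cn=Admin,ou=old,ou=project1,o=company": {"gidNumber": 1010, "memberUid": ["bob"]},
}

# Constructed per-host nss_ldap.conf fragments, as Dmitriy describes them.
SERVER1_CONF = "nss_base_group ou=groups,o=company?sub\nnss_base_group ou=project1,o=company?one\n"
SERVER2_CONF = "nss_base_group ou=groups,o=company?sub\nnss_base_group ou=project2,o=company?one\n"

def parse_nss_base_group(conf):
    """Return (base, scope) pairs from nss_base_group lines.  The value follows
    the LDAP URL convention base?scope?filter; the scope defaults to sub."""
    pairs = []
    for line in conf.splitlines():
        m = re.match(r"^\s*nss_base_group\s+(\S+)\s*$", line)
        if not m:
            continue
        base, _, rest = m.group(1).partition("?")
        scope = rest.split("?")[0] or "sub"
        if scope not in ("base", "one", "sub"):
            raise ValueError("bad scope %r in %r" % (scope, line))
        pairs.append((base, scope))
    return pairs

def in_scope(dn, base, scope):
    """True if dn lies under base at the given search scope (case-insensitive)."""
    d = [r.strip().lower() for r in dn.split(",")]
    b = [r.strip().lower() for r in base.split(",")]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def visible_entries(conf):
    """Group entries a host using conf would see, in the order its bases are listed."""
    hits = []
    for base, scope in parse_nss_base_group(conf):
        hits += [(dn, a) for dn, a in DIRECTORY.items() if in_scope(dn, base, scope)]
    return hits

def group_name(dn):
    return dn.split(",")[0].split("=", 1)[1]

def groups_for(user, conf):
    """Sorted supplementary group names that `id user` would report on that host."""
    return sorted({group_name(dn) for dn, a in visible_entries(conf) if user in a["memberUid"]})

def gid_conflicts(conf_a, conf_b):
    """Group names both hosts expose under different gidNumbers: Buchan's caveat,
    since a file owned by that gid on one host maps to another group on the
    other once the filesystem is shared (for example over NFS)."""
    gids_a = {group_name(dn): a["gidNumber"] for dn, a in visible_entries(conf_a)}
    gids_b = {group_name(dn): a["gidNumber"] for dn, a in visible_entries(conf_b)}
    return {n: (gids_a[n], gids_b[n]) for n in gids_a if n in gids_b and gids_a[n] != gids_b[n]}

if __name__ == "__main__":
    for host, conf in (("Server1", SERVER1_CONF), ("Server2", SERVER2_CONF)):
        for user in ("bob", "kris"):
            print(host, user, groups_for(user, conf))
    print("gid conflicts between hosts:", gid_conflicts(SERVER1_CONF, SERVER2_CONF))
```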
acl confusion in proxy server config
by Ron Peterson
I have a proxy server ('ldap' backend) sitting in front of a master
directory.
The DNs on my master directory are UUIDs + ou + domain, e.g. myid=1234...89,dc=yada,dc=com.
Each object has a (unique) username attribute.
Logging in on the proxy server involves mapping the username to the DN
rwm-rewriteMap ldap uid2DN "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub" binddn="uid=..." credentials="xxx"
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=zzz" "${uid2DN(myusername=$1)}" ":@I"
I would like anyone logging in as themselves to be able to read their
own attributes. I'm having trouble doing this. 'Self' doesn't seem to
work because of the mapping going on, e.g.
access to dn.sub="ou=vpn"
by self read
by anonymous auth
by * none
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com", (read(=rscxd))
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access denied by none(=0
I think 'self' doesn't match because
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com
(is my thinking correct on this?)
How do I allow a user to read their own attributes in this situation?
-Ron-
12 years, 1 month
Problem with overlay unique
by Ruud Baart
I use slapd 2.4.23 (debian package) with some overlays: syncprov, unique
and valsort. I have a problem with the unique overlay.
This is the unique constraint:
olcUniqueURI: ldap://ou=Workstations,ou=Devices,dc=example,dc=com/?uid?sub
I try to add an LDIF like this:
dn: uid=userabc,ou=MozillaAddressBook,ou=Users,dc=example,dc=com
objectClass: person
...
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ..
...
uid: userabc
...
with ldapadd I get:
ldap_add: Constraint violation (19)
additional info: some attributes not unique
When I remove the unique constraint the ldif file is accepted.
It seems to me that something is wrong: the base of olcUniqueURI is
different from the base where I try to add an entry. I don't understand
this. Is the olcUniqueURI wrong?
--
Regards,
Ruud Baart
12 years, 1 month
Re: Group Members
by Michael Ströder
Cc:-ed openldap-technical(a)openldap.org
criderkevin(a)aol.com wrote:
> Not many users, only about 400-500. I'm thinking just due to our need to
> multiple admins needing access to different apps we may want different
> branches...but then the Users are duplicated but perhaps in an LDAP world
> that's not a no-no. I believe this sort of thing can be controlled by ACL's as
> well?...but 1 branch per App seems to be easiest. (would you agree?)
Yes, you should make yourself familiar with ACLs for achieving delegated
administration.
> Also, are there decent free LDAP admin GUI interface tools anyone would
> recommend? I've tried a few that Google search has come up with but thought
> I'd ask...
There are several with different focus. You should try out yourself and choose
the one which fits your needs best. Being the author of web2ldap I'm biased
anyway.
Ciao, Michael.
12 years, 1 month