On Mon, Feb 07, 2011 at 08:09:15PM +0100, Pieter Baele wrote:
> Each company needs its own pair of multi-master LDAP servers (for HA). Each LDAP server pair belongs to one of the affiliates and there has to be a 'Chinese wall' between those (if possible).
You are effectively running N separate LDAP services here.
> But for me and other admins it should be possible to access and manage all servers using the same password and tooling (like Puppet with LDAP...).
> My idea was some combination of chaining, proxy... (or other overlays). We could use the LDAP server of the mother company as the last part of some chain. The DIT / rights structure is also still an issue for me (I'm not an LDAP expert).
You should certainly start by thinking about the DIT structure. If you want to be able to view all the servers at once from your admin tools then the DITs in each must not overlap. Assuming that each company has its own DNS domain, you might start with suffixes like this:
    hq.mother.co       dc=hq,dc=mother,dc=co
    local.mother.co    dc=local,dc=mother,dc=co
    third.mother.co    dc=third,dc=mother,dc=co
It is not essential that each company has its domain under the mother company, but it does make global searches easier.
Under each suffix you would want an identical layout to keep things simple. Maybe divide the subtree like this:
    ou=people,dc=hq,dc=mother,dc=co
    ou=groups,dc=hq,dc=mother,dc=co
    ou=apps,dc=hq,dc=mother,dc=co
If you really want to have the admins use the same ID and password on every server then you have to do one more thing: create an admin suffix that is replicated across all servers in all the companies:
    dc=ldapadmin,dc=mother,dc=co
In that suffix you place the IDs for the admins and also any global groups that you need for access control.
You can then write ACLs giving the admin IDs appropriate control over the company domains. OpenLDAP is flexible enough that you should be able to use an identical set of rules for each server.
To finish the job for the admins, set up a proxy server that either chains or refers to each of the subdomain servers based on the DN. Give it a replicated copy of the admin suffix and set some ACLs to prevent non-admins from using it.
> Other nice-to-haves are some AD integration and Kerberos, but this has nothing to do with my question :-)
It might be relevant, depending on just what you mean by 'AD integration'...
Andrew
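The layout Andrew describes (per-company suffixes, one replicated admin suffix, an identical ACL set on every server, and a DN-routed proxy in front) written out as slapd.conf stanzas plus the seed entries the ACLs refer to. This is an added example, not configuration from either poster; it assumes OpenLDAP 2.4 or later with back-mdb, syncprov and back-meta, and the hostnames (ldap1/ldap2.hq.mother.co, ldap1.local.mother.co, ldapproxy.mother.co), the account names (cn=replicator, cn=proxy, cn=admin1, the group cn=ldapadmins) and the CHANGE-ME secrets are all invented for the example.

```conf
#### slapd.conf on ldap1.hq.mother.co (one member of the HQ pair). Assumed:
#### OpenLDAP 2.4+ with back-mdb, syncprov, back-meta; hostnames, account
#### names and the CHANGE-ME secrets are invented for this example.
include         /etc/openldap/schema/core.schema
moduleload      back_mdb.la
moduleload      syncprov.la
# Multi-master pair: one serverID per member; with URLs ldap2 can share this file.
serverID        1 ldap://ldap1.hq.mother.co
serverID        2 ldap://ldap2.hq.mother.co
# Honour proxyAuthz from identities whose entry carries authzTo (cn=proxy, LDIF below).
authz-policy    to

# 1. Admin suffix: the HQ pair is its provider, every other server a consumer.
database        mdb
suffix          "dc=ldapadmin,dc=mother,dc=co"
rootdn          "cn=manager,dc=ldapadmin,dc=mother,dc=co"
directory       /var/lib/ldap/ldapadmin
syncrepl        rid=001 provider=ldap://ldap2.hq.mother.co bindmethod=simple
                binddn="cn=replicator,dc=ldapadmin,dc=mother,dc=co" credentials=CHANGE-ME
                searchbase="dc=ldapadmin,dc=mother,dc=co" type=refreshAndPersist retry="30 +"
mirrormode      on
overlay         syncprov
access to attrs=userPassword by self write by anonymous auth
        by dn.exact="cn=replicator,dc=ldapadmin,dc=mother,dc=co" read
        by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write by * none
access to * by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write
        by users read by * none

# 2. This company's DIT (ou=people, ou=groups, ou=apps beneath it). The ACLs say
#    "access to *", so the stanza is textually identical on every company server;
#    only suffix, rootdn, directory and provider differ.
database        mdb
suffix          "dc=hq,dc=mother,dc=co"
rootdn          "cn=manager,dc=hq,dc=mother,dc=co"
directory       /var/lib/ldap/hq
syncrepl        rid=002 provider=ldap://ldap2.hq.mother.co bindmethod=simple
                binddn="cn=replicator,dc=ldapadmin,dc=mother,dc=co" credentials=CHANGE-ME
                searchbase="dc=hq,dc=mother,dc=co" type=refreshAndPersist retry="30 +"
mirrormode      on
overlay         syncprov
access to attrs=userPassword by self write by anonymous auth
        by dn.exact="cn=replicator,dc=ldapadmin,dc=mother,dc=co" read
        by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write by * none
access to * by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" write
        by users read by * none

#### slapd.conf on ldapproxy.mother.co, the admins' single entry point. (An
#### affiliate server uses this same consumer stanza for the admin suffix.)
include         /etc/openldap/schema/core.schema
moduleload      back_mdb.la
moduleload      back_meta.la
# A database whose suffix lies inside another's must come first in the file.
database        mdb
suffix          "dc=ldapadmin,dc=mother,dc=co"
rootdn          "cn=manager,dc=ldapadmin,dc=mother,dc=co"
directory       /var/lib/ldap/ldapadmin
syncrepl        rid=001 provider=ldap://ldap1.hq.mother.co bindmethod=simple
                binddn="cn=replicator,dc=ldapadmin,dc=mother,dc=co" credentials=CHANGE-ME
                searchbase="dc=ldapadmin,dc=mother,dc=co" type=refreshAndPersist retry="30 +"
updateref       ldap://ldap1.hq.mother.co
access to attrs=userPassword by anonymous auth by * none
access to * by users read by * none

# Everything else under dc=mother,dc=co is routed by DN to the company pair that
# owns the subtree: one uri plus idassert stanza per company (dc=local and
# dc=third repeat the three lines below with their own host and suffix). The
# proxy binds to the target as cn=proxy and asserts the admin's own DN, so the
# company server applies its ACLs to the admin, not to the proxy account.
database        meta
suffix          "dc=mother,dc=co"
uri             "ldap://ldap1.hq.mother.co/dc=hq,dc=mother,dc=co"
idassert-bind   bindmethod=simple binddn="cn=proxy,dc=ldapadmin,dc=mother,dc=co" credentials=CHANGE-ME
idassert-authzFrom "dn.subtree:dc=ldapadmin,dc=mother,dc=co"
# back-meta leaves write checks to the targets; this keeps everyone outside the
# admin group from seeing anything through the proxy.
access to * by group.exact="cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co" read by * none

#### Seed LDIF for the admin suffix (ldapadd once on the HQ pair). The domain and
#### ou entries are assumed to exist; cn=admin1 and cn=replicator are plain
#### simpleSecurityObject entries built like cn=proxy below, minus authzTo.
dn: cn=ldapadmins,ou=groups,dc=ldapadmin,dc=mother,dc=co
objectClass: groupOfNames
cn: ldapadmins
member: cn=admin1,ou=people,dc=ldapadmin,dc=mother,dc=co

# authzTo is what makes a company server (authz-policy to) honour the proxy's
# assertion of any DN inside the admin suffix.
dn: cn=proxy,dc=ldapadmin,dc=mother,dc=co
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: proxy
userPassword: CHANGE-ME
authzTo: dn.subtree:dc=ldapadmin,dc=mother,dc=co
```

With this in place an admin runs one command against the proxy (for example `ldapsearch -H ldap://ldapproxy.mother.co -D cn=admin1,ou=people,dc=ldapadmin,dc=mother,dc=co -W -b dc=mother,dc=co`) and the same DN and password work directly against any company pair, because the admin suffix is a local replica everywhere. The Chinese wall holds because a company server only ever holds its own DIT plus the read-only admin suffix; the one thing that spans companies is the proxy, so the cn=proxy credentials and the proxy host itself deserve the same protection as a root password. Run `slaptest -f slapd.conf` on each file before deploying it; the idassert and authzTo details are the part most worth checking against slapd-meta(5) and slapd.conf(5) for the version you actually run.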