Hello everyone,
In our (non-profit, research) organization we are already using OpenLDAP for many years, storing people data and dns records (LDAP-based DNS server).
We are now looking into how we could organize our LDAP DIT in order to store device data (descriptions, MAC addresses, IP Addresses).
The idea is to be able to use the DIT for combined and/or independent user- and device- based authentication throughout the network (e.g. using TACACS, Radius pulling data from LDAP DIT or elsewhere).
Currently we are storing data about devices (IP and MAC) Addresses using phpIPAM and NetDisco open source software, so data is stored in relational databases (postgresql on NetDisco, MySQL on phpIPAM), yet network-related data is not directly (i.e. integrated in db schemas) associated to users (except in descriptions).
In phpIPAM we are organizing our IP Spaces (public and private). NetDisco uses SNMP to scan the network and automatically associate end-devices ("nodes") to switches ("devices") and MAC addresses to IP addresses.
We are currently investigating whether we should:
1. Store device data in the DIT as part of user records. Thus, each user entry would also include info about the devices the user is responsible for, most importantly IP Addresses assigned to them and MAC addresses. Is this approach considered sane? If so, which Object Class(es) would serve this need?
2. Store data in a separate branch, for example:
dn: cn=devicexxx,ou=Nodes,dc=example,dc=com
objectClass: device objectClass: ieee802Device objectClass: radiusprofile objectClass: simpleSecurityObject objectClass: top cn: devicexxx description: Main Server at Net Lab l: Main Campus macAddress: 00:24:8c:3c:xx:xx ou: tech owner: cn=TechAdmins,ou=Groups,dc=example,dc=com radiusArapSecurity: 195.xxx.xxx.1 radiusArapZoneAccess: 255.255.255.128 radiusFramedIPAddress: 195.xxx.xxx.63 radiusHint: 50004 radiusNASIpAddress: 195.xxx.xxx.125 radiusTerminationAction: 33 radiusTunnelMediumType: IEEE-802 radiusTunnelPrivateGroupId: 1 radiusTunnelType: VLAN userPassword:: ****************
We have successfully tried this approach using FreeRadius and Cisco 2960 switches but I didn't find this solution ideal/intuitive, especially because devices are totally dis-associated from users.
It seems to be more natural to authenticate users based on their personal (ldap-based) credentials and devices based on their MAC addresses alone.
But of course, I may be wrong...
3. Use an non-LDAP store, e.g. MySQL.
I would be grateful to people here who have already dealt with this issue and would be eager to share their experience.
Any reference(s) to relevant documents regarding the above will be valuable too!
Thanks in advance.
Cheers, Nick