Hi all,
I am a newbie to LDAP, and have just gotten my first directory server up and running, using openldap.
I have been researching and reading a lot of material for quite a while about schema design and planning, and haven't found much pertaining to what I want to do.
We have 50+ servers, serving thousands of customers. I want to migrate those servers to LDAP authentication and authorization, but have not found the proper design for multiple servers and duplicated users. Most references just do the basic "example.com" example and never expand on it from there. Ultimately, I would like to allow my admins to have a single account across multiple servers (kind of "authorization account merging"), but still allow the schema to be "separate" enough that duplicated usernames on different machines, corresponding to different people, still exist.
Are there any really good references out there that do step-by-step walk-throughs of the type of schema designing that I am thinking of? Or is it impossible? Or am I just really making too much of this? :)
Thanks for any insights...
Alex
Alex Moen wrote:
I have been researching and reading a lot of material for quite a while about schema design and planning, and haven't found much pertaining to what I want to do.
We have 50+ servers, serving thousands of customers. I want to migrate those servers to LDAP authentication and authorization, but have not found the proper design for multiple servers and duplicated users. Most references just do the basic "example.com" example and never expand on it from there. Ultimately, I would like to allow my admins to have a single account across multiple servers (kind of "authorization account merging"), but still allow the schema to be "separate" enough that duplicated usernames on different machines, corresponding to different people, still exist.
Are there any really good references out there that do step-by-step walk-throughs of the type of schema designing that I am thinking of? Or is it impossible? Or am I just really making too much of this? :)
You shouldn't be concerned about schema design; there are already lots of schemas for almost everything on the net, unless you have some very specific need.
When you integrate a server with an LDAP database for authentication - say with nss_ldap, for example - you "add" those LDAP accounts to the server. So you still get your local accounts for each server, plus you have the "global" LDAP accounts too. If you want to migrate those customers' local accounts to the LDAP database for centralized management, you'll have to deal with dups.
My knowledge of LDAP is very simple and basic, but perhaps someone has a better idea on how to segment your LDAP tree to deal with dups. For the admin accounts, no big deal: you erase them from /etc/passwd on each server and re-create them once in LDAP.
Best regards,
--On Thursday, May 21, 2009 8:26 AM -0500 Alex Moen alexm@ndtel.com wrote:
Hi all,
I am a newbie to LDAP, and have just gotten my first directory server up and running, using openldap.
I have been researching and reading a lot of material for quite a while about schema design and planning, and haven't found much pertaining to what I want to do.
We have 50+ servers, serving thousands of customers. I want to migrate those servers to LDAP authentication and authorization, but have not found the proper design for multiple servers and duplicated users. Most references just do the basic "example.com" example and never expand on it from there. Ultimately, I would like to allow my admins to have a single account across multiple servers (kind of "authorization account merging"), but still allow the schema to be "separate" enough that duplicated usernames on different machines, corresponding to different people, still exist.
Are there any really good references out there that do step-by-step walk-throughs of the type of schema designing that I am thinking of? Or is it impossible? Or am I just really making too much of this? :)
Thanks for any insights...
I think you are confusing schema with DIT layout. Personally, I would put all the users in a single tree (cn=accounts,dc=my,dc=domain), and if you need to track what company they work for, put that in an attribute in the account entry. There is no need for duplicate entries that I can see. If you need to restrict access to various servers, set it up so they filter off the company associated with the account.
And, you can always have local accounts in addition to the accounts in LDAP. You generally want this anyhow, for users like root, so you can always get in regardless. But you could also create an "admin" account in the accounts tree, and make it so it can access any server.
The NSS Overlay that's currently in OpenLDAP HEAD would probably work best for all of this. It will hopefully make its appearance in OpenLDAP 2.4.17.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
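An added illustration (not code from the thread or from OpenLDAP) of the single-tree layout Quanah describes and of the nss_ldap integration mentioned in the first reply: every person is one entry under cn=accounts,dc=my,dc=domain, the company lives in the entry's `o` attribute, each server's nss_ldap filter only exposes its own company plus the admins, and the admin's `host: *` (the value pam_ldap's pam_check_host_attr honours) lets one admin entry log in everywhere. The company names, DNs and uidNumbers below are constructed sample data, and the directory is modelled as a Python dict rather than a live slapd.

```python
# Constructed sample DIT in the layout Quanah suggests: every person is ONE
# entry under cn=accounts,dc=my,dc=domain, with the company in the "o"
# attribute (allowed by the cosine "account" objectClass next to posixAccount).
BASE = "cn=accounts,dc=my,dc=domain"

DIRECTORY = {
    # two different people who both use the login name "bob" on different servers
    f"cn=bob.acme,{BASE}": {"uid": ["bob"], "o": ["acme"], "uidNumber": ["10001"]},
    f"cn=bob.globex,{BASE}": {"uid": ["bob"], "o": ["globex"], "uidNumber": ["20001"]},
    # the admin: a single entry, allowed on every host via "host: *"
    f"cn=alex,{BASE}": {"uid": ["alex"], "o": ["ndtel"], "uidNumber": ["1001"], "host": ["*"]},
}


def nss_base_passwd(company):
    """nss_ldap.conf line (base?scope?filter) for the servers of one company.

    The filter keeps the company's own users plus any entry carrying a host
    attribute (the admins), so each server sees exactly one "bob".
    """
    return f"nss_base_passwd {BASE}?sub?(|(o={company})(host=*))"


def _visible(entry, company):
    """Python equivalent of the filter (|(o=<company>)(host=*))."""
    return company in entry.get("o", []) or "host" in entry


def resolve_uid(uid, company, directory=DIRECTORY):
    """Return the DN a server of <company> resolves a login name to.

    None means "no such user on this server"; LookupError means two people
    with the same uid are still visible here (a migration dup the per-server
    filter did not separate), which is worth catching before go-live.
    """
    matches = [dn for dn, e in directory.items()
               if uid in e.get("uid", []) and _visible(e, company)]
    if len(matches) > 1:
        raise LookupError(f"uid={uid} is ambiguous for {company}: {matches}")
    return matches[0] if matches else None


def host_allowed(dn, hostname, directory=DIRECTORY):
    """pam_check_host_attr-style check: a host value of '*' matches every server."""
    hosts = directory[dn].get("host", [])
    return "*" in hosts or hostname in hosts


if __name__ == "__main__":
    for company in ("acme", "globex"):
        print(nss_base_passwd(company))
        print("  bob  ->", resolve_uid("bob", company))
        print("  alex ->", resolve_uid("alex", company))
```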
openldap-technical@openldap.org