--On Thursday, May 21, 2009 8:26 AM -0500 Alex Moen <alexm(a)ndtel.com> wrote:
I am a newbie to LDAP, and have just gotten my first directory server up
and running, using openldap.
I have been researching and reading a lot of material for quite a while
about schema design and planning, and haven't found much pertaining to
what I want to do.
We have 50+ servers, serving thousands of customers. I want to migrate
those servers to LDAP authentication and authorization, but have not
found the proper design for multiple servers and duplicated users. Most
references just do the basic "example.com" example and never expand on it
from there. Ultimately, I would like to allow my admins to have a single
account across multiple servers (kind of "authorization account
merging"), but still allow the schema to be "separate" enough that
duplicated usernames on different machines, corresponding to different
people, still exist.
Are there any really good references out there that do step-by-step
walk-throughs of the type of schema designing that I am thinking of? Or is it
impossible? Or am I just really making too much of this? :)
Thanks for any insights...
I think you are confusing schema with DIT layout. Personally, I would put
all the users in a single tree (cn=accounts,dc=my,dc=domain), and if you
need to track what company they work for, put that in an attribute in the
account entry. There is no need for duplicate entries that I can see. If
you need to restrict access to various servers, set it up so they filter
off the company associated with the account.
And, you can always have local accounts in addition to the accounts in
LDAP. You generally want this anyhow, for users like root, so you can
always get in regardless. But you could also create an "admin" account in
the accounts tree, and make it so it can access any server.
The NSS Overlay that's currently in OpenLDAP HEAD would probably work best
for all of this. It will hopefully make its appearance in OpenLDAP 2.4.17.
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration
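The layout the reply describes, modelled as an added example (not code from the thread, from OpenLDAP, or from either poster): one accounts tree, a company attribute on each entry, a per-server filter that selects that company's users plus one shared admin account, and a check that no two entries visible to a given server share a uid or uidNumber. The LDIF is constructed; using o for the company, employeeType=serveradmin to mark the admin account, and nslcd.conf's "filter passwd" as the place the filter would be set are assumptions of the example, not something the thread states.

```python
# Added example (not from the thread or OpenLDAP): model the single-tree
# layout from the reply and check each server's filtered view for clashes.
from collections import Counter

# Constructed sample of cn=accounts,dc=my,dc=domain, cut down to the
# attributes used here. Two different people are both "bjones", so the RDN
# is cn, not uid. 'o' for the company and 'employeeType: serveradmin' for
# the cross-server admin account are assumptions of this example.
ACCOUNTS_LDIF = """\
dn: cn=bjones-acme,cn=accounts,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: posixAccount
cn: bjones-acme
uid: bjones
uidNumber: 10002
o: Acme

dn: cn=bjones-globex,cn=accounts,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: posixAccount
cn: bjones-globex
uid: bjones
uidNumber: 20002
o: Globex

dn: cn=opsadmin,cn=accounts,dc=my,dc=domain
objectClass: inetOrgPerson
objectClass: posixAccount
cn: opsadmin
uid: opsadmin
uidNumber: 500
employeeType: serveradmin
"""

def parse_ldif(text):
    """Entries as dicts: lower-cased attribute -> list of values
    (plain 'attr: value' lines only; no base64, no continuation lines)."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, ! and attr=value / attr=*."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|!":
            op, pos = text[pos], pos + 1
            subs = []
            while text[pos] == "(":
                subs.append(node())
            pos += 1  # the ')' that closes this group
            return (op, subs)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", (attr.lower(), value))

    return node()

def matches(node, entry):
    """Evaluate a parsed filter. Case-insensitive equality for every
    attribute is a simplification of LDAP's per-attribute matching rules."""
    op, arg = node
    if op in "&|":
        return (all if op == "&" else any)(matches(n, entry) for n in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def server_filter(company):
    """Filter for one customer's servers: that company's accounts plus the
    admin. Assumed to be set as 'filter passwd' in nslcd.conf (not from the thread)."""
    return "(&(objectClass=posixAccount)(|(o=%s)(employeeType=serveradmin)))" % company

def server_view(entries, flt):
    """Accounts a server configured with flt would resolve through NSS."""
    parsed = parse_filter(flt)
    return [e for e in entries if matches(parsed, e)]

def collisions(view):
    """uid and uidNumber values shared by two entries in one server's view:
    any hit means two people would map to the same Unix identity."""
    dup = lambda attr: sorted(v for v, c in Counter(
        x for e in view for x in e.get(attr, [])).items() if c > 1)
    return {"uid": dup("uid"), "uidNumber": dup("uidnumber")}

if __name__ == "__main__":
    tree = parse_ldif(ACCOUNTS_LDIF)
    print({c: collisions(server_view(tree, server_filter(c))) for c in ("Acme", "Globex")})
```

With the filter applied, each company's servers see one bjones plus the admin account and no collisions; the same tree queried unfiltered yields two entries with uid bjones, which is the situation the original question is worried about and exactly what the per-server filter is there to prevent. Where usernames are reused across companies, the RDN has to be something other than uid, and uidNumber still has to be unique within every server's view, so allocate it from one global range rather than per company.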