DefaultLDAPDITForUserGroupMgmt

Page history: renamed from EasyLDAPServerHardy; revision 1 dated 2007-11-19, revision 11 dated 2008-06-02. Revision 1 proposed this DIT layout:

  • dn: dc=example,dc=com
    • dn: cn=accounts
      • dn: cn=users
      • dn: cn=groups

Revision 11 replaced it with the layout used in the DIT layout section of the spec below:

  • dc=example,dc=com
    • ou=People
      • uid=login
    • ou=Groups
      • cn=groupname
Revision 11 also attached RFC references to the object classes and added the Samba classes. Users:

  • inetOrgPerson ([http://www.rfc-editor.org/rfc/rfc2798.txt RFC 2798])
  • posixAccount ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])
  • sambaSamAccount (Samba)

Groups:

  • posixGroup ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])
  • groupOfUniqueNames ([http://www.rfc-editor.org/rfc/rfc4519.txt RFC 4519])
  • sambaGroupMapping (Samba)

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

The spec describes a basic LDAP directory service for Ubuntu.

Release Note

Rationale

Installing the default OpenLDAP package requires a lot of manual steps before a complete directory infrastructure is up and running, and setting up the directory structure requires knowledge of schemas and LDAP trees.

Use Cases

  • Andrew installs an LDAP server on Ubuntu. After answering basic questions during the installation of the package, he can manage users and groups with the standard system utilities (adduser, addgroup) and set up other clients on his network to authenticate against his new LDAP directory.

Assumptions

Design

Installation

A new task in tasksel will be provided. It will install all the relevant packages (server and administration tools) and will also configure and integrate the different services.

Directory server

A default layout suitable for user and group management in a unix environment will be provided:

DIT layout

  • dc=example,dc=com
    • ou=People
      • uid=login
    • ou=Groups
      • cn=groupname

User/group management tools

Implementation

Installation

The user will be prompted for the base DN and the administrator password. The task will then populate a default DIT in the LDAP server. The administration tools will be configured to use the local LDAP server by default.

Installation of the necessary schemas should be done with the new configuration API (cn=config) available in OpenLDAP 2.4. Editing the slapd configuration file shouldn't be needed.

  • Daengbo: eBox already has a working LDAP server with integration. Can we simply make LDAP accessible remotely by default? That would solve a lot of the issues.

Directory server

OpenLDAP 2.4 will be used as the LDAP server.

Users will be defined with the following classes:

  • inetOrgPerson ([http://www.rfc-editor.org/rfc/rfc2798.txt RFC 2798])
  • posixAccount ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])
  • sambaSamAccount (Samba)

Groups will be defined with the following classes:

  • posixGroup ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])
  • groupOfUniqueNames ([http://www.rfc-editor.org/rfc/rfc4519.txt RFC 4519])
  • sambaGroupMapping (Samba)
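The DIT layout and object classes above, written out as LDIF and loaded the way the Implementation section describes (schemas through the OpenLDAP 2.4 cn=config API, then a default DIT populated as the admin DN): this is an added example, not the tasksel task's code or anything from the spec. It assumes slapd listening on ldapi:///, an admin DN of cn=admin under the base DN, schema LDIFs under /etc/ldap/schema/, and a constructed account alice with uidNumber 10000; the function names are the example's own. The Samba classes need Samba's own schema file, which this example does not load.

```shell
#!/bin/bash
# Added example for this spec page, not the tasksel task's own code.
# Builds the LDIF for the default DIT (ou=People / ou=Groups) and the
# inetOrgPerson+posixAccount / posixGroup entries listed above, and loads
# the schemas through the OpenLDAP 2.4 cn=config API.
# Assumptions not stated in the spec: slapd listens on ldapi:///, the
# admin DN is cn=admin,<base DN>, schema LDIFs are in /etc/ldap/schema/,
# and "alice" / uidNumber 10000 are constructed sample values.
set -u

# First dc value of a base DN: "dc=example,dc=com" -> "example".
base_dc() {
  printf '%s\n' "$1" | sed -n 's/^dc=\([^,]*\).*/\1/p'
}

# Base entry (dcObject is AUXILIARY, organization is STRUCTURAL) plus the
# two containers of the DIT layout.
base_dit_ldif() {
  local base="$1" dc
  dc=$(base_dc "$base")
  cat <<EOF
dn: $base
objectClass: top
objectClass: dcObject
objectClass: organization
dc: $dc
o: $dc

dn: ou=People,$base
objectClass: organizationalUnit
ou: People

dn: ou=Groups,$base
objectClass: organizationalUnit
ou: Groups
EOF
}

# One account (inetOrgPerson + posixAccount) and its primary group
# (posixGroup). $5 is a password hash as printed by slappasswd.
user_ldif() {
  local base="$1" login="$2" uidn="$3" gidn="$4" hash="$5"
  cat <<EOF
dn: uid=$login,ou=People,$base
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $login
cn: $login
sn: $login
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash
userPassword: $hash

dn: cn=$login,ou=Groups,$base
objectClass: posixGroup
cn: $login
gidNumber: $gidn
memberUid: $login
EOF
}

# Schemas behind the classes above, loaded via cn=config (no slapd.conf
# edit). cosine is a prerequisite of inetorgperson; nis holds posixAccount
# and posixGroup. The SASL EXTERNAL bind on ldapi:/// needs root. A schema
# that is already loaded makes ldapadd report "Already exists (68)".
load_schemas() {
  local s
  for s in cosine nis inetorgperson; do
    ldapadd -Y EXTERNAL -H ldapi:/// -f "/etc/ldap/schema/$s.ldif"
  done
}

# Populate the DIT as the admin DN over the local socket, then add one
# account. slappasswd prompts for the password and prints the {SSHA} hash,
# so no cleartext password appears on a command line or in the LDIF.
# -c keeps going if the package already created the base entry.
populate() {
  local base="$1" admin="cn=admin,$1" hash
  base_dit_ldif "$base" | ldapadd -c -x -D "$admin" -W -H ldapi:///
  hash=$(slappasswd)
  user_ldif "$base" alice 10000 10000 "$hash" | ldapadd -x -D "$admin" -W -H ldapi:///
}

# Stand-alone: print the base DIT LDIF for the base DN in $1 (default
# dc=example,dc=com). "--apply <base DN>" loads schemas and populates slapd.
case "${1:-}" in
  --apply) load_schemas; populate "${2:-dc=example,dc=com}" ;;
  *)       base_dit_ldif "${1:-dc=example,dc=com}" ;;
esac
```

Binding over ldapi:/// keeps the admin password off the network. If the directory is later made reachable from other hosts, as the eBox question above suggests, it should only be offered over TLS (ldaps:// or StartTLS), and the olcAccess rules should keep password hashes unreadable: `access to attrs=userPassword by self write by anonymous auth by * none` is the usual first rule, ahead of any rule that grants read access to the rest of the entry.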

Migration

Test/Demo Plan

Outstanding Issues

Directory server

  • Is groupOfUniqueNames really needed? Both posixGroup (nis.schema, RFC 2307) and groupOfUniqueNames (core.schema) are defined as STRUCTURAL object classes, and OpenLDAP requires every entry to have exactly one structural object class chain, so a single group entry cannot carry both. (RFC 2307bis, which OpenLDAP does not ship by default, redefines posixGroup as AUXILIARY so that it can be combined with groupOfUniqueNames.)
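What makes the two group classes clash, as an added example rather than anything from the spec or from slapd itself: the table below records the kind (STRUCTURAL, AUXILIARY, ABSTRACT) and superior of each object class this page names, taken from OpenLDAP's core.schema and nis.schema and from Samba's samba.schema, and `structural_classes` reproduces the rule that an entry may keep only one structural object class chain. The function names and the sample entries are this example's own.

```shell
#!/bin/sh
# Added example for the issue above, not code from the spec or from slapd.
# The kind (STRUCTURAL / AUXILIARY / ABSTRACT) and superior (SUP) of each
# object class named on this page come from OpenLDAP's core.schema,
# nis.schema (RFC 2307) and Samba's samba.schema; the function names and
# sample entries are this example's own.

# "<kind> <superior>" for one object class.
class_info() {
  case "$1" in
    top)                  echo "ABSTRACT -" ;;
    person)               echo "STRUCTURAL top" ;;
    organizationalPerson) echo "STRUCTURAL person" ;;
    inetOrgPerson)        echo "STRUCTURAL organizationalPerson" ;;
    organization)         echo "STRUCTURAL top" ;;
    organizationalUnit)   echo "STRUCTURAL top" ;;
    posixGroup)           echo "STRUCTURAL top" ;;
    groupOfUniqueNames)   echo "STRUCTURAL top" ;;
    dcObject)             echo "AUXILIARY top" ;;
    posixAccount)         echo "AUXILIARY top" ;;
    sambaSamAccount)      echo "AUXILIARY top" ;;
    sambaGroupMapping)    echo "AUXILIARY top" ;;
    *)                    echo "UNKNOWN -" ;;
  esac
}

# Every superior of a class, one per line, walking SUP links up to top.
ancestors() {
  local c="$1" sup
  while [ "$c" != top ] && [ "$c" != - ]; do
    sup=$(class_info "$c" | cut -d' ' -f2)
    if [ "$sup" = - ]; then break; fi   # unknown class, stop walking
    printf '%s\n' "$sup"
    c=$sup
  done
}

# The structural object classes an entry ends up with: the STRUCTURAL
# classes listed that are not a superior of another listed STRUCTURAL
# class. inetOrgPerson/organizationalPerson/person collapse to one chain;
# posixGroup and groupOfUniqueNames do not, as neither derives from the other.
structural_classes() {
  local c t listed="" out="" superior
  for c in "$@"; do
    if [ "$(class_info "$c" | cut -d' ' -f1)" = STRUCTURAL ]; then
      listed="$listed $c"
    fi
  done
  for c in $listed; do
    superior=no
    for t in $listed; do
      if [ "$t" != "$c" ] && ancestors "$t" | grep -qx "$c"; then
        superior=yes
        break
      fi
    done
    if [ "$superior" = no ]; then out="$out $c"; fi
  done
  printf '%s\n' "${out# }"
}

# slapd's rule: exactly one structural chain per entry. Returns 0 when the
# objectClass values given would be accepted, 1 when they would be rejected
# with an Object class violation.
check_entry() {
  local chains
  chains=$(structural_classes "$@")
  case "$chains" in
    "")    echo "rejected: no structural object class" >&2; return 1 ;;
    *" "*) echo "rejected: invalid structural object class chain ($(printf '%s' "$chains" | tr ' ' /))" >&2; return 1 ;;
    *)     return 0 ;;
  esac
}

# Stand-alone demo: a user entry as proposed, and a group entry that mixes
# both group classes (constructed sample entries).
for entry in "inetOrgPerson posixAccount sambaSamAccount" \
             "posixGroup groupOfUniqueNames sambaGroupMapping"; do
  if check_entry $entry; then echo "accepted: $entry"; fi
done
```

The user entry passes because posixAccount and sambaSamAccount are AUXILIARY and ride on the single inetOrgPerson chain; the group entry is rejected, which is the violation slapd reports for a posixGroup that also lists groupOfUniqueNames. Dropping either class, or switching posixGroup to the AUXILIARY definition from RFC 2307bis, makes the entry loadable.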

Launchpad Blueprint Discrepancy

What LDAP server will this project use? The blueprint states "LDAP server - OpenLDAP or Fedora" while this page appears to only list OpenLDAP.

OpenLDAP does not have the [http://www.linuxjournal.com/article/9517 redundancy] and [http://www.oreillynet.com/sysadmin/blog/2006/07/a_new_favorite_fedora_director.html ease-of-use] features of Fedora Directory Server (FDS). While you can configure OpenLDAP to do anything while on anything, this is a disadvantage as documentation is full of provisos and asides due to the wildly different back ends and configurations.

In the vast majority of schools and businesses the only advantage of OpenLDAP -- speed -- is trivial when compared to the benefits of FDS: ease of use and the clear documentation. The FDS GUI could be packaged separately to assuage size & dependency concerns.

Please choose wisely and make the pages agree.

BoF agenda and discussion


CategorySpec

DefaultLDAPDITForUserGroupMgmt (last edited 2008-08-06 16:15:55 by localhost)