DefaultLDAPDITForUserGroupMgmt

Differences between revisions 11 and 18 (spanning 7 versions)
Revision 11 as of 2008-06-02 22:42:31
Size: 4079
Editor: dsl-216-254-165-243
Comment:
Revision 18 as of 2008-08-06 16:15:55
Size: 4258
Editor: localhost
Comment: converted to 1.6 markup
Deletions are text present only in revision 11; additions are text present only in revision 18. Where a line was changed, the revision 11 text is followed by the revision 18 text.
Line 6: Line 6:
Revision 11:  * '''Launchpad Entry''': UbuntuSpec:identity-management
Revision 18:  * '''Launchpad Entry''': UbuntuSpec:ldap-defaultdit-usergrp-mgmt
Line 11: Line 11:
Revision 11: The spec describes a basic LDAP directory service for Ubuntu.
Revision 18: The spec describes a default LDAP DIT to manage Users and Groups using an Ubuntu Server.
Line 17: Line 17:
Revision 11: Installing the default openldap package requires a lot of manual steps to get a complete directory infrastructure up and running. Setting up the directory structure requires knowledge about schemas and ldap trees.
Revision 18: Installing the default openldap package requires a lot of manual steps to get a complete directory infrastructure up and running. Setting up the directory structure requires knowledge about schemas and ldap trees. Let's provide a default DIT to handle the common use case of managing User and Groups with an LDAP infrastructure using Ubuntu Server as the LDAP server.
Line 23: Line 23:
Revision 11:  * Andrew installs an ldap server on ubuntu. After answering basic questions during the installation of the package, he can manage users and groups with the standard system utils (adduser, addgroup) and setup other clients in his network to authenticate against his new ldap directory.
Revision 18:  * Andrew installs an LDAP server on Ubuntu. After answering basic questions during the installation of the package, he has a default LDAP infrastructure ready to manage Users and Groups. He can set up other systems in his network to authenticate against his new LDAP directory.
Line 27: Line 27:
User and Group management tools are not covered by this specification.
Line 29: Line 31:
Revision 11: === Installation ===
Revision 18: A default layout suitable for user and group management in a unix environment will be provided:
Line 31: Line 33:
A new task in tasksel will be provided. It will install all the relevant packages (server and administration tools). Configuration and integration of the different services will also be provided by the task.


=== Directory server ===

A default layout suitable for user and group management in a unix environment will be provided:
=== Schemas available by default ===
 * Unix account information:
   * inetorgperson.schema
   * nis.schema
Line 41: Line 41:
Revision 11:      * uid=login
Revision 18:      * uid=username
Line 45: Line 45:
Revision 11: === User/group management tools ===
Revision 18: === Windows networking support ===

Samba can use LDAP as the backend (the ldapsam passdb backend) to store user and machine account information. It uses the samba.schema file shipped in the samba package.

==== DIT Layout ====

The following changes are needed:
 * New container for Computer accounts:
   * dc=example, dc=com
     * ou=Computers
 * New sambaDomain object for domain information:
   * dc=example, dc=com
     * ou=Services
       * ou=WindowsDomains
         * sambaDomainName=ExampleDomain (sambaDomain objectClass)
 * Additional objectClasses for User accounts:
   * sambaSamAccount
 * Additional objectClasses for Groups:
   * sambaGroupMapping

=== Kerberos support ===

MIT Kerberos can use LDAP as the backend for its KDC database (KDB). It uses the kerberos.schema file shipped in the MIT Kerberos packages.

==== DIT Layout ====

The following changes are needed:
 * New krbContainer container for all the realms in a tree:
   * dc=example, dc=com:
     * ou=Services
       * ou=KerberosRealms
 * New krbRealmContainer entries to hold realm specific data:
   * dc=example, dc=com:
     * ou=Services
       * ou=KerberosRealms
         * cn=ExampleRealm (krbRealmContainer objectClass)
Line 49: Line 84:
=== Installation ===

The user will be prompted for the base DN and the administrator password. The task will then populate a default DIT in the LDAP server. The administration tools will be configured to use the local LDAP server by default.

Installation of the necessary schemas should be done with the new configuration API (cn=config) available in OpenLDAP 2.4. Editing slapd.conf by hand shouldn't be needed.

 * '''Daengbo''': eBox already has a working LDAP server with integration. Can we simply make LDAP accessible remotely by default? That would solve a lot of the issues.

=== Directory server ===
Line 60: Line 86:
Users will be defined with the following classes:
  * inetOrgPerson ([http://www.rfc-editor.org/rfc/rfc2798.txt RFC 2798])
  * posixAccount ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])
  * sambaSamAccount (samba)
A new package, ubuntu-default-dit, will create the DIT structure outlined above.
It will use the cn=config infrastructure to install the additional schemas and then create a new database backend to hold the new tree. Editing slapd.conf by hand shouldn't be needed.
Line 65: Line 89:
Groups will be defined with the following classes:
  * posixGroup ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])
  * groupOfUniqueNames ([http://www.rfc-editor.org/rfc/rfc4519.txt RFC 4519])
  * sambaGroupMapping(Samba)

=== Migration ===


== Test/Demo Plan ==
The smbk5pwd overlay will be loaded by default to keep Unix, Samba and Kerberos authentication information synchronised. However, the overlay is designed to support Heimdal; changes may be needed to support the MIT KDB.
Line 78: Line 93:
Revision 11: === Directory server ===
Revision 18:  * Should we try to provide optional support in the DIT for Windows Networking and Kerberos via different packages (e.g. ubuntu-samba-dit, ubuntu-kerberos-dit)?
 * How should Samba ID mapping (idmap) be handled?
Line 80: Line 96:
 * Is groupOfUniqueNames really needed? posixGroup (RFC 2307) and groupOfUniqueNames are both defined as STRUCTURAL classes, and OpenLDAP does not allow one entry to combine two unrelated structural classes.

== Launchpad Blueprint Discrepancy ==

What LDAP server will this project use? The blueprint states "LDAP server - OpenLDAP or Fedora" while this page appears to only list OpenLDAP.

OpenLDAP does not have the [http://www.linuxjournal.com/article/9517 redundancy] and [http://www.oreillynet.com/sysadmin/blog/2006/07/a_new_favorite_fedora_director.html ease-of-use] features of Fedora Directory Server (FDS). While you can configure OpenLDAP to do anything while on anything, this is a disadvantage as documentation is full of provisos and asides due to the wildly different back ends and configurations.

In the vast majority of schools and businesses the only advantage of OpenLDAP -- speed -- is trivial when compared to the benefits of FDS: ease of use and the clear documentation. The FDS GUI could be packaged separately to assuage size & dependency concerns.

'''Please choose wisely and make the pages agree.'''
== Resources ==
 * [[http://www.freeipa.org|FreeIPA]]:
   * [[http://www.freeipa.com/page/UsingRhdsWithIpa#DIT_Requirements|DIT Requirements]]
 * [[http://mds.mandriva.org/|Mandriva Directory Server]]
   * [[http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT|Mandriva Openldap DIT]]
 * [[http://images.apple.com/server/macosx/docs/Open_Directory_Admin_v10.5_2nd_Ed.pdf|Mac OS X Server 10.5 Open Directory ]]
   Details Apple's DIT, e.g. uid=username,cn=users

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

The spec describes a default LDAP DIT to manage Users and Groups using an Ubuntu Server.

Release Note

Rationale

Installing the default openldap package requires a lot of manual steps to get a complete directory infrastructure up and running. Setting up the directory structure requires knowledge about schemas and ldap trees. Let's provide a default DIT to handle the common use case of managing User and Groups with an LDAP infrastructure using Ubuntu Server as the LDAP server.

Use Cases

  • Andrew installs an LDAP server on Ubuntu. After answering basic questions during the installation of the package, he has a default LDAP infrastructure ready to manage Users and Groups. He can set up other systems in his network to authenticate against his new LDAP directory.

Assumptions

User and Group management tools are not covered by this specification.

Design

A default layout suitable for user and group management in a unix environment will be provided:

Schemas available by default

  • Unix account information:
    • inetorgperson.schema
    • nis.schema

DIT layout

  • dc=example,dc=com
    • ou=People
      • uid=username
    • ou=Groups
      • cn=groupname

Windows networking support

Samba can use LDAP as the backend (the ldapsam passdb backend) to store user and machine account information. It uses the samba.schema file shipped in the samba package.

DIT Layout

The following changes are needed:

  • New container for Computer accounts:
    • dc=example, dc=com
      • ou=Computers
  • New sambaDomain object for domain information:
    • dc=example,dc=com
      • ou=Services
        • ou=WindowsDomains
          • sambaDomainName=ExampleDomain (sambaDomain objectClass)
  • Additional objectClasses for User accounts:
    • sambaSamAccount
  • Additional objectClasses for Groups:
    • sambaGroupMapping

Kerberos support

MIT Kerberos can use LDAP as the backend for its KDC database (KDB). It uses the kerberos.schema file shipped in the MIT Kerberos packages.

DIT Layout

The following changes are needed:

  • New krbContainer container for all the realms in a tree:
    • dc=example,dc=com
      • ou=Services
        • ou=KerberosRealms
  • New krbRealmContainer entries to hold realm specific data:
    • dc=example,dc=com
      • ou=Services
        • ou=KerberosRealms
          • cn=ExampleRealm (krbRealmContainer objectClass)
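The layout above, including the Samba and Kerberos additions, as an added example (this is not code from the spec or from the ubuntu-default-dit package): a Python script that emits the containers, one sample user and one sample group as LDIF and checks offline what ldapadd would reject. Names, uid/gid numbers and the domain SID are constructed sample values; the objectClass kinds and superiors are taken from the schemas the spec names (core, inetorgperson, RFC 2307 nis.schema, samba.schema, MIT kerberos.schema), and RFC2307BIS_KIND models the rfc2307bis variant in which posixGroup is AUXILIARY. ou=KerberosRealms is modelled as a plain organizationalUnit, an assumption since the spec does not state its objectClass.

```python
"""Default DIT from the spec as LDIF, with offline checks (added example).

Object class kinds/superiors come from the schemas the spec names; SIDs,
names and id numbers below are constructed sample values.
"""
BASE = "dc=example,dc=com"
SAMPLE_SID = "S-1-5-21-1000000000-2000000000-3000000000"  # constructed domain SID

# slapd accepts exactly one STRUCTURAL class chain per entry; all others must be AUXILIARY
KIND = {
    "dcObject": "AUXILIARY", "organization": "STRUCTURAL", "organizationalUnit": "STRUCTURAL",
    "person": "STRUCTURAL", "organizationalPerson": "STRUCTURAL", "inetOrgPerson": "STRUCTURAL",
    "posixAccount": "AUXILIARY",
    "posixGroup": "STRUCTURAL",          # RFC 2307, as shipped in nis.schema
    "groupOfUniqueNames": "STRUCTURAL",  # RFC 4519
    "sambaSamAccount": "AUXILIARY", "sambaGroupMapping": "AUXILIARY", "sambaDomain": "STRUCTURAL",
    "krbRealmContainer": "STRUCTURAL",
}
RFC2307BIS_KIND = dict(KIND, posixGroup="AUXILIARY")  # rfc2307bis.schema makes posixGroup AUXILIARY
SUP = {"inetOrgPerson": "organizationalPerson", "organizationalPerson": "person"}


def structural_chain_ok(classes, kind=KIND):
    """True if the entry's STRUCTURAL classes form a single superclass chain."""
    structural = [c for c in classes if kind[c] == "STRUCTURAL"]

    def ancestors(c):
        seen = set()
        while c in SUP:
            c = SUP[c]
            seen.add(c)
        return seen

    return any(all(o == leaf or o in ancestors(leaf) for o in structural) for leaf in structural)


def ou(name, parent=BASE):
    return (f"ou={name},{parent}", {"objectClass": ["organizationalUnit"], "ou": [name]})


def user_entry(uid, uid_number, gid_number, samba=True):
    classes = ["inetOrgPerson", "posixAccount"]
    attrs = {"objectClass": classes, "uid": [uid], "cn": [uid], "sn": [uid],
             "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
             "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/bash"]}
    if samba:  # sambaSamAccount MUST have sambaSID; RID 2*uid+1000 is Samba's algorithmic default
        classes.append("sambaSamAccount")
        attrs["sambaSID"] = [f"{SAMPLE_SID}-{2 * uid_number + 1000}"]
    return (f"uid={uid},ou=People,{BASE}", attrs)


def group_entry(cn, gid_number, members, samba=True):
    classes = ["posixGroup", "groupOfUniqueNames"]
    attrs = {"objectClass": classes, "cn": [cn], "gidNumber": [str(gid_number)],
             "uniqueMember": [f"uid={m},ou=People,{BASE}" for m in members]}
    if samba:  # sambaGroupMapping MUST have gidNumber, sambaSID, sambaGroupType (2 = domain group)
        classes.append("sambaGroupMapping")
        attrs["sambaSID"] = [f"{SAMPLE_SID}-{2 * gid_number + 1001}"]
        attrs["sambaGroupType"] = ["2"]
    return (f"cn={cn},ou=Groups,{BASE}", attrs)


def default_dit(samba=True, kerberos=True):
    """Containers from the spec's DIT layout plus one sample user and group."""
    entries = [(BASE, {"objectClass": ["dcObject", "organization"], "dc": ["example"], "o": ["Example"]}),
               ou("People"), ou("Groups")]
    if samba or kerberos:
        entries.append(ou("Services"))
    if samba:
        entries += [ou("Computers"), ou("WindowsDomains", f"ou=Services,{BASE}"),
                    (f"sambaDomainName=ExampleDomain,ou=WindowsDomains,ou=Services,{BASE}",
                     {"objectClass": ["sambaDomain"], "sambaDomainName": ["ExampleDomain"],
                      "sambaSID": [SAMPLE_SID]})]
    if kerberos:  # ou=KerberosRealms modelled as a plain organizationalUnit (assumption)
        entries += [ou("KerberosRealms", f"ou=Services,{BASE}"),
                    (f"cn=ExampleRealm,ou=KerberosRealms,ou=Services,{BASE}",
                     {"objectClass": ["krbRealmContainer"], "cn": ["ExampleRealm"]})]
    entries.append(user_entry("jdoe", 10000, 10000, samba))
    entries.append(group_entry("users", 10000, ["jdoe"], samba))
    return entries


def check_tree(entries, kind=KIND):
    """Problems ldapadd would report, in load order: missing parent, RDN not in entry, class clash."""
    problems, seen = [], set()
    for dn, attrs in entries:
        rdn, _, parent = dn.partition(",")
        rdn_attr, _, rdn_value = rdn.partition("=")
        if dn != BASE and parent not in seen:
            problems.append(f"{dn}: parent {parent} is not loaded before its child")
        if rdn_value not in attrs.get(rdn_attr, []):
            problems.append(f"{dn}: RDN {rdn} is not an attribute value of the entry")
        if not structural_chain_ok(attrs["objectClass"], kind):
            problems.append(f"{dn}: {attrs['objectClass']} has no single structural class chain")
        seen.add(dn)
    return problems


def to_ldif(entries):
    out = []
    for dn, attrs in entries:
        out.append(f"dn: {dn}")
        out += [f"{attr}: {value}" for attr, values in attrs.items() for value in values]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    dit = default_dit()
    print(to_ldif(dit))
    for problem in check_tree(dit):
        print("PROBLEM:", problem)
    print("with rfc2307bis posixGroup:", check_tree(dit, RFC2307BIS_KIND) or "clean")
```

Running it prints the LDIF followed by exactly one problem: cn=users,ou=Groups combines posixGroup and groupOfUniqueNames, two unrelated STRUCTURAL classes, which slapd rejects as an objectClass violation. With the rfc2307bis kinds the same entry is clean. This is the groupOfUniqueNames question raised in revision 11 of this page; the usual answers are to drop groupOfUniqueNames from the group entries or to ship rfc2307bis.schema instead of nis.schema.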

Implementation

OpenLDAP 2.4 will be used as the LDAP server.

A new package, ubuntu-default-dit, will create the DIT structure outlined above. It will use the cn=config infrastructure to install the additional schemas and then create a new database backend to hold the new tree. Editing slapd.conf by hand shouldn't be needed.

The smbk5pwd overlay will be loaded by default to keep Unix, Samba and Kerberos authentication information synchronised. However, the overlay is designed to support Heimdal; changes may be needed to support the MIT KDB.

Outstanding Issues

  • Should we try to provide optional support in the DIT for Windows Networking and Kerberos via different packages (e.g. ubuntu-samba-dit, ubuntu-kerberos-dit)?
  • How should Samba ID mapping (idmap) be handled?

Resources

BoF agenda and discussion


CategorySpec

DefaultLDAPDITForUserGroupMgmt (last edited 2008-08-06 16:15:55 by localhost)