Ubuntu Wiki

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

• Launchpad Entry: identity-management

• Packages affected:

Summary

The spec describes a basic LDAP directory service for Ubuntu.

Release Note

Rationale

Installing the default openldap package requires a lot of manual steps to get a complete directory infrastructure up and running. Setting up the directory structure requires knowledge about schemas and ldap trees.

Use Cases

• Andrew installs an ldap server on ubuntu. After answering basic questions during the installation of the package, he can manage users and groups with the standard system utils (adduser, addgroup) and setup other clients in his network to authenticate against his new ldap directory.

Assumptions

Design

Installation

A new task in tasksel will be provided. It will install all the relevant packages (server and administration tools). Configuration and integration of the different services will also be provided by the task.

Directory server

A default layout suitable for user and group management in a unix environment will be provided:

DIT layout

• dc=example,dc=com
  • ou=People
    • uid=login
  • ou=Groups
    • cn=groupname

User/group management tools

Implementation

Installation

The user will be prompted for the base dn, the administrator password. The task will then populate a default DIT in the ldap server. The administration tools will be configured to use the local ldap server by default.

Installation of the necessary schemas should be done with the new configuration api available in openldap 2.4. Editing the slapd configuration shouldn't be needed.

Directory server

Openldap 2.4 will be used as the ldap server.

Users will be defined with the following classes:

• inetOrgPerson ([http://www.rfc-editor.org/rfc/rfc2798.txt RFC 2798])

• posixAccount ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])

• sambaSamAccount (samba)

Groups will be defined with the following classes:

• posixGroup ([http://www.rfc-editor.org/rfc/rfc2307.txt RFC 2307])

• groupOfUniqueNames ([http://www.rfc-editor.org/rfc/rfc4519.txt RFC 4519])

• sambaGroupMapping(Samba)

Migration

Test/Demo Plan

Outstanding Issues

Directory server

• Is groupOfUniqueNames really needed ? Both posixGroup and groupOfUniqueNames are defined as structural classes, which isn't allowed by openldap.

Launchpad Blueprint Discrepancy

What LDAP server will this project use? The blueprint states "LDAP server - OpenLDAP or Fedora" while this page appears to only list OpenLDAP.

OpenLDAP does not have the [http://www.linuxjournal.com/article/9517 redundancy] and [http://www.oreillynet.com/sysadmin/blog/2006/07/a_new_favorite_fedora_director.html ease-of-use] features of Fedora Directory Server (FDS). While you can configure OpenLDAP to do anything while on anything, this is a disadvantage as documentation is full of provisos and asides due to the wildly different back ends and configurations.

In the vast majority of schools and businesses the only advantage of OpenLDAP -- speed -- is a trivial when compared to the benefits of FDS: ease of use and the clear documentation. The FDS GUI could be packaged separately to assuage size & dependency concerns.

Please choose wisely and make the pages agree.

BoF agenda and discussion

CategorySpec