Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

• Launchpad Entry: ldap-defaultdit-usergrp-mgmt

• Packages affected:

Summary

The spec describes a default LDAP DIT to manage Users and Groups using an Ubuntu Server.

Release Note

Rationale

Installing the default openldap package requires a lot of manual steps to get a complete directory infrastructure up and running. Setting up the directory structure requires knowledge about schemas and ldap trees. Let's provide a default DIT to handle the common use case of managing User and Groups with an LDAP infrastructure using Ubuntu Server as the LDAP server.

Use Cases

• Andrew installs an ldap server on ubuntu. After answering basic questions during the installation of the package, he has a default LDAP infrastructure ready to manage Users and Groups. He can setup others systems in his network to authenticate against his new ldap directory.

Assumptions

User and Group management tools are not covered by this specification.

Design

A default layout suitable for user and group management in a unix environment will be provided:

Schemas available by default

• Unix account information:
  • inetorgperson.schema
  • nis.schema

DIT layout

• dc=example,dc=com
  • ou=People
    • uid=username
  • ou=Groups
    • cn=groupname

Windows networking support

samba can use ldap as backend to store user and machine account information. It uses a samba.schema file available in the samba package.

DIT Layout

The following changes are needed:

• New container for Computer accounts:
  • dc=example, dc=com
    • ou=Computers
• New sambaDomain object for domain information:
  • dc=example, dc=com
    • ou=Services

      • ou=WindowsDomains

        • sambaDomainName=ExampleDomain (sambaDomain objectClass)

• Additional objectClasses for User accounts:
  • sambaSamAccount
• Additional objectClasses for Groups:
  • sambaGroupMapping

Kerberos support

MIT can use ldap as a backend for their kdb. It uses a kerberos.schema file available in the MIT package.

DIT Layout

The following changes are needed:

• New krbContainer container for all the realms in a tree:
  • dc=example, dc=com:
    • ou=Services

      • ou=KerberosRealms

• New krbRealmContainer entries to hold realm specific data:
  • dc=example, dc=com:
    • ou=Services

      • ou=KerberosRealms

        • cn=ExampleRealm (krbRealmContainer objectClass)

Implementation

Openldap 2.4 will be used as the ldap server.

A new package, ubuntu-default-dit, will create the DIT structure outlined above. It will use the cn=config infrastructure to install additional schemas and then create a new db backend to hold the new tree. Editing the slapd configuration shouldn't be needed.

The sambak5pwd overlay will be loaded by default to keep unix, samba and kerberos authentication information synchronised. However the overlay is designed to support Heimdal. Changes may need to be done to support MIT KDB.

Outstanding Issues

• Should we try to provide optional support in the DIT for Windows Networking and Kerberos via different packages (eg ubuntu-samba-dit, ubuntu-kerberos-dit) ?
• How should Samba Idmapping be handled ?

Resources

• FreeIPA:

  • DIT Requirements

• Mandriva Directory Server

  • Mandriva Openldap DIT

• Mac OS X Server 10.5 Open Directory

  • Details Apple's DIT, e.g. uid=username,cn=users

BoF agenda and discussion

---

CategorySpec