EasyLDAPServerFeisty
Revision 1 as of 2006-11-10 19:47:58
Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.
Launchpad entry: none yet
Packages affected:
Summary
This spec outlines what is possible to implement from EasyLDAPServer for the Feisty Release.
Rationale
Use cases
Scope
Design
Implementation
- Use OpenLDAP for Feisty
  - Switch to Fedora Directory Server when the packaging is fixed.
  - Use a task to select "Install a Directory Server"
- Include the schema in a package
  - Follow the POSIX schema.
  - Include Samba and have OpenLDAP include the Samba schema.
- Windows clients
  - Covered in the NetworkAuth spec
  - But put the schema in the .. (help)
- LDIF file
  - Includes default OUs
- Kerberos
  - Going with Heimdal
  - No sufficiently good way to store keys in LDAP. (Poorly?) wasabi: It's very poor.
  - If forcing Kerberos by default, then we don't care about SSL for LDAP.
  - But we need to check that SASL encrypts via Kerberos
- LDAP configuration file
  - Turn off anonymous binds.
  - Turn off simple binds.
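The last two points (anonymous and simple binds off, SASL actually encrypting rather than only authenticating) can be checked mechanically. The script below is an added example, not part of the spec or of any Ubuntu package: it parses a slapd.conf, then reports which of the three requirements a configuration misses. The two configuration samples and the `dc=example,dc=com` suffix are constructed for the check.

```python
"""Check slapd.conf against the Feisty points above: anonymous and simple
binds off, and SASL (Kerberos via GSSAPI) required to encrypt the session."""
import re

MIN_SSF = 56  # lowest security strength factor OpenLDAP treats as encrypted

# Constructed samples for the check, not a shipped Ubuntu configuration.
WEAK_CONF = """\
include /etc/ldap/schema/core.schema
suffix "dc=example,dc=com"
"""
HARDENED_CONF = """\
include /etc/ldap/schema/core.schema
# Kerberos via SASL/GSSAPI only: refuse anonymous and simple (password) binds
disallow bind_anon
         bind_simple
sasl-secprops noanonymous,noplain,minssf=56
security sasl=56
suffix "dc=example,dc=com"
"""

def parse_slapd_conf(text):
    """Return (directive, args) pairs; a line starting with whitespace continues
    the previous line (comments included), '#' and blank lines are dropped."""
    entries, skip = [], True
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t"):
            if not skip:
                name, args = entries[-1]
                entries[-1] = (name, (args + " " + raw.strip()).strip())
            continue
        skip = not raw.strip() or raw.startswith("#")
        if not skip:
            parts = raw.strip().split(None, 1) + [""]
            entries.append((parts[0].lower(), parts[1]))
    return entries

def audit(text):
    """Return findings in plain words; an empty list means all three hold."""
    disallowed, ssf = set(), 0
    for name, args in parse_slapd_conf(text):
        if name == "disallow":
            disallowed.update(args.split())
        elif name in ("security", "sasl-secprops"):
            # security ssf=/sasl= and sasl-secprops minssf= all raise the floor
            for m in re.finditer(r"\b(?:ssf|sasl|minssf)=(\d+)", args):
                ssf = max(ssf, int(m.group(1)))
    findings = []
    if "bind_anon" not in disallowed:
        findings.append('anonymous binds allowed: add "disallow bind_anon"')
    if "bind_simple" not in disallowed:
        findings.append('simple binds allowed: add "disallow bind_simple"')
    if ssf < MIN_SSF:
        findings.append("SASL not forced to encrypt: set security sasl=%d and "
                        "sasl-secprops minssf=%d" % (MIN_SSF, MIN_SSF))
    return findings
```

Run `audit()` over the real /etc/ldap/slapd.conf to get the list of missing directives; the weak sample yields all three findings and the hardened one yields none.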
Scope for Feisty:
- OpenLDAP working OOTB with Kerberos
- user management tools (CLI & GUI)
  - these must automatically handle Kerberos principals correctly
  - the GUI tools
    - no such tools appear to exist at this time; an existing tool will need to be modified; possibilities include:
      - LAT - proposed for GNOME? (Don't think it'll make it)
      - EDSAdmin - Edubuntu is using this and removing the other tools from the menu.
      - cpu
      - gnome-system-tools
      - gosa2 (https://gosa.gonicus.de/) Munich uses it, btw
      - smbldap-tools
- cfengine/puppet
  - Not specific, don't care.
  - someone: Use gconf and ldap. someone else: I don't like that idea.
Proposed schema amendment: (pixelpapst)
- Debian and Ubuntu have a primary group for every user
  - this clutters the directory
- in our setup, we defined an AUXILIARY objectClass "debianGroup"
  - this can be combined with groupOfNames like posixGroup
  - but also with inetOrgPerson like posixAccount already is
  - the difference to posixGroup is basically that the group name is stored in "uid" instead of "cn"
- libnss_ldap and libpam_ldap config has to be changed (in an easy but non-obvious way)
  - patching them to support this would be easier
- backwards-compatibility to setups using posixGroup should be investigated more
  - can you derive an AUXILIARY objectClass from another AUXILIARY?
Code
Data preservation and migration
Unresolved issues
BoF agenda and discussion
EasyLDAPServerFeisty (last edited 2008-08-06 16:27:25 by localhost)