EasyLDAPServerFeisty

Differences between revisions 1 and 2
Revision 1 as of 2006-11-10 19:47:58
Size: 701
Editor: 65
Comment:
Revision 2 as of 2006-11-10 19:49:51
Size: 2857
Editor: 65
Comment:

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

  • Launchpad entry: none yet

  • Packages affected:

Summary

This spec outlines what is possible to implement from EasyLDAPServer for the Feisty Release.

Rationale

Use cases

Scope

Design

Implementation

- Use OpenLDAP for feisty
- Switch to Fedora Directory Server when the packaging is fixed.
- Use a task to select "Install a Directory Server"

- Include the schema in a package
  - Follow POSIX schema.
  - Include SAMBA and have openldap include Samba schema.
- Windows Clients
  - Covered in the NetworkAuth
  - But put the schema in the .. (help)
- LDIF file
  - Includes default OUs
- Kerberos
  - Going with Heimdal
  - No sufficiently good way to store keys in LDAP. (Poorly?) wasabi: It's very poor.
  - If forcing Kerberos by default, then we don't care about SSL for LDAP.
    - But we need to check that SASL encrypts via Kerberos
- LDAP Configuration File
  - Turn off anonymous binds.
  - Turn off simple binds.
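The two configuration-file items above, and the "check that SASL encrypts via Kerberos" point under Kerberos, map onto a handful of slapd.conf directives. The fragment below is an added example, not text from the spec or from any Ubuntu package; the realm EXAMPLE.COM, the suffix dc=example,dc=com and the file paths are placeholders.

```conf
# Added example (not part of the spec): slapd.conf fragment for an
# OpenLDAP server that only accepts Kerberos (SASL/GSSAPI) authentication.

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema

# "Turn off anonymous binds" and "turn off simple binds":
#   bind_anon   rejects explicit anonymous bind requests
#   bind_simple rejects simple (cleartext password) binds
disallow        bind_anon bind_simple

# disallow bind_anon alone does not stop a client that never binds from
# issuing operations anonymously; require authc makes every operation
# come from an authenticated session.
require         authc

# Require a security strength factor on every session. Without TLS this
# can only be met by a SASL mechanism that negotiates a security layer,
# so GSSAPI must negotiate integrity+privacy (not just authentication).
# ssf=56 is the conventional minimum; raise it if stronger enctypes are
# expected. This is the "SASL encrypts via Kerberos" check in config form.
security        ssf=56

# Map incoming Kerberos principals (user@EXAMPLE.COM) onto directory
# entries. Realm and suffix are placeholders.
sasl-realm      EXAMPLE.COM
authz-regexp    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
                ldap:///dc=example,dc=com??sub?(uid=$1)

database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
```

With these settings a client doing `ldapsearch -Y GSSAPI` after `kinit` works, while `ldapsearch -x` (simple or anonymous) is refused; the `security` line additionally fails any GSSAPI session whose negotiated layer offers less than the stated SSF, which is the behaviour the Kerberos item asks to verify.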

Scope for Feisty:
  * OpenLDAP working OOTB with Kerberos
  * user management tools (CLI & GUI)
    * these must automatically handle Kerberos principals correctly
    * the GUI tools
    * no such tools appear to exist at this time; an existing tool will need to be modified; possibilities include:
      - LAT - proposed for GNOME? (Don't think it made it)
      - EDSAdmin - Edubuntu is using this and removing the other tools from the menu.
      - cpu
      - gnome-system-tools
      - gosa2 (https://gosa.gonicus.de/) munich uses it, btw
      - smbldap-tools

* cfengine/puppet
  - Not specific, don't care.
  - someone: Use gconf and ldap. someone else: I don't like that idea.


----
Proposed schema amendment: (pixelpapst)
- debian and ubuntu have a primary group for every user
- this clutters the directory
- in our setup, we defined an AUXILIARY objectClass "debianGroup"
- this can be combined with groupOfNames like posixGroup
- but also with inetOrgPerson like posixAccount already is
- difference to posixGroup is basically that the group name is stored in "uid" instead of "cn"
- libnss_ldap and libpam_ldap config has to be changed (in an easy but non-obvious way) - patching them to support this would be easier
- backwards-compatibility to setups using posixGroup should be investigated more
  - can you derive an AUXILIARY objectClass from another AUXILIARY ?
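To make the amendment concrete, here is one way the proposed "debianGroup" class could be written in OpenLDAP schema syntax. This is an added example, not pixelpapst's actual schema and not part of the spec; the OID is a placeholder, and the entry layouts in the comments are constructed to show how the class stacks onto user and group entries.

```conf
# Added example (not from the spec or from pixelpapst's setup): a
# debianGroup AUXILIARY objectClass as described in the amendment.
# Load after nis.schema (gidNumber, memberUid) and core.schema (uid).
# The OID 1.3.6.1.4.1.99999.1.2.1 is a PLACEHOLDER; use an OID from
# your organisation's own registered arc.
#
# Compared with posixGroup (MUST cn $ gidNumber), the group name lives in
# uid rather than cn. Because the class is AUXILIARY it can be stacked on
# an existing STRUCTURAL entry:
#
#   user entry:  objectClass inetOrgPerson + posixAccount + debianGroup
#                uid=jdoe  uidNumber=1000  gidNumber=1000
#                -> the user entry is also its own primary group: uid is
#                   both login name and group name, and the single
#                   gidNumber value satisfies posixAccount and debianGroup,
#                   so no separate cn=jdoe posixGroup entry is needed.
#
#   group entry: objectClass groupOfNames + debianGroup
#                uid=developers  gidNumber=2000
#                (groupOfNames still contributes its own cn and member
#                 requirements; debianGroup only adds uid and gidNumber.)

objectclass ( 1.3.6.1.4.1.99999.1.2.1
    NAME 'debianGroup'
    DESC 'Auxiliary POSIX group whose name is stored in uid rather than cn'
    SUP top
    AUXILIARY
    MUST ( uid $ gidNumber )
    MAY ( userPassword $ memberUid $ description ) )
```

The "easy but non-obvious" client-side change the amendment mentions follows from this layout: an nss_ldap group lookup that filters on `objectClass=posixGroup` and reads the group name from `cn` would instead have to select `objectClass=debianGroup` entries and take the name from `uid`, which in PADL nss_ldap means adjusting the `nss_base_group` filter and the group-name attribute mapping rather than only the search base.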

Code

Data preservation and migration

Unresolved issues

BoF agenda and discussion


CategorySpec

EasyLDAPServerFeisty (last edited 2008-08-06 16:27:25 by localhost)