Schema design help for a newbie

Hi,

This is an absolute LDAP newbie here, so be gentle when pointing those
flamethrowers :-)

I'm working on a free software (Open Source in corpspeak) Perl/Web
based project for provisioning for a web/mail service provider.
(It'll be GPL'ed when it's complete).  I plan to use LDAP as the base
database for holding client, domain and user information.

Having already made a prototype schema for holding the above
information, I feel that it is not necessarily the ideal way of going
about it.  The Information I need to store includes:

Client information:
	Unix userID
	Home directory
	some admin stuff (renewal date, payment status, etc)
	description

Virtual Domain:
	domain name
	client name
	ip address
	htdocs/log/cgibin directories
	apache-specific stuff (ssl/special modules required)
	disk quota

Virtual Email User:
	user ID
	virtual domain
	Client name
	mail directory
	mailbox file
	autoreply message file
	forward address(es)
	disk quota

I'd like some advice from you LDAP design gurus on the following:

- What would be a good design for a schema which needs to hold all
this information?  Obviously, performance, extensibility,
completeness, security and maintainability are the prime
considerations for the schema.  I find that I'm unable to add any top
level stuff (e.g. if the virtual host is abcd.com, I am unable to
create a dn:dc=abcd,dc=com), only stuff under the TLD of the LDAP
database (e.g. dn:dc=abcd,dc=com,dc=toplevelhost,dc=topleveldomain).

- Is it possible to make this hierarchical, so that the relationship

	Client
	|
	|-------Host
	|	|
	|	|-------User
	|	|-------User
	|	|
	|-------Host
	|	|
	|	|-------User
	|	|-------User
	|	|-------User
	...

is preserved?

- I'm truly stuck at the authentication part of things.  Ideally I'd
like the owner of the Client subtree (apart from the LDAP owner) to be
able to bind to, access and modify all hosts and users under her
hierarchy, and each user to be able to bind to and change some parts
of her records.  How do I enable multiple levels of authentication in
OpenLDAP?  Note that I need to do all this on the fly, so modifying
the slapd.conf file except once at system setup time is not an option.

- Finally, the big question: is anyone aware of a free software IMAP4
server which will use LDAP for authentication AND to get the location
of the user's mailbox?  Cyrus handles the auth part, but I haven't yet
found one which uses LDAP for locating users' mailboxes.

Look out for the software when it's complete!

Thanks in advance, and regards,

-- Raju
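The hierarchy and the per-level access question in the post can be served by one static set of slapd access directives that is written once at setup and matches every client subtree created afterwards, which is what the "no slapd.conf edits at runtime" constraint requires. The fragment below is an added example, not code from the original post or from any project it mentions. Its suffix (dc=example,dc=com), the ou=clients container, the choice of cn= for a client, associatedDomain= for a virtual host and uid= for a mail user are all assumptions; the domain name lives as an entry under the client rather than as a new top-level dc= suffix, since a database can only hold entries under its configured suffix. Attributes for forward addresses and autoreply files would need a custom schema and are left as a placeholder comment.

```conf
# Added example (not from the original post): one slapd.conf ACL set that
# covers every client subtree, present or future, so slapd.conf is edited
# once at setup time.  Assumed layout (every name here is an assumption):
#
#   dc=example,dc=com                                   suffix (fixed)
#   ou=clients,dc=example,dc=com
#   cn=acme,ou=clients,dc=example,dc=com                client entry; binds
#   associatedDomain=acme.com,cn=acme,ou=clients,...    virtual host
#   uid=alice,associatedDomain=acme.com,cn=acme,...     virtual mail user
#
# slapd stops at the first "access to" clause whose target matches, and
# within it at the first "by" clause that matches, so specific rules come
# first.  $2 / $1 are the client cn captured by the regex and expanded into
# the "by" DN, which is how one rule serves all clients.

# userPassword: never readable.  The user may change her own, the client
# that owns the subtree may change any under it, anyone else may only use
# it to authenticate.
access to dn.regex="^(.+,)?cn=([^,]+),ou=clients,dc=example,dc=com$"
       attrs=userPassword
    by dn.exact,expand="cn=$2,ou=clients,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# The part of her own entry a mail user may edit.  Only the standard
# description attribute is used here; a forward/autoreply attribute would
# be a custom schema addition (placeholder, not defined in this example).
access to dn.regex="^uid=[^,]+,associatedDomain=[^,]+,cn=([^,]+),ou=clients,dc=example,dc=com$"
       attrs=description
    by self write
    by dn.exact,expand="cn=$1,ou=clients,dc=example,dc=com" write
    by users read
    by * none

# Everything else in a client's subtree: the client entry's own DN gets
# write on the whole subtree (hosts and users), other authenticated users
# read, anonymous nothing.
access to dn.regex="^(.+,)?cn=([^,]+),ou=clients,dc=example,dc=com$"
    by dn.exact,expand="cn=$2,ou=clients,dc=example,dc=com" write
    by users read
    by * none

# Default for the rest of the tree.
access to *
    by users read
    by * none
```

With these rules a client binds as its own cn= entry and can add hosts and users beneath it without any configuration change; a mail user binds as her uid= entry and can change only her password and description. Since the rules are regular expressions over the DN, the real protection is the shape of the tree: keep client, host and user RDNs strictly nested as sketched, and check the effective rights after setup with ldapsearch and ldapmodify bound as a test client and a test user, not just as the directory administrator.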