Newbie conceptual issues (long)
Hi All-
I'm a newbie to LDAP and OpenLDAP, but I've read the
faq, searched (and browsed) the archives, searched
Google, etc, so please don't flame me.
I'm having a difficult time understanding some of the
conceptual basics with designing and creating a
Directory namespace, creating the Directory database
itself, adding branches to it, etc.
Just so you know where I'm at and what I've read:
Server OS: SuSE 9 (i386)
OpenLDAP version: 2.1.22-73 (from SuSE rpm)
(properly configured to do authentication of rootdn
against KDC via SASL/GSSAPI)
Running MIT Kerberos 5, v1.3.1 (built from source)
Running OpenAFS 1.2.11 (built from source)
Running Cyrus SASL 2.1.15-65 and associated plugins
(from SuSE rpm)
I've read the relevant portions of:
LDAP System Administration (ORA, 2003) by Gerald Carter
SuSE 9 Administration Guide
OpenLDAP FAQ-O-Matic
http://www.bayour.com/LDAPv3-HOWTO.html#4.4.2.Installing%20Cyrus%20SASL%7Coutline
(OpenLDAP, OpenSSL, SASL and KerberosV HOWTO)
RFC 2849
man 5 ldif
OpenLDAP 2.2 Administrator's Guide (including, but not
limited to, the Quick-Start Guide)
The difficulty that I'm having is with creating (and
really understanding what I'm doing) the database by
adding entries, and figuring out how to write LDIF
files that accomplish that goal.
My ultimate goal is to do something along the lines of
what Turbo did in his HOWTO and adding support for
OpenAFS as well, but right now I'm just trying to
understand some of the basics.
For example, my ORA book describes setting up a very
simple namespace (am I using that word correctly
here?) like so:
[dc=plainjoe,dc=org]
|
|
|
|
[ou=people]
/|\
/ | \
/ | \
/ | \
[Employee Contact Information]
They claim that ldapadd'ing the following LDIF file
does so.
======================
## Build the root node.
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org
## Build the people ou.
dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
======================
I did this without error and I think I understand what
this did. It created, just below the top (or root)
node (dc=plainjoe,dc=org), an empty node (ou=people)
that is for containing people nodes (cn=Gerald
Carter).
Later, the book describes a namespace that looks like
this (please pardon my ascii art):
[dc=plainjoe,dc=org]
| | |
| | |
[ou=group] | [ou=services]
/| | |\
/ | [ou=people] | \
/ | /|\ | \
/ | / | \ | \
[admin ] / | \ [application data]
[groups & ] / | \
[posixGroups] / | \
/ | \
[Employee Contact Information]
But the author does not describe exactly how he created
it in the form of LDIF files. I suppose I should
already know that by extension of the first example,
but I don't... call me dumb...
I have this feeling that my Directory will need, just
below the root or top node, something similar to the
namespace depicted above.
Well, I populated the (formerly empty) container node
(ou=people) with two people using LDIF files like
this:
==========================
## LDIF entry for "Maria M. Asciolla"
dn: cn=Joe M. Blow,ou=people,dc=plainjoe,dc=org
cn: Joe M. Blow
sn: Blow
mail: joe@plainjoe.org
departmentNumber: Management
pager: 222-555-6789
objectclass: inetOrgPerson
==========================
That worked fine, and I see that for an objectclass of
inetOrgPerson, there are no required attributes.
But in trying to add the other two first-level nodes, I
got hung up in required attributes (I figured that
objectclass should be posixGroup and posixAccount
and ... not sure what type objectclass for the
[services] node depicted) in my LDIF files. Through
trial and error, I successfully added three other
first-level nodes, but are they container nodes? It
seems that they are not.
I ldapadd'ed this LDIF file:
==========================
dn: cn=Manager,dc=plainjoe,dc=org
cn: Manager
objectClass: organizationalRole
==========================
And learned that cn was a required attribute for the
organizationalRole object class. How would I use this
anyway? Connections between the people nodes and the
organizationalRole nodes? Like a linked relational
database or something?
But this doesn't seem to be a container node like my
original [ou=people] first-level node. How would I
make it one (presuming that I would want to do so,
which I'm not sure if I do or not---I read a sidebar
in my book about the pros and cons of wide and shallow
or deep and narrow Directories).
Then I ldapadd'ed this LDIF file:
==========================
dn: cn=Group,dc=plainjoe,dc=org
cn: Group
gidNumber: 1000
objectClass: posixGroup
description: The first group in the list
==========================
And learned that cn and gidNumber are both required
attributes for the posixGroup object class (which is
described in the nis.schema file as "Abstraction of a
group of accounts").
Again, this doesn't seem like a container node. Should
it be?
Then I ldapadd'ed this LDIF file:
==========================
dn: cn=Account,dc=plainjoe,dc=org
cn: Account
ou: Account
uid: adam
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/adam
objectClass: organizationalUnit
objectClass: posixAccount
description: This is the first user
gecos: Adam Selene
==========================
And learned about the required attributes of the
posixAccount objectclass, but also learned about the
requirement of some object classes to have a
structural object class (which is why I added the
organizationalUnit class), but I feel like I'm missing
some important understanding.
For example:
1) what are the structural classes? I know they're all
defined in the *.schema files, but is there an easy
way to list them all?
2) And what makes it a structural class as opposed to
an auxiliary or abstract class?
3) And just how many objectClasses can a node in the
Directory have?
4) Am I just glomming the attributes of each object
class together to make a node that is some sort of
superset of both object classes?
5) If so, then I guess I should just choose the object
classes I need (based on the attributes I'll need) to
create the type of node that I want (ultimately,
something to represent all the characteristics of a
user on a network: uid, OpenAFS UID, Kerberos
principal, home directory, etc. etc. etc.). Is that
right?
6) If both posixAccount and posixGroup object classes
are abstract, then why didn't I need a structural
class for posixGroup?
I guess I'm just feeling like I have an infinite range
of options (which I'm sure is a good thing, once I
understand more) and no real idea what direction to go
and how to learn some more of the basics. The RFC was
too specific for my understanding, the book (I think)
should have had more examples for my understanding,
and explanation about why you might want to do this or
that. The other docs don't seem to address the
hole(s) that I feel like I have in my understanding.
To be honest though, I think that just through
composing this long post, I understand the issues a lot
better than I did before composing it, but I still
feel like I'm missing some important things. Can
anyone recommend a good document or two to read to
help me get past that initial stage in learning about
LDAP?
If you've read this far, then I thank you and apologize
for the length of this post. I'm torn on whether to
send it because I do understand some things better
now, but still think that a little helping hand would
probably do wonders for me.
Thanks for being patient.
-Kevin
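The questions in the post about structural versus auxiliary classes, required attributes and "glomming" object classes together can be checked mechanically, and doing so makes the rules concrete. What follows is an added example, not code from the original post, from the book or from OpenLDAP. It embeds a constructed, abridged copy of the objectclass definitions the post's entries rely on (top, organizationalUnit, person, organizationalPerson, inetOrgPerson, dcObject, posixAccount, posixGroup) in *.schema syntax, lists them by kind, and applies to an LDIF entry the same three rules slapd's schema check applies: every MUST attribute of every class on the entry (superclasses included) is present, only attributes from those classes' MUST and MAY lists appear, and all STRUCTURAL classes lie on one superclass chain. The OIDs, kinds, SUP and MUST lists follow core.schema, inetorgperson.schema and nis.schema as shipped with OpenLDAP 2.1/2.2; the long MAY lists are deliberately cut down. All function and constant names (parse_schema, check_entry, ACCOUNT_OK and so on) are the example's own.

```python
import re

# Constructed, abridged schema text in OpenLDAP *.schema syntax (added example, not
# the post's own files).  OIDs, kinds, SUP and MUST lists follow core.schema,
# inetorgperson.schema and nis.schema; the long MAY lists are cut down.
SCHEMA = """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou MAY ( description ) )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ description ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL )
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson
    STRUCTURAL MAY ( departmentNumber $ mail $ pager $ uid ) )
objectclass ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
    MAY ( userPassword $ loginShell $ gecos $ description ) )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL
    MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
"""

def _names(field):
    # "( a $ b )" or "a" -> ["a", "b"]; LDAP names are case-insensitive, so lower-case
    return [n.lower() for n in re.split(r"[()\s$]+", field) if n]

def parse_schema(text):
    # Parse objectclass definitions into {lowercase name: {name, kind, sup, must, may}}
    classes = {}
    for body in re.split(r"(?im)^\s*objectclass\s*\(", text)[1:]:
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", body).group(1)
        sup = re.search(r"\bSUP\s+(\w+)", body)
        must = re.search(r"\bMUST\s+(\([^)]*\)|\w+)", body)
        may = re.search(r"\bMAY\s+(\([^)]*\)|\w+)", body)
        classes[name.lower()] = {"name": name, "kind": kind, "sup": sup.group(1).lower() if sup else None,
                                 "must": _names(must.group(1) if must else ""), "may": _names(may.group(1) if may else "")}
    return classes

CLASSES = parse_schema(SCHEMA)

def list_by_kind(classes, kind):
    """Question 1 of the post: every class of one kind, e.g. list_by_kind(CLASSES, "STRUCTURAL")."""
    return sorted(c["name"] for c in classes.values() if c["kind"] == kind)

def chain(classes, name):
    # A class plus all its ancestors: inetOrgPerson -> organizationalPerson -> person -> top
    out = []
    while name:
        out.append(name)
        name = classes[name]["sup"]
    return out

def parse_ldif_entry(text):
    """Minimal LDIF for one entry: 'attr: value' lines only (no folding, base64 or changetype)."""
    attrs = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, value = line.split(":", 1)
            attrs.setdefault(attr.strip().lower(), []).append(value.strip())
    return attrs

def check_entry(classes, attrs):
    """Problems slapd's schema check would raise for the entry; [] means it is accepted."""
    problems = []
    named = [oc.lower() for oc in attrs.get("objectclass", []) if oc.lower() in classes]
    # Superclasses count too: an inetOrgPerson entry is also a person and a top.
    allc = {c for oc in named for c in chain(classes, oc)}
    # Rule 1: exactly one structural chain.  Every STRUCTURAL class on the entry must be
    # an ancestor of the most specific one; unrelated structural classes cannot be mixed.
    structural = [oc for oc in allc if classes[oc]["kind"] == "STRUCTURAL"]
    leaf = max(structural, key=lambda oc: len(chain(classes, oc)), default=None)
    bad = [oc for oc in structural if oc not in chain(classes, leaf)] if leaf else []
    if not leaf:
        problems.append("no structural objectClass")
    elif bad:
        names = sorted(classes[oc]["name"] for oc in bad + [leaf])
        problems.append(f"structural classes on different chains: {names}")
    # Rule 2: every MUST of every class is present.  Rule 3: only MUST/MAY attributes appear.
    allowed = {"dn"}
    for oc in allc:
        allowed.update(classes[oc]["must"], classes[oc]["may"])
        problems += [f"{classes[oc]['name']} requires {a}" for a in classes[oc]["must"] if a not in attrs]
    problems += [f"{a} not allowed by any objectClass" for a in attrs if a not in allowed]
    return sorted(problems)

# Constructed copy of the post's working cn=Account entry: auxiliary posixAccount on the structural organizationalUnit.
ACCOUNT_OK = """
dn: cn=Account,dc=plainjoe,dc=org
cn: Account
ou: Account
uid: adam
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/adam
objectClass: organizationalUnit
objectClass: posixAccount
"""
# The same entry with its structural class (and the ou it required) removed.
ACCOUNT_BARE = ACCOUNT_OK.replace("ou: Account\n", "").replace("objectClass: organizationalUnit\n", "")
```

Run against the post's own entries, check_entry accepts cn=Account (organizationalUnit plus posixAccount) and rejects ACCOUNT_BARE with "no structural objectClass", which is exactly why the organizationalUnit class had to be added: posixAccount is AUXILIARY and can only ride on a structural class. cn=Group needs nothing extra because posixGroup is STRUCTURAL in nis.schema, not abstract; the only ABSTRACT class in common use is top. An entry carrying both posixGroup and organizationalUnit is rejected as two unrelated structural classes, whereas inetOrgPerson, organizationalPerson and person are all structural yet coexist because they form one chain; that chain is also where inetOrgPerson gets its required cn and sn. A running slapd publishes the same definitions in the objectClasses attribute of the cn=Subschema entry, in the same parenthesised syntax minus the leading objectclass keyword, so only the split pattern in parse_schema needs adjusting to read them.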