[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Newbie planning for the future

To: Alex Moen <alexm@ndtel.com>, openldap-technical@openldap.org
Subject: Re: Newbie planning for the future
From: Quanah Gibson-Mount <quanah@zimbra.com>
Date: Thu, 21 May 2009 11:51:45 -0700
Content-disposition: inline
In-reply-to: <0042C4ED-2DFE-4DCD-B7AA-5E78922FF211@ndtel.com>
References: <0042C4ED-2DFE-4DCD-B7AA-5E78922FF211@ndtel.com>

--On Thursday, May 21, 2009 8:26 AM -0500 Alex Moen <alexm@ndtel.com> wrote:

Hi all,

I am a newbie to LDAP, and have just gotten my first directory server up
and running, using openldap.

I have been researching and reading  a lot of material for quite a while
about schema design and planning, and haven't found much pertaining to
what I want to do.

We have 50+ servers, serving thousands of customers.  I want to migrate
those servers to LDAP authentication and authorization, but have not
found the proper design for multiple servers and duplicated users.  Most
references just do the basic "example.com" example and never expand on it
from there.  Ultimately, I would like to allow my admins to have a single
account across multiple servers (kind of "authorization account
merging"), but still allot the schema to be "separate" enough that
duplicated usernames on different machines, corresponding to different
people, still exist.

Are there any really good references out there that do step-by-step walk
throughs of the type of schema designing that I am thinking of?  Or is it
impossible?  Or am I just really making too much of this?  :)

Thanks for any insights...

I think you are confusing schema with DIT layout. Personally, I would putall the users in a single tree (cn=accounts,dc=my,dc=domain), and if youneed to track what company they work for, put that in an attribute in theaccount entry. There is no need for duplicate entries that I can see. Ifyou need to restrict access to various servers, set it up so they filteroff the company associated with the account.

And, you can always have local accounts in addition to the accounts inLDAP. You generally want this anyhow, for users like root, so you canalways get in regardless. But you could also create an "admin" account inthe accounts tree, and make it so it can access any server.

The NSS Overlay that's currently in OpenLDAP HEAD would probably work bestfor all of this. It will hopefully make its appearance in OpenLDAP 2.4.17.


--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration

References:
- Newbie planning for the future
  - From: Alex Moen <alexm@ndtel.com>

Prev by Date: Re: Newbie planning for the future
Next by Date: Re: Deleting hundreds of Entry under a OU
Index(es):
- Chronological
- Thread