[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re[4]: Virtual Domains & LDAP

Hey Russell,

Wednesday, June 13, 2001, 8:21:36 AM, you wrote:

RC> Firstly I've replied to this with the list CC'd as I think that other 
RC> people are likely to benefit from the answers and it seems that there is 
RC> nothing secret being discussed.  I hope you don't mind.

No problem.  I was just trying to cut down on the list traffic.

RC> The OpenLDAP server uses some sort of hash, it uses the GNU DBM library or
RC> equivalent libraries for indexing each attribute separately.


RC> Other LDAP servers may do things differently, but most LDAP servers have 
RC> taken code from the University of Michigan LDAP server (which is what 
RC> OpenLDAP was based on).

That's okay.  I really only care about how OpenLDAP works ;)

RC> @ sign has no inherant problems, but some software might not like it.

This does work with ProFTPd.  I tried it out.  I have still yet to try it out
with either Cyrus IMAPd or Postfix.

RC> Proftpd will do a search of "attribute=$1" where $1 is what the user enters
RC> at the Name: prompt.  Then it will read the userPassword attribute  of that
RC> entry or bind as that DN depending on how it's configured.

I see this now.  Is one method better than the other?  The ProFTPd docs say that
by binding as the user, different encryption methods could be supported (not a
big deal since I just user SSHA per RFC 2307).  But is this manner more secure
than binding as the LDAP manager to get the userPassword attribute?

>> RC> Searching for "uid=user_company.com" with a search base of
>> RC> "ou=company.com, o=my_org" requires searching through two indexes
>> which RC> isn't as fast.  But if the uid attribute has a unique value
>> (which it RC> will have if it is the user-name concatenated with the
>> company name) then RC> you can just search by the attribute value.
>> Ok.  This is where I lose you, unless you meant uid=user.  And then to

RC> No.  I mean making the UID include the company.  So within the 
RC> "company.com" domain we have an account named "user".  This is the only 
RC> way to do it with proftpd!

Ok.  Sorry for my density.  Usually the simplest of things are the hardest for
me to understand :-P  So what is the account named: "user" or
"user_company.com"?  And what are these two search indexes? What performance
loss would I suffer by setting my search base to just "o=my_org" rather than
"ou=company.com, o=my_org"?

>> search within the base of "ou=company.com, o=my_org".  Because with the
>> uid=user_company.com, I'm still searching on a single attribute.  I
>> would think if anything, it would be quicker, because I would already
>> be searching within the correct ou.  If you could elaborate a little
>> more, I would be most gracious. Likewise, I don't have a great
>> understanding of how index eq and index pres, and what have you works. 
>> I realize it's pretty LDAP distrib specific, but I don't see much
>> documentation for OpenLDAP in this regards.
>> Btw, sorry you got the cross-post.  I've scoured the archives for
>> debian-isp. Has the debian schema files been produced yet?  I was
>> looking at using the allowedService attribute you drafted up quickly,
>> to give users access to different services (duh?).

RC> I've produced a few drafts but so far no-one has responded to my requests 
RC> for comments on them.  So we are all waiting for some input from people 
RC> who know about LDAP and schema...

Any chance you could post them here if you haven't done so already?  If so, I'll
just go search the posts.

>> Also, do you use proftpd by chance?  I would like to do virt hosting,

RC> Yes.  One of my clients recently paid for enhancements to Proftpd for 
RC> better support of this.

I realize you won't be able to share this work, but what sort of enhancements?
And how do you manage uids and gids?

>> but I don't feel like killing the IP pool :-P  I suppose a
>> user_company.com system would work, but that'd be unnatural to users,

RC> Why?  I've worked for two ISPs doing bulk commercial hosting with that 
RC> scheme and no problems...

I would just think that people would like to remove the trailing _company.com,
and just have user names, with the namespace inferred.  I know you don't use the
'@' in an email address like system I proposed, but which would you see being
better?  With my method, the user only has to use his email address and password
for auth, which I think would be nice, but I don't know if that would become too
ambiguous with "mail" attributes.

>> whereas an email address like naming scheme wouldn't be too bad.  But

RC> Not sure if an @ sign will be accepted by proftpd.  Never tried it.

It worked for me, in case anyone else was wondering.

>> realistically, should I just follow in the steps of ISPMan, and allow
>> ftp access to one user per domain?

RC> No, that sucks.

That's what I was thinking :-P

Thanks a lot for all the info.


Reply to: