Re: Virtual Domains & LDAP
Wednesday, June 13, 2001, 8:21:36 AM, you wrote:
RC> Firstly I've replied to this with the list CC'd as I think that other
RC> people are likely to benefit from the answers and it seems that there is
RC> nothing secret being discussed. I hope you don't mind.
No problem. I was just trying to cut down on the list traffic.
RC> The OpenLDAP server uses some sort of hash, it uses the GNU DBM library or
RC> equivalent libraries for indexing each attribute separately.
RC> Other LDAP servers may do things differently, but most LDAP servers have
RC> taken code from the University of Michigan LDAP server (which is what
RC> OpenLDAP was based on).
That's okay. I really only care about how OpenLDAP works ;)
RC> @ sign has no inherent problems, but some software might not like it.
This does work with ProFTPd. I tried it out. I have still yet to try it out
with either Cyrus IMAPd or Postfix.
RC> Proftpd will do a search of "attribute=$1" where $1 is what the user enters
RC> at the Name: prompt. Then it will read the userPassword attribute of that
RC> entry or bind as that DN depending on how it's configured.
I see this now. Is one method better than the other? The ProFTPd docs say that
by binding as the user, different encryption methods could be supported (not a
big deal since I just use SSHA per RFC 2307). But is this manner more secure
than binding as the LDAP manager to get the userPassword attribute?
>> RC> Searching for "uid=user_company.com" with a search base of
>> RC> "ou=company.com, o=my_org" requires searching through two indexes which
>> RC> isn't as fast. But if the uid attribute has a unique value (which it
>> RC> will have if it is the user-name concatenated with the company name) then
>> RC> you can just search by the attribute value.
>> Ok. This is where I lose you, unless you meant uid=user. And then to
RC> No. I mean making the UID include the company. So within the
RC> "company.com" domain we have an account named "user". This is the only
RC> way to do it with proftpd!
Ok. Sorry for my density. Usually the simplest of things are the hardest for
me to understand :-P So what is the account named: "user" or
"user_company.com"? And what are these two search indexes? What performance
loss would I suffer by setting my search base to just "o=my_org" rather than
>> search within the base of "ou=company.com, o=my_org". Because with the
>> uid=user_company.com, I'm still searching on a single attribute. I
>> would think if anything, it would be quicker, because I would already
>> be searching within the correct ou. If you could elaborate a little
>> more, I would be most gracious. Likewise, I don't have a great
>> understanding of how index eq and index pres, and what have you, work.
>> I realize it's pretty LDAP distrib specific, but I don't see much
>> documentation for OpenLDAP in this regard.
>> Btw, sorry you got the cross-post. I've scoured the archives for
>> debian-isp. Have the debian schema files been produced yet? I was
>> looking at using the allowedService attribute you drafted up quickly,
>> to give users access to different services (duh?).
RC> I've produced a few drafts but so far no-one has responded to my requests
RC> for comments on them. So we are all waiting for some input from people
RC> who know about LDAP and schema...
Any chance you could post them here if you haven't done so already? If so, I'll
just go search the posts.
>> Also, do you use proftpd by chance? I would like to do virt hosting,
RC> Yes. One of my clients recently paid for enhancements to Proftpd for
RC> better support of this.
I realize you won't be able to share this work, but what sort of enhancements?
And how do you manage uids and gids?
>> but I don't feel like killing the IP pool :-P I suppose a
>> user_company.com system would work, but that'd be unnatural to users,
RC> Why? I've worked for two ISPs doing bulk commercial hosting with that
RC> scheme and no problems...
I would just think that people would like to remove the trailing _company.com,
and just have user names, with the namespace inferred. I know you don't use the
'@' in an email-address-like system I proposed, but which would you see being
better? With my method, the user only has to use his email address and password
for auth, which I think would be nice, but I don't know if that would become too
ambiguous with "mail" attributes.
>> whereas an email-address-like naming scheme wouldn't be too bad. But
RC> Not sure if an @ sign will be accepted by proftpd. Never tried it.
It worked for me, in case anyone else was wondering.
>> realistically, should I just follow in the steps of ISPMan, and allow
>> ftp access to one user per domain?
RC> No, that sucks.
That's what I was thinking :-P
Thanks a lot for all the info.
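As an added example (not from this thread, ProFTPd or OpenLDAP), the RFC 2307 {SSHA} userPassword format mentioned above, in Python: generating a value, and the verification step a client has to perform itself when it follows the "search uid=$1, then read userPassword" path instead of binding as the user (with a server-side bind, the directory does this check and the client never sees the hash). The directory entries, uids and passwords below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# RFC 2307 {SSHA} userPassword value: "{SSHA}" + base64(sha1(password || salt) || salt)

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 {SSHA} userPassword value for `password`."""
    if salt is None:
        salt = os.urandom(4)  # 4-byte salt is the usual OpenLDAP convention
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(candidate: str, stored: str) -> bool:
    """Check `candidate` against a stored {SSHA} value.

    A client that reads userPassword (rather than binding as the user) must do
    this itself: split the salt off the stored value, rehash the candidate with
    that salt and compare the digests in constant time.
    """
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the rest is salt
    recomputed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(recomputed, digest)

# Constructed sample directory (hypothetical, not from the thread): one account
# per hosting domain, with the uid carrying the domain suffix as discussed above.
CONSTRUCTED_ENTRIES = [
    {"dn": "uid=user_company.com,ou=company.com,o=my_org",
     "uid": "user_company.com",
     "userPassword": ssha_hash("s3cret", salt=b"\x01\x02\x03\x04")},
    {"dn": "uid=bob_example.net,ou=example.net,o=my_org",
     "uid": "bob_example.net",
     "userPassword": ssha_hash("hunter2", salt=b"\x05\x06\x07\x08")},
]

def authenticate_by_compare(entries, uid: str, candidate: str) -> bool:
    """Mimic the 'search uid=$1, then read userPassword' path.

    Because uid is unique across the whole directory, one equality match is
    enough; the caller (standing in for the FTP daemon) performs the hash check.
    """
    for entry in entries:
        if entry["uid"] == uid:
            return ssha_verify(candidate, entry["userPassword"])
    return False  # unknown uid: fail closed
```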