
Open LDAP for Peer Review



Yippie, I have 29 days to get an IMAP server up with LDAP.

I really am enjoying this task. :-)

    LDAP will provide
        + a general address lookup facility
        + account authentication

This is the first time I have set up LDAP, so I am sending this for peer
review. Help, I have no one here to look up to ;-)

Question 1:

How would I go about setting up email aliases?
    I could do it through canonical maps in postfix but that seems messy.

Question 2:

I decided to break up the people and accounts into two separate containers
in an attempt to make the directory hardier and more secure.
    Am I wasting my time with this structure or does it make sense?

The Structure:

washcoll.edu
 + People
 + Accounts

The ou=People will hold the address info.
The ou=Accounts will do the authentication/account info.

Question 3:
I do not understand what I am doing under the access control info.
Besides the default access of read for testing, does this look secure?


/etc/ldap/slapd.conf
...
########################
# Access Control Info
########################

defaultaccess read

index mail,mailAlternateAddress eq
index cn,sn,uid,mail
index objectClass eq


# Access control list
# A simple bind checks userPassword using the client's identity before it
# is authenticated, so the attribute needs at least "auth" access for "*";
# without that clause only the rootdn can bind, because an "access to"
# clause with no matching "by" clause denies (implicit "by * none").
# "by self write" already implies read, so the separate "by self read" is
# redundant and has been dropped.
access to attr=userpassword
    by dn="cn=admin, dc=washcoll, dc=edu" write
    by dn="cn=cyrus, dc=washcoll, dc=edu" read
    by dn="cn=postfix, dc=washcoll, dc=edu" read
    by self write
    by * auth

access to *
    by self write
    by dn=".+" read
    by * read
...


#top.ldif
# dc=washcoll is the naming attribute, so the entry needs the dcObject
# auxiliary class and a matching dc value. creatorsName is an operational
# attribute that slapd sets itself; ldapadd rejects it from a client.
dn: dc=washcoll,dc=edu
objectClass: top
objectClass: dcObject
objectClass: organization
dc: washcoll
o: Washington College
description: Top level of Directory

dn: ou=People,dc=washcoll,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: People
description: People within Washington College.

dn: ou=Accounts,dc=washcoll,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: Accounts
description: People with accounts at Washington College.

#accounts.ldif
# accountStatus, deliveryMode, mailHost and mailAlternateAddress come from
# qmailUser, so qmail.schema must be included in slapd.conf. The "account"
# class is dropped: it is structural and not a superclass of person, so it
# cannot share an entry with inetOrgPerson (uid is allowed by inetOrgPerson).
dn: uid=bmarshal,ou=Accounts,dc=washcoll,dc=edu
uid: bmarshal
cn: Brad Alan Marshall
sn: Marshall
ou: staff
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: qmailUser
accountStatus: active
deliveryMode: normal
mail: bmarshal@washcoll.edu
mailHost: imap.washcoll.edu
mailAlternateAddress: bmarshal@washcoll.edu
loginShell: /bin/false
uidNumber: 500
gidNumber: 100
homeDirectory: /mnt/home/bmarshal
userPassword:: e2NyeXB0fWxuYkRhejRuYjlhUXA=

#listing.ldif
dn: uid=bmarshal,ou=People, dc=washcoll, dc=edu
uid: bmarshal
givenName: Brad
initials: BAM
cn: Brad Alan Marshall
sn: Marshall
o: Washington College
ou: staff
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
mail: bmarshal@washcoll.edu
title: programmer
homePostalAddress: 110 Clove St Chestertown, MD 21401
homePhone: 410-555-1212
telephoneNumber: 410-555-1212
mobile: 443-770-5658
facsimileTelephoneNumber: 1-800-111-1111
pager: 1-800-555-1212


-- 
To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
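Added example, not from the post and not OpenLDAP code: a small Python evaluator of the first-match semantics of slapd.conf ACLs, run over the ACL from the message above (copied into ACL_TEXT) and over a variant with "by * auth" added. Assumptions: access levels order none < auth < compare < search < read < write, a `dn="..."` clause is treated as a literal DN except for the `.+` idiom, and the bind DN "uid=bmarshal,ou=Accounts,dc=washcoll,dc=edu" is the constructed target entry.

```python
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ACL_TEXT = """\
access to attr=userpassword
    by dn="cn=admin, dc=washcoll, dc=edu" write
    by dn="cn=cyrus, dc=washcoll, dc=edu" read
    by dn="cn=postfix, dc=washcoll, dc=edu" read
    by self write
access to *
    by self write
    by dn=".+" read
    by * read
"""
# Same ACL with "by * auth" added so a simple bind may check the password.
FIXED_ACL_TEXT = ACL_TEXT.replace("by self write\naccess",
                                  "by self write\n    by * auth\naccess", 1)
def norm(dn):  # crude DN normalisation: lowercase, no whitespace after commas
    return re.sub(r",\s*", ",", dn.strip().lower())

def parse_acl(text):  # -> [(what, [(who, level), ...]), ...] in file order
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            rules.append((line[10:].lower(), []))
        elif line.startswith("by "):
            who, level = re.match(r"by\s+(.+)\s+(\w+)$", line).groups()
            rules[-1][1].append((who, level))
    return rules

def who_matches(who, binddn, targetdn):
    if who == "*":
        return True
    if who == 'dn=".+"':  # old idiom for "any authenticated DN"
        return binddn != ""
    if who == "self":
        return binddn != "" and norm(binddn) == norm(targetdn)
    m = re.fullmatch(r'dn="(.*)"', who)  # literal DN; other regex forms not handled
    return bool(m) and binddn != "" and norm(m.group(1)) == norm(binddn)

def access(rules, binddn, targetdn, attr):
    # First matching "access to" wins; inside it the first matching "by" decides,
    # and a clause with no matching "by" yields "none" (implicit "by * none").
    for what, bys in rules:
        if what == "*" or attr.lower() in what.replace("attr=", "").split(","):
            for who, level in bys:
                if who_matches(who, binddn, targetdn):
                    return level
            return "none"
    return "read"  # defaultaccess read, as in the post's slapd.conf
```

With the original ACL an anonymous client gets "none" on userPassword, so a simple bind (which needs at least "auth") fails for everyone except the rootdn; the variant grants "auth" to everyone without letting other users read the hashes.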