Re: Open LDAP for Peer Review

On Tue, 2 Apr 2002 06:23, Thedore Knab wrote:
> Question 1:
> How would I go about setting email aliases?
>    I could do it through canonical maps in postfix but that seems messy.

I've done it through virtual maps and alias maps.

> Question 2:
> I decided to breakup the people and accounts in two separate containers
> in attempt to make the directory hardier and more secure.
>     Am I wasting my time with this structure or does it make sense?

It makes sense to break it up if they have different roles so you can see who 
has what access.  But don't use a regular expression to manage security as 
performance for that sucks badly.  Use group membership for security.

> washcoll.edu
>  + People
>  + Accounts
> The ou=People will hold the address info.
> The ou=Accounts will do the authentication/account info.

By authentication do you mean Unix accounts, and do the ou=People entries not 
have any Unix accounts?

> #access Control list
> access to attr=userpassword
>     by dn="cn=admin, dc=washcoll, dc=edu" write
>     by dn="cn=cyrus, dc=washcoll, dc=edu" read
>     by dn="cn=postfix, dc=washcoll, dc=edu" read
>     by self write
>     by self read

The write access implies read.  Always a high level of access implies lower 

>     access to *
>     by self write
>     by dn=".+" read
>     by * read

The "by * read" should obsolete the 'by dn=".+" read' line, and the ".+" 
regex will hurt performance.

> #top.ldif
> dn: dc=washcoll, dc=edu
> objectClass: top
> objectClass: organization

As the dn starts with "dc=" this should have object class of "dcObject" and a 
"dc=washcoll" attribute.  If you don't follow this scheme you'll cause 
yourself a lot of pain.

> dn: ou=accounts, dc=washcoll, dc=edu
> objectClass: top
> objectClass: organizationalUnit
> ou: Accounts

It would be a good idea to keep the capitalisation the same in the DN and the 
attribute values ("Accounts" vs "accounts").  Sure LDAP doesn't care, but 
will all your LDAP enabled applications be happy?

> #accounts.ldif
> dn: uid=bmarshal,ou=accounts, dc=washcoll, dc=edu
> uid: bmarshal
> cn: Brad Alan Marshall
> sn: Marshall
> ou: staff
> objectClass: top
> objectClass: person
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: qmailUser
> objectClass: organizationalPerson
> objectClass: inetOrgPerson

I strongly recommend turning on schema enforcement in the LDAP server.  It 
doesn't have any great performance cost and helps avoid screwing up your 

> userPassword:: e2NyeXB0fWxuYkRhejRuYjlhUXA=

Hope that's not a real password...

If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
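A slapd.conf fragment that applies the points made in this reply (schema enforcement turned on, the redundant "by self read" dropped because write already implies read, and the dn=".+" regex replaced by group membership), written here as an added example and not taken from the original thread. The schema file paths, the group DN cn=directoryadmins,ou=Groups,dc=washcoll,dc=edu and the "by anonymous auth" line are my assumptions, and the `schemacheck` directive is OpenLDAP 2.0/2.1-era syntax (later releases always enforce schema).

```conf
# slapd.conf fragment (OpenLDAP 2.0/2.1 syntax, as current in 2002)
# Schema files must be loaded before schema checking can reject bad entries
include         /etc/ldap/schema/core.schema          # assumed path
include         /etc/ldap/schema/cosine.schema        # assumed path
include         /etc/ldap/schema/inetorgperson.schema # assumed path
include         /etc/ldap/schema/nis.schema           # assumed path

# Reject any entry whose attributes do not match its objectClasses
schemacheck     on

database        ldbm
suffix          "dc=washcoll,dc=edu"
rootdn          "cn=admin,dc=washcoll,dc=edu"

# userPassword: keep the explicit reader/writer list from the thread.
# "by self write" already implies read, so no separate "by self read".
# "by anonymous auth" (assumption, not in the thread) is what lets a
# client bind with its password without being able to read the hash.
access to attr=userPassword
        by dn="cn=admin,dc=washcoll,dc=edu" write
        by dn="cn=cyrus,dc=washcoll,dc=edu" read
        by dn="cn=postfix,dc=washcoll,dc=edu" read
        by self write
        by anonymous auth
        by * none

# Everything else: no dn=".+" regex clause, which "by * read" made
# redundant and which costs a regex match per access check.
# Delegated write access goes through a group (assumed DN) instead.
access to *
        by group="cn=directoryadmins,ou=Groups,dc=washcoll,dc=edu" write
        by self write
        by * read
```

Note that slapd evaluates access clauses in order and stops at the first "by" that matches, so the more specific "access to attr=userPassword" block has to come before the catch-all "access to *".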
