Re: Open LDAP for Peer Review
On Tue, 2 Apr 2002 06:23, Thedore Knab wrote:
> Question 1:
>
> How would I go about setting email aliases?
> I could do it through canonical maps in postfix but that seems messy.
I've done it through virtual maps and alias maps.
> Question 2:
>
> I decided to break up the people and accounts into two separate containers
> in an attempt to make the directory hardier and more secure.
> Am I wasting my time with this structure or does it make sense?
It makes sense to break it up if they have different roles so you can see who
has what access. But don't use a regular expression to manage security as
performance for that sucks badly. Use group membership for security.
> washcoll.edu
> + People
> + Accounts
>
> The ou=People will hold the address info.
> The ou=Accounts will do the authentication/account info.
By authentication do you mean Unix accounts, and do the ou=People entries not
have any Unix accounts?
> #access Control list
> access to attr=userpassword
> by dn="cn=admin, dc=washcoll, dc=edu" write
> by dn="cn=cyrus, dc=washcoll, dc=edu" read
> by dn="cn=postfix, dc=washcoll, dc=edu" read
> by self write
> by self read
The write access implies read. Always a high level of access implies lower
levels.
> access to *
> by self write
> by dn=".+" read
> by * read
The "by * read" should obsolete the 'by dn=".+" read' line, and the ".+"
regex will hurt performance.
> #top.ldif
> dn: dc=washcoll, dc=edu
> objectClass: top
> objectClass: organization
As the dn starts with "dc=" this should have object class of "dcObject" and a
"dc=washcoll" attribute. If you don't follow this scheme you'll cause
yourself a lot of pain.
> dn: ou=accounts, dc=washcoll, dc=edu
> objectClass: top
> objectClass: organizationalUnit
> ou: Accounts
It would be a good idea to keep the capitalisation the same in the DN and the
attribute values ("Accounts" vs "accounts"). Sure LDAP doesn't care, but
will all your LDAP enabled applications be happy?
> #accounts.ldif
> dn: uid=bmarshal,ou=accounts, dc=washcoll, dc=edu
> uid: bmarshal
> cn: Brad Alan Marshall
> sn: Marshall
> ou: staff
> objectClass: top
> objectClass: person
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: qmailUser
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
I strongly recommend turning on schema enforcement in the LDAP server. It
doesn't have any great performance cost and helps avoid screwing up your
directory.
> userPassword:: e2NyeXB0fWxuYkRhejRuYjlhUXA=
Hope that's not a real password...
--
If you send email to me or to a mailing list that I use which has >4 lines
of legalistic junk at the end then you are specifically authorizing me to do
whatever I wish with the message and all other messages from your domain, by
posting the message you agree that your long legalistic sig is void.
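Putting the ACL advice above together (write implies read, drop the 'dn=".+"' regex, grant the mail services access through a group, turn on schema checking), here is an added slapd.conf fragment; it is not the poster's file and not Russell's, and it assumes OpenLDAP 2.1+ ACL syntax plus an existing groupOfNames entry cn=mailreaders,ou=Groups,dc=washcoll,dc=edu whose member values are the cn=cyrus and cn=postfix DNs.

```conf
# Added example (not from the original posts). Assumes OpenLDAP 2.1+ syntax
# and a group entry cn=mailreaders,ou=Groups,dc=washcoll,dc=edu of
# objectClass groupOfNames with member: cn=cyrus,dc=washcoll,dc=edu and
# member: cn=postfix,dc=washcoll,dc=edu.

# Schema enforcement. This directive exists in OpenLDAP 2.0/2.1; later
# releases always enforce schema and no longer accept it.
schemacheck     on

# userPassword: "write" already implies "read", so a separate
# "by self read" clause is redundant. The mail services get read access
# through group membership instead of one "by dn" line per service.
# "anonymous auth" lets a not-yet-bound client use the password to bind
# without being able to read it; "by * none" denies everyone else.
# Clauses are tested in order and the first match wins.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=washcoll,dc=edu" write
        by group.exact="cn=mailreaders,ou=Groups,dc=washcoll,dc=edu" read
        by self write
        by anonymous auth
        by * none

# Everything else: no 'by dn=".+" read' line. "by * read" already covers
# every bound DN, and a regex would otherwise be evaluated per request.
access to *
        by self write
        by * read
```

Adding a service to the mail readers is then a single "member:" modification on the group entry rather than an ACL edit and slapd restart.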