
using LDAP as a configuration/user management backend

Hi there,

This will probably be a lengthy discussion. I appreciate any helpful
comments. I also searched the lists and web but couldn't find good

I operate 27 servers all over the world, all running Debian (without
Debian, this wouldn't be possible). Now I would like to unify them by
using LDAP as a configuration and user management backend, as well as
AFS to share filesystems.

I see this as a series of steps as follows. Basically, while I am good
with the theory of all this, I have little to no practical experience,
so I appreciate any comments.

1. Select three servers to be the LDAP servers, configure them all for
   ldap-ssl (no clear-text here) and then hook them into
   a master-slave configuration with two of them mirroring the primary
   one. I'll use bind9 round-robin to do some fairly unadvanced
   load-balancing between them, and should be able to deal with the
   failure of one of the three servers fairly easily.

2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
   to contain no user but root and the various other defaults that
   Debian installs. All users for all systems should be placed in
   a global LDAP tree, with each user's record specifying what systems
   s/he may log in to.

3. Separate the mail users from the real users. About 70% of my users
   never log in and simply use IMAPs or POP3s to retrieve their mail.
   These should also live in the LDAP tree, but possibly under
   a different subtree. I'd like to keep using postfix + courier to
   handle all mail tasks. Is this possible, or should I start looking
   into cyrus?

4. Put major user configuration items (like .forward, spamassassin)
   into the LDAP tree. I am sure postfix can handle this particular one
   somehow, and one can probably hack solutions up for other proggies.

5. Put major system configuration (postfix, bind9, apt, etc.) into the
   LDAP tree.

6. Export /home from every system to every other system:

      all:/home/seamus -> seamus.madduck.net:/export/home
      all:/home/diamond -> diamond.madduck.net:/export/home
      all:/home/embryo -> embryo.madduck.net:/export/home


Once this is all done, I think the system will rock.

I do have one question on LDAP: Can it be used as a relational
database? For instance, I would like to have a list of systems that
a user may use for login stored for each user. Can I link the systems
out of a different subtree (that I use for system configuration in
step 5), or would I need to duplicate the information?

Or would PostgreSQL be a better albeit not as performant choice in the
first place?

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
a friend is someone with whom
you can dare to be yourself
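A worked example for steps 2 and 5 and the relational question at the end of the mail. It is added here and is not code from the original post or from any Debian package. LDAP can hold DN-valued attributes, but it has no joins and enforces no referential integrity by default, so a user record that lists the systems it may log in to (here via the standard `host` attribute of the `account` object class, which pam_ldap can enforce with `pam_check_host_attr`) simply duplicates the host names, and the link to the systems subtree has to be checked by whoever writes the entries. The script below renders such user entries as LDIF, parses an LDIF dump back, and reports every `host` value that names no entry under the systems subtree. The base DNs (`dc=example,dc=net`), the `ou=systems` / `ou=people` layout and the sample entries are all constructed assumptions; the host names are only borrowed from the /home layout in step 6.

```python
# Added example, not from the original mail. Renders users with per-host login
# restrictions ('host' attribute of objectClass account) as LDIF, parses an LDIF
# dump, and checks that each referenced host exists in the systems subtree.
# The DNs, host names and users are constructed for illustration.
import re

SYSTEMS_BASE = "ou=systems,dc=example,dc=net"   # assumed layout of the systems subtree
PEOPLE_BASE = "ou=people,dc=example,dc=net"     # assumed layout of the user subtree

_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts (dn included).

    Handles comment lines, blank-line entry separators and folded lines
    (a continuation line starts with one space, which LDIF strips).
    Attribute names are case-insensitive in LDAP, so keys are lowercased.
    Base64 values ('::') are not needed here and are rejected explicitly.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if current:
                entries.append(current)
                current = {}
            continue
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            raise ValueError("base64-encoded values are not supported here")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def user_ldif(uid, uid_number, gid_number, hosts):
    """Render one account/posixAccount entry with one 'host' line per allowed host."""
    lines = [
        f"dn: uid={uid},{PEOPLE_BASE}",
        "objectClass: top",
        "objectClass: account",        # structural class that carries 'host'
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
    ]
    lines += [f"host: {h}" for h in hosts]
    return "\n".join(lines) + "\n"


def known_systems(entries):
    """Return the lowercased cn of every entry directly under SYSTEMS_BASE."""
    names = set()
    for e in entries:
        dn = e.get("dn", [""])[0].lower()
        if dn.startswith("cn=") and dn.endswith("," + SYSTEMS_BASE.lower()):
            names.add(dn.split(",", 1)[0][3:])
    return names


def dangling_host_refs(entries):
    """List (uid, host) pairs whose host names no entry in the systems subtree.

    This is the check that stands in for a foreign-key constraint: LDAP will
    happily store a 'host' value for a machine that no longer exists.
    """
    systems = known_systems(entries)
    problems = []
    for e in entries:
        if "account" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        for host in e.get("host", []):
            if host.lower() not in systems:
                problems.append((e["uid"][0], host))
    return problems


# Constructed sample dump: two systems, two users, one stale host reference.
SAMPLE_LDIF = f"""\
# constructed sample directory dump
dn: cn=seamus,{SYSTEMS_BASE}
objectClass: top
objectClass: device
cn: seamus
description: mail relay and
  primary LDAP server

dn: cn=diamond,{SYSTEMS_BASE}
objectClass: top
objectClass: device
cn: diamond

""" + user_ldif("alice", 1001, 100, ["seamus", "diamond"]) + "\n" \
    + user_ldif("bob", 1002, 100, ["seamus", "embryo"])

if __name__ == "__main__":
    for uid, host in dangling_host_refs(parse_ldif(SAMPLE_LDIF)):
        print(f"user {uid}: host {host!r} has no entry under {SYSTEMS_BASE}")
```

Running it reports that `bob` is allowed on `embryo`, which has no system entry. The same check works on a real dump (`slapcat` or `ldapsearch -LLL` output) once the two base DNs are set to the directory's own layout; if you prefer a genuine DN reference instead of a bare host name, store the system's DN in a DN-syntax attribute such as `seeAlso` and extend the check to compare full DNs rather than `cn` values.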
