
Re: using LDAP as a configuration/user management backend

thus spoke nate <debian-user@aphroland.org> [2002.10.09.1105 +0200]:
> be aware that openldap's "mirroring" is one-way master->slave not
> slave->master. All updates are required to be performed on the
> master. You can do the updates on the slave, but the commands are
> just passed transparently to the master(cleartext) to be processed
> on the master, then propagated back to the slave.

this sounds fine, as long as there is an easy way to promote a slave
to the master. i actually like this way of replication.

> I would recommend for best security to only authenticate off the
> slave servers, and do not setup referrers on the slaves. That
> way all of the data accessible by the servers is read only. Worst
> case is the slave perhaps can get corruption but that won't affect
> the master.

this is an interesting idea that i will keep in mind.

> > 2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
> >   to contain no user but root and the various other defaults that Debian
> >   installs. All users for all systems should be placed in
> >   a global LDAP tree, with each user's record specifying what systems
> >   s/he may log in to.
> I've done this. In fact I've gone farther by putting all the default
> accounts in ldap too (even though they aren't really used through ldap).

i don't want that. i want all accounts that i add to be in LDAP and to
have /etc/passwd be managed by Debian. Note that this applies to
groups as well, naturally.

> only way I can think of to have separate users is to set the 'mail only'
> accounts to have a shell of /dev/null. Or perhaps something else
> like /usr/local/bin/bash, and only make /usr/local/bin/bash available on
> those systems which you want these users to login to. the rest of the
> systems would have no such file.

this sounds like a very inflexible hack. i suppose i could somehow
tweak pam_ldap or an sql pam module to do this...

> postfix can handle it all, what you use for IMAP/POP3 is not important,
> postfix will translate the LDAP account into a local user account,
> the MDA need not know LDAP even exists.

... except that I actually would prefer to have mail-only users not
have local accounts. all they need, after all, is an IMAP hierarchy.
no need for a home directory. Then again, the home directory approach
will be simpler...

> > 4. Put major user configuration items (like .forward, spamassassin)
> >   into the LDAP tree. I am sure postfix can handle this particular one
> >   somehow, and one can probably hack solutions up for other proggies.
> This I have never tried. Though it is possible, I don't really see any
> advantage to doing it over using a distributed filesystem like AFS,
> which you mention you're planning on using?

Mainly because I want people who don't know what a shell is (about 85%
of the users) to have a simple web frontend for configuration. And
before I make modules for .forward and modules for .spamassassin, i'd
much rather just give them their LDAP subtree for complete access. it
scales better.

> > 5. Put major system configuration (postfix, bind9, apt, etc.) into the
> >   LDAP tree.
> haven't tried this either myself. I thought about doing DNS in
> LDAP, I've read about it, but my DNS zone files are setup so nicely..
> so I haven't tried it.

note that this is step 5. so maybe in five years i'll get to it ;^>

> as for relational database, I am not certain what you mean, but

say i have the following table of users with the systems that they may
login to:

  1  peter   { time, gnome, piper, wall }
  2  hans    { seamus, gnome, diamond }
  3  anna    { mother, diamond, wall }

and also a table of systems:

  1  time
  2  gnome
  3  piper
  4  wall
  5  seamus
  6  diamond
  7  mother

in a relational database, the users' table would then look like this:

  1  peter   { 1, 2, 3, 4 }
  2  hans    { 5, 2, 6 }
  3  anna    { 7, 6, 4 }

which has the advantage that information is not duplicated; if
i rename 'gnome' to 'albatros', then i only need to edit one entry.

i am simply wondering if this can be done in ldap.

> if you're referring to host based authentication yes you can do this,
> I have not updated my LDAP howto on how to do it but it's easy:
> the LDAP entry needs to have an objectClass: account
> then create a 'host' entry. e.g.
> host: mail35.mydomain.com
> 1 host entry per host that user is allowed to login to.
> then in /etc/pam_ldap.conf set this:
> pam_check_host_attr yes

cool. this precisely addresses the problem of restricting specific
users to specific hosts.

> > Or would PostgreSQL be a better albeit not as performant choice in the
> > first place?
> LDAP I think is the way to go for the majority of the stuff, much
> of the software and support is already out there.

yes, that's my impression.

> storing files in LDAP is possible (i've done it through netscape roaming)
> but it's by no means easy (IMO), I think you should start basic then
> look into the file storing stuff later.

i wasn't looking for file storage (yet), but it might happen some day.

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
3 kinds of people: those who can count & those who can't.
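The host-based login restriction described above (an `objectClass: account` entry carrying one `host` attribute per permitted machine, enforced by `pam_check_host_attr yes` in /etc/pam_ldap.conf) is easy to get wrong in the fail-open direction, so here is an added example, not from the original thread or from pam_ldap itself, that parses a small LDIF fragment and reproduces the decision pam_ldap makes: a login is allowed only when the local hostname appears among the entry's `host` values, and an entry with no `host` attribute at all is denied. The LDIF, the hostnames (built from the machine names in the thread) and the `example.org` domain are constructed for the example; the real module compares against the machine's own hostname rather than a parameter.

```python
"""Simulate pam_ldap's pam_check_host_attr decision over LDIF entries.

Constructed sample data: two users with host lists taken from the thread's
table, plus a mail-only account with no host attribute at all.
"""

# Constructed LDIF; 'host' is a multi-valued attribute of objectClass 'account'.
SAMPLE_LDIF = """\
dn: uid=peter,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: peter
host: time.example.org
host: gnome.example.org
host: piper.example.org
host: wall.example.org

dn: uid=hans,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: hans
host: seamus.example.org
host: gnome.example.org
host: diamond.example.org

# mail-only user: deliberately no host attribute, so shell login is denied
dn: uid=mailonly,ou=people,dc=example,dc=org
objectClass: account
objectClass: posixAccount
uid: mailonly
"""


def parse_ldif(text):
    """Parse a minimal LDIF text into {uid: {attr: [values]}}.

    Handles blank-line entry separators, '#' comments and folded lines
    (continuation lines start with a single space).  Base64 '::' values
    are not needed for this data and are not handled.
    """
    entries = {}
    current = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]          # folded continuation
            continue
        line = raw.rstrip()
        if not line:
            if current:
                entries[current["uid"][0]] = current
                current = {}
            last_attr = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries[current["uid"][0]] = current
    return entries


def host_allowed(entry, hostname):
    """pam_check_host_attr semantics: deny unless some 'host' value matches.

    A missing attribute yields an empty list and therefore a denial,
    which is the fail-closed behaviour the check is meant to provide.
    """
    hosts = entry.get("host", [])
    return any(h.lower() == hostname.lower() for h in hosts)


def login_decision(entries, uid, hostname):
    """Return 'allow', 'deny' or 'unknown user' for a login attempt."""
    entry = entries.get(uid)
    if entry is None:
        return "unknown user"
    return "allow" if host_allowed(entry, hostname) else "deny"


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for uid, host in [("peter", "gnome.example.org"),
                      ("peter", "seamus.example.org"),
                      ("hans", "seamus.example.org"),
                      ("mailonly", "gnome.example.org"),
                      ("anna", "wall.example.org")]:
        print(f"{uid:9s} on {host:20s} -> {login_decision(directory, uid, host)}")
```

Note that this gives the nate's-style restriction without the /usr/local/bin/bash trick: the shell stays the same everywhere, and the set of machines a user may log in to is the multi-valued `host` attribute on that one LDAP entry, so granting or revoking a host is a single attribute change.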
