Understanding LDAP structures
I am struggling to understand the concepts behind ldap databases. All the
HOWTOs that I've read seem to start with the assumption that you already
understand the concept, or you can design your own structure.
Let me explain what I want to do, and perhaps someone can tell me how I should
structure my ldap database.
I want an ldap server to help me manage the people I know about and to control
access to my home network.
There will be several classes of user/access needed.
a) Admin access - access for me to configure and control things. I need my own
account and access to root.
b) General family access account - a pseudo account with no password, so that
the whole family can access shared machines (like a win98 family machine) - or
samba can provide a general fileshare or access to printers.
c) Specific family member accounts - mainly to provide controlled access to
mail (stored in Unix account home dir/Maildirs) with pop3 and imap login.
This needs to include me. I would like these people to have the same
accounts on a number of linux machines. I would also like them to be able to
control the cupsys printer through its web interface by entering the same
password as the mail accounts. I will probably also put up webmail at some
point and want the same access control for that.
d) General family member accounts - mainly to share my domain name among my
relatives for mail but to forward the mail on to their normal isp.
e) Groups of people (including family members, but potentially friends as
well) who I can set up to use ldap to control access to different parts of my
internal web site.
f) Groups of people (different possibly from the web access above) who can
have an account on my main server to have ssh access in through my firewall.
I would like to be able to store their public ssh keys in the ldap database.
I do not want them to have general access to any other machines in my network
(except I want access in and be able to ssh about the internal machines). I
am thinking here about such things as controlled access to cvs or equivalent
in an open source project.
g) A general e-mail address book for the family with e-mail addresses and
other values. I would like to synchronise my palm pilot with a subset of it.
I think I can figure out how to use the ldap database for the different
things, but I must admit I am totally confused about how to set up the data
that is in it. Most of the documentation throws around terms like "dn", "dc"
and "cn" and concepts like objectclasses and top and posixAccount and
attributes etc as though you already know what they mean and the relationship
to each other.
How should I structure the database, and what are the relationships between the
I have installed the debian ldap packages including libpam-ldap and
libnss-ldap, but how do I populate the database, and what is the relationship
between its contents and files like /etc/passwd (which have a whole load more
accounts than I am particularly interested in)?
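One way to lay out the tree for the setup described in the post, written here as an added example and not taken from the original message; the suffix dc=home,dc=example, the uid/gid numbers and the person and group names are assumptions, and the file is meant to be loaded with ldapadd against an empty OpenLDAP directory:

```ldif
# Added example: skeleton tree for the setup above. The suffix dc=home,dc=example
# is an assumption; substitute your own domain components (dc = domain component).
dn: dc=home,dc=example
objectClass: dcObject
objectClass: organization
dc: home
o: Home network

# ou (organizational unit) entries separate people from groups under the suffix.
dn: ou=People,dc=home,dc=example
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=home,dc=example
objectClass: organizationalUnit
ou: Groups

# A family member with a Unix login. posixAccount carries the /etc/passwd fields,
# shadowAccount the /etc/shadow ones, inetOrgPerson the mail and address-book data.
# The dn is uid plus the parent's dn; cn is the display name, not the login name.
dn: uid=alice,ou=People,dc=home,dc=example
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
sn: Example
mail: alice@home.example
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
loginShell: /bin/bash
# Store only a salted hash (output of slappasswd -h {SSHA}), never cleartext.
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# posixGroup entries: the primary group for the family, and a separate group that
# only grants web-site access. memberUid lists the uid values of member entries.
dn: cn=family,ou=Groups,dc=home,dc=example
objectClass: posixGroup
cn: family
gidNumber: 10000
memberUid: alice

dn: cn=webusers,ou=Groups,dc=home,dc=example
objectClass: posixGroup
cn: webusers
gidNumber: 10010
memberUid: alice
```

A relative who only needs mail forwarded gets an inetOrgPerson entry without posixAccount, so libnss-ldap never turns it into a Unix login on any machine; only entries carrying posixAccount show up alongside /etc/passwd, and nothing from /etc/passwd has to be copied into the directory.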