
Understanding LDAP structures

I am struggling to understand the concepts behind ldap databases.  All the 
HOWTOs that I've read seem to start with the assumption that you already 
understand the concept, or you can design your own structure.

Let me explain what I want to do, and perhaps someone can tell me how I should 
structure my ldap database.

I want an ldap server to help me manage the people I know about and to control 
access to my home network. 

There will be several classes of user/access needed.

a)  Admin access - access for me to configure and control things. I need my own 
account and access to root.
b)  General family access account - a pseudo account with no password, so that 
the whole family can access shared machines (like a win98 family machine), or 
samba can provide a general fileshare or access to printers.
c)  Specific family member accounts - mainly to provide controlled access to 
mail (stored in Unix account home dir/Maildirs) with pop3 and imap login.  
This needs to include me.  I would like these people to have the same 
accounts on a number of linux machines.  I would also like them to be able to 
control the cupsys printer through its web interface by entering the same 
password as the mail accounts.  I will probably also put up webmail at some 
point and want the same access control for that.
d)  General family member accounts - mainly to share my domain name among my 
relatives for mail but to forward the mail on to their normal isp.
e) Groups of people (including family members, but potentially friends as 
well) who I can set up to use ldap to control access to different parts of my 
internal web site.
f)  Groups of people (different possibly from the web access above) who can 
have an account on my main server to have ssh access in through my firewall.  
I would like to be able to store their public ssh keys in the ldap database. 
I do not want them to have general access to any other machines in my network 
(except that I want access in and to be able to ssh about the internal machines). I 
am thinking here about such things as controlled access to cvs or equivalent 
in an open source project. 
g) A general e-mail address book for the family with e-mail addresses and 
other values.  I would like to synchronise my palm pilot with a subset of it.

I think I can figure out how to use the ldap database for the different 
things, but I must admit I am totally confused about how to set up the data 
that is in it.  Most of the documentation throws around terms like "dn", "dc" 
and "cn" and concepts like objectclasses and top and posixAccount and 
attributes etc as though you already know what they mean and the relationship 
to each other.

How should I structure the database, and what is the relationship between the 
various parts?

I have installed the debian ldap packages including libpam-ldap and 
libnss-ldap, but how do I populate the database, and what is the relationship 
between its contents and files like /etc/passwd (which have a whole load more 
accounts than I am particularly interested in)?
-- 
Alan Chandler
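As an added illustration of how the pieces named in the question fit together (this is not part of the original message, and every domain, name, number and password in it is a constructed placeholder), here is an LDIF file describing one possible tree for the requirements above:

```ldif
# Constructed example tree for a home network; all values are placeholders.
# The suffix dc=home,dc=example mirrors a DNS name: each "dc" is one label.
dn: dc=home,dc=example
objectClass: top
objectClass: dcObject
objectClass: organization
dc: home
o: Home network

# Containers (organizational units) keep people separate from groups.
dn: ou=People,dc=home,dc=example
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=home,dc=example
objectClass: organizationalUnit
ou: Groups

# One family member. inetOrgPerson supplies the address-book fields (cn, sn,
# mail); posixAccount adds exactly the fields libnss-ldap maps onto a
# passwd(5) line; shadowAccount lets libpam-ldap handle password/expiry.
dn: uid=alice,ou=People,dc=home,dc=example
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
sn: Example
mail: alice@home.example
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: PLACEHOLDER-replace-with-slappasswd-output

# Unix primary group as seen by "getent group"; memberUid lists login names.
dn: cn=family,ou=Groups,dc=home,dc=example
objectClass: posixGroup
cn: family
gidNumber: 10000
memberUid: alice

# Access-control group that refers to members by DN (usable for web auth);
# groupOfNames requires at least one member.
dn: cn=webusers,ou=Groups,dc=home,dc=example
objectClass: groupOfNames
cn: webusers
member: uid=alice,ou=People,dc=home,dc=example
```

The posixAccount attributes (uid, userPassword, uidNumber, gidNumber, homeDirectory, loginShell) are the same fields as a /etc/passwd line, so the directory holds only the accounts you choose to put there while the local passwd file continues to serve the rest; storing ssh public keys needs an extra schema beyond the default set (for example the openssh-lpk ldapPublicKey objectClass), which is why it is left out here.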