Re: Understanding LDAP structures
> I am struggling to understand the concepts behind ldap databases. All the
> HOWTOs that I've read seem to start with the assumption that you already
> understand the concept, or you can design your own structure.
Have you seen mine?
http://howto.aphroland.de/HOWTO/LDAP
I try to explain it in great detail.
> a) Admin access - access to me to configure and control things I need my
> own account and access to root.
> b) General family access account - a pseudo account with no password, so
> that the whole family access shared machines (like a win98 family
> machine) - or samba can provide a general fileshare or access to printers
> c) Specific family member accounts - mainly to provide controlled access
> to mail (stored in Unix account home dir/Maildirs) with pop3 and imap
> login. This needs to include me. I would like these people to have the
> same accounts on a number of linux machines. I would also like them to
> be able to control the cupsys printer through its web interface by
> entering the same password as the mail accounts. I will probably also
> put up webmail at some point and want the same access control for that.
Everything above is easy except cups. I haven't investigated much,
but the only way that cups is allowed to be controlled by default is
with the root password. Maybe cups can support PAM, not sure.
> I think I can figure out how to use the ldap database for the different
> things, but I must admit I am totally confused about how to set up the
> data that is in it. Most of the documentation throws around terms like
> "dn", "dc" and "cn" and concepts like objectclasses and top and
> posixAccount and attributes etc as though you already know what they mean
> and the relationship to each other.
My howto covers those concepts for the most part. Pretty much everything
you want to do is possible with LDAP, though the one question mark other
than cups is storing SSH keys in LDAP; I wouldn't recommend this, unless
you somehow have a version of SSH that can extract keys from LDAP
automatically (in which case send me a copy).
Don't expect to have such a system in place overnight; it will take
some time to learn how things work. Check out my howto, get your
database up, get PAM and NSS running, get postfix or whatever MTA you
prefer (postfix is covered in my howto) talking to LDAP. Check out the
host ACL section for restricting access to hosts/services.
> I have installed the debian ldap packages including libpam-ldap and
> libnss-ldap but how do I populate the database and what is the
> relationship between its contents and files like /etc/passwd (which have
> a whole load more accounts than I am particularly interested in).
I strongly recommend recompiling all of the packages with SSL support.
This too is covered in my howto, though be sure to get the source
packages from security.debian.org, not the normal distribution sites,
since they were updated a few months ago.
And of course, if you have questions or have feedback, almost all of
the pages on my howto site allow users to post comments.
nate
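As an added illustration of the terms the question asks about (not code from the thread or from nate's howto), here is the requested layout written as LDIF, with a small checker for the two structural rules those terms encode. The base dc=example,dc=org, the account names and the placeholder password hash are assumptions.

```python
# Added example, not from the thread or nate's howto; dc=example,dc=org and all
# names below are assumed. It writes the asked-for layout as LDIF and checks two
# rules the terms encode: a dn must hang below an entry that already exists, and
# objectClass posixAccount requires the attributes libnss-ldap needs for passwd.
POSIX_ACCOUNT_MUST = {"uid", "cn", "uidNumber", "gidNumber", "homeDirectory"}

FAMILY_LDIF = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
dc: example
o: Example Family

dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

dn: uid=family,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: family
cn: Shared family login
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/family
userPassword: {SSHA}PLACEHOLDER-generate-with-slappasswd

dn: uid=alice,ou=Mail,dc=example,dc=org
objectClass: posixAccount
uid: alice
cn: Alice
uidNumber: 1001
"""

def check_tree(text):
    """Return problems found; an empty list means the LDIF is structurally sound."""
    problems, seen = [], set()
    for block in text.strip().split("\n\n"):   # LDIF entries are blank-line separated
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        dn = attrs.pop("dn")[0]
        parent = dn.split(",", 1)[1]           # strip the RDN (uid=alice, ou=People, ...)
        if seen and parent not in seen:        # the first entry is the suffix itself
            problems.append(f"{dn}: parent {parent} does not exist")
        if "posixAccount" in attrs.get("objectClass", []):
            missing = POSIX_ACCOUNT_MUST - set(attrs)
            if missing:
                problems.append(f"{dn}: posixAccount requires {sorted(missing)}")
        seen.add(dn)
    return problems
```

Running check_tree(FAMILY_LDIF) reports the deliberately broken alice entry twice: its parent ou=Mail was never created, and it lacks gidNumber and homeDirectory, so slapadd would reject it and NSS could not map it to a passwd line.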