Re: Understanding LDAP structures
On Saturday 19 Apr 2003 10:31 pm, nate wrote:
>
> http://howto.aphroland.de/HOWTO/LDAP
Yes - one of the clearer ones. But I note you seem to be having some
conceptual problems - you say you are not really sure what objectClass is
all about.
However, in the section on configuring the database you list out what you have
done and what each of the fields means, but you don't say WHY you have done it
that way. Without that information I can't design my own structure rather
than just copy yours.
I also think I am getting confused between information that defines the
structure and the actual records themselves.
So far I have set up what's there with standard Debian install. This asks me
what the base suffix is, and that's set
dc=chandlerfamily, dc=org, dc=uk
I can now browse what I have with gq and this seems to have three sub sections
below this. There are
cn=admin
ou=people, and
ou=roaming
Now, why are these particular two letters used (i.e. cn, or ou) and where do I
find out what they are? If I go to any one of them there are a whole set of
parameters set - again I have no idea what they are.
Now if I am to extend beyond what's there and add new sections, then I
obviously need to understand enough of what's there and why so that I can add
my bits.
I wrote the following things I am trying to do ...
> > a) Admin access - access to me to configure and control things I need my
> > own account and access to root.
What I mean by that is that if I login as root, it will prompt and check for a
password which it looks up in the ldap server. If I login as "alan" then the
same password will be looked up.
So what I want to do is setup a record for me in the ldap server (under
people?) which somehow links the unix account "root" and the unix account
"alan" to this record.
> > b) General family access account - a pseudo account with no password, so
> > that the whole family access shared machines (like a win98 family
> > machine) - or samba can provide a general fileshare or access to
> > printers
I see this as a special entry under people with the name like guest. But
because there is a difference between this entry and the one from a) above
would I have to somehow create sub-sections of people in order to have
different parameters?
> > c) Specific family member accounts - mainly to provide
> > controlled access to mail (stored in Unix account home dir/Maildirs)
> > with pop3 and imap login. This needs to include me. I would like these
> > people to have the same accounts on a number of linux machines. I would
> > also like them to be able to control the cupsys printer through its web
> > interface by entering the same password as the mail accounts. I will
> > probably also put up webmail at some point and want the same access
> > control for that.
>
> everything above is easy except cups, I haven't investigated much
> but the only way that cups is allowed to be controlled by default is
> with the root password. maybe cups can support PAM, not sure.
I am not so much worried about the mechanisms to support the ldap access -
although it's not set at the moment and I would have to work it through. What
I don't understand is how to put a record in the database that says this
particular entry is allowed cups access.
...
and so on -
--
Alan Chandler
alan@chandlerfamily.org.uk