Re: Understanding LDAP structures
Alan Chandler said:
> However, in the section on configuring the database you list out what you
> have done and what each of the fields mean, but you don't say WHY you
> have done it that way. Without that information I can't design my own
> structure rather than just copy yours.
Well, I did it that way to get as much info in there as I could.
> ou=people, and
> Now, why are these particular two letters used (i.e. cn, or ou) and where do
> I find out what they are. If I go to any one of them there are a whole
> set of parameters set - again I have no idea what they are.
cn is "common name" I think, and it defines an LDAP object (for lack of a better
term), the "leaf of a branch"; the ou is Organizational Unit and defines
a tree branch.
As for what the ou= entries are, they can be anything you want them to
be. The roaming ou entry is intended for use with Netscape roaming
profiles, but there's no restriction; you can store Netscape roaming profiles
in an ou named "IBM Thinkpads" if you wanted. You can store Samba info
in ou=roaming if you want; it just comes down to telling the client apps
where to search for the data they will need.
> What I mean by that is that if I login as root, it will prompt and check
> for a password which it looks up in the ldap server. If I login as
> "alan" then the same password will be looked up.
> So what I want to do is setup a record for me in the ldap server (under
> people?) which somehow links the unix account "root" and the unix account
> "alan" to this record.
I am not sure if OpenLDAP can do this. Not sure why you would want
to; you're saying you want to be logged in as root even though you're telling
the system to log you in as alan?? Authenticating off LDAP is easy
with PAM and NSS, which is explained in detail in my howto, but linking
of entries to other entries I think I remember as not being supported
in OpenLDAP at the moment (at least 2.0.x; maybe 2.1.x is different). Though
I think it is technically possible (some other LDAP servers, perhaps NDS,
can do this).
> I see this as a special entry under people with the name like guest. But
> because here is a difference between this entry and the one from a) above
> would I have to somehow create sub-sections of people in order to have
> different parameters?
Yes. What I do is create the first entry, then use ldapexplorer to
make new ones: just change the existing data and hit the 'new/add' button.
> I am not so much worried about the mechanisms to support the ldap access -
> although it's not set at the moment and I would have to work it through.
> What I don't understand is how to put a record in the database that says
> this particular entry is allowed cups access.
Someone else pointed out that CUPS can be managed by users that belong
to the group lpadmin. Never tried this myself but will eventually; that
would be cool if it worked. If this is the case, just put them in the
group lpadmin: create a group called lpadmin and add memberUid attributes
that have the usernames of the people to belong to that group (1 memberUid
attribute per username).
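As an added example (my own, not part of the original thread or the howto), here is what that lpadmin group entry looks like as LDIF, generated from a list of usernames with exactly one memberUid per user, plus a small check of whether a given user would be seen as a member. The base DN, the ou=groups container and the gidNumber are assumptions; pick values that fit your own tree.

```python
# Added example: build the posixGroup 'lpadmin' entry described in the post
# and check membership from an LDIF dump. BASE_DN, GROUP_OU and LPADMIN_GID
# are assumed/constructed values, not anything from the original thread.

BASE_DN = "dc=example,dc=com"   # assumed base DN of the directory
GROUP_OU = "ou=groups"          # assumed container for posixGroup entries
LPADMIN_GID = 1200              # constructed gidNumber; must be unused locally


def lpadmin_group_ldif(usernames, gid=LPADMIN_GID):
    """Return LDIF for cn=lpadmin with one memberUid attribute per username.

    Duplicate names are collapsed (order preserved): the post's rule is one
    memberUid per user, and slapd rejects duplicate values of an attribute.
    """
    unique = []
    for user in usernames:
        if user not in unique:
            unique.append(user)
    lines = [
        f"dn: cn=lpadmin,{GROUP_OU},{BASE_DN}",
        "objectClass: top",
        "objectClass: posixGroup",   # posixGroup requires cn and gidNumber
        "cn: lpadmin",
        f"gidNumber: {gid}",
    ]
    lines += [f"memberUid: {user}" for user in unique]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text):
    """Parse one flat LDIF entry into {attribute: [values]}.

    Handles only the simple 'attr: value' form (no base64 '::' values and no
    continuation lines), which is all the generated entry uses.
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def is_lpadmin(entry, username):
    """True if this parsed entry is the lpadmin group and lists the user."""
    return entry.get("cn") == ["lpadmin"] and username in entry.get("memberUid", [])


# Constructed sample input: two admins, with one name repeated by mistake.
SAMPLE_LDIF = lpadmin_group_ldif(["alan", "root", "alan"])
```

Feed the output to `ldapadd` against your server, then confirm with `getent group lpadmin` that NSS resolves the group before expecting CUPS to honour it.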