Differences between revisions 17 and 18
Revision 17 as of 2010-07-15 17:36:25
Size: 10324
Editor: PetterReinholdtsen
Comment: Draft description of LDAP structure in Lenny.
Revision 18 as of 2010-07-15 17:45:30
Size: 10519
Editor: PetterReinholdtsen
Comment: More entries in the suggestion.
Line 87: Line 87:
       * dc=intern (SOA entry)
         * dc=_tcp
           * dc=_ldap (SRV entry)
         * dc=ldap (CNAME)
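Review bot: the ou=dns entries added here (dc=intern with its SOA, the dc=_tcp/dc=_ldap SRV record and the dc=ldap CNAME) live under ou=services, while the paragraph below the tree says host-specific DNS data belongs in the ipdevices subtrees; the hunk should state that only zone-level records (SOA, service SRV records, service aliases) go here and that per-host forward/reverse records stay with the host object, so it is clear which subtree the PowerDNS LDAP backend listed under Requirements has to search for each kind of record.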
Line 88: Line 92:
       * sambaDomainName=SKOLELINUX
       * cn=smbadmin
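Review bot: unlike the dns hunk, the two ou=samba entries carry no description; say what sambaDomainName=SKOLELINUX holds (the Samba domain object) and whether cn=smbadmin is an account, because an account placed under ou=services sits outside the ou=unixsystem subtree that NSS clients are pointed at and would need its own access rules.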
Line 89: Line 95:
     * ou=automount

New LDAP structure for Debian Edu

With the development of the Squeeze-based version of Debian Edu, the LDAP directory structure in use is being reviewed. Part of the background is that the traditional web interface for administrating users and computers in LDAP, LWAT, no longer works, and an alternative is being considered.

The LDAP structure in Debian Edu/Lenny

  • dc=skole,dc=skolelinux,dc=no (base for NSS)
    • ou=People (posixAccount entries)
      • ou=Machines (host entries for samba)
    • ou=Group (posixGroup entries)
    • ou=Netgroup
    • ou=Automount
    • ou=Variables
    • ou=Attic
    • ou=hosts (DNS forward and reverse entries for all hosts)
    • cn=dhcp (DHCP server entry with config reference)
    • cn=DHCP Config (DHCP configuration and host entries)
    • ou=Pam (unused)
    • ou=Domains (unused)

A computer / IP device has three or four LDAP objects: two under ou=hosts (forward and reverse DNS) and one under DHCP Config (MAC -> DNS name mapping). Samba clients have one object under People->Machines as well.

All users have posixAccount, and their user names might be listed in posixGroup and nisNetgroup objects.

Requirements

  • Need to work with NSS (libnss-ldapd or sssd).
  • Need to work with PowerDNS using LDAP backend.
  • Need to work with ISC DHCP using LDAP backend.

Wishes for the new structure

  • The NSS part of the LDAP tree should be separated into a subtree, to allow LDAP objects to be moved outside this subtree to become invisible in NSS. This is useful when moving users to the attic instead of just removing them, to make it easy to restore a disabled/"removed" user when needed. (Why use an attic? Why not use a deleted attribute? - Because the default setup for LDAP NSS clients is to look for objectclass=posixaccount without any more filtering, and it is a pain to have to add more filtering to these clients. Better to move the object to an unseen part of the LDAP tree. [pere 2010-07-09])

  • Having only one LDAP object for each computer, to avoid the possibility of an inconsistent setup for computers in LDAP. At the moment there are several: one DHCP object, one forward DNS object, one reverse DNS object and one Samba host object (are there more?).
  • Allowing several departments/schools to share the same structure while allowing delegation of privileges to the users/groups/computers in each department.
  • Storing LDAP objects for central services separately from the users and groups belonging to schools, to allow access to these to be different from the users and groups.
  • A subtree for people exported in the format specified by the FEIDE project in Norway. It is a federation specification for cross-site authentication.

  • The structure should be as simple as possible, but allow for a more complex / structured setup for schools that want it or for sites administrating several schools using the same LDAP database.
  • The most used setup is, as far as I know, having one server for one school, independent of other schools in the same municipality. I would like to have an advanced setup, where the DIT is split into several subtrees which are on separate servers in different schools belonging to one municipality, holding the master.

Ideas for a new structure

  • As LDAP is case insensitive, use only one case for all names (lower case?).

Overview of the DIT used in CipUX: http://wiki.cipux.org/documentation/dit

I (jever) found today [2010-07-10] this and this diagram describing something we perhaps want. For those who can read German, there are four articles describing the setup shown in the diagrams. The first can be found here. The others are linked from there so everyone interested can find them.

Suggestion / idea

This is not meant as a concrete proposal, but instead as a starting point for the discussion. (Petter)

  • dc=skole,dc=skolelinux,dc=no
    • ou=unixsystem (NSS clients are pointed to this subtree)
      • ou=netgroups
      • ou=filegroups
      • ou=users
      • ou=ipdevices (computers, printers, etc)
      • ou=school1
        • ou=netgroups
        • ou=filegroups
        • ou=users
        • ou=ipdevices
      • ou=school2
        • ...
      • ou=ipnetworks
    • ou=services
      • ou=kerberos
      • ou=dhcp
      • ou=dns
        • dc=intern (SOA entry)
          • dc=_tcp
            • dc=_ldap (SRV entry)
          • dc=ldap (CNAME)
      • ou=samba
        • sambaDomainName=SKOLELINUX
        • cn=smbadmin
      • ou=mail
      • ou=automount
    • ou=templates
    • ou=attic
      • ou=netgroups
      • ou=filegroups
      • ou=users
    • ou=feide

The ipdevices subtrees should include the host-specific information used by DNS, DHCP and Samba. The user object should contain the information used by Kerberos and the mail system. The services subtree should only hold the common setup; the user- and ipdevice-specific information should be in the unixsystem subtree.

GOsa² based computer structure

Here I paste two different computers from a GOsa² working environment. The first one is a basic computer, also with the DHCP / DNS entries; those entries are created when Save is clicked in the interface.

dn: cn=compute-node-1-5,ou=workstations,ou=systems,dc=acme,dc=be
gotoNtpServer: vador
cn: compute-node-1-5
ghSoundAdapter: -
gotoLastUser: -
gotoLdapServer: 1:vador:ldap://vador.acme.be:389/dc=acme,dc=be
FAIdebianMirror: http://vador.acme.be/debian/
gotoXColordepth: 8
gotoXKbLayout: fr
gotoXKbVariant: nodeadkeys
gotoXMouseport: /dev/input/mice
goFonHardware: automatic
objectClass: top
objectClass: gotoWorkstation
objectClass: GOhard
objectClass: FAIobject
macAddress: 00:1c:c4:97:72:18
gotoXResolution: 1280x1024
ghCpuType: AuthenticAMD / Dual-Core AMD Opteron(tm) Processor 8220 - 2813.052
gotoXKbModel: pc104
ghGfxAdapter: ATI ES1000 515E
ghMemSize: 16473316
gotoXMouseType: explorerps/2
ghUsbSupport: true
gotoXHsync: 30-95
gotoXDriver: radeon
gotoXVsync: 40-100
gotoXMonitor: Smart Cable
gotoHardwareChecksum: EzzPkhDW6YB+9spP+ixamA
gotoBootKernel: linux-image-2.6-amd64
FAIclass: NOEUD-BASE :squeeze
FAIstate: install
ipHostNumber: 10.151.53.135
description:: T3B0ZXJvbiBxdWFkcmktcHJvIG7CsDU=
gotoMode: locked
ghIdeDev: TSSTcorpCDW/DVD TS-L462D
ghNetNic: Broadcom NetXtreme II BCM5706 Gigabit Ethernet
gotoModules: amd74xx
gotoModules: ata_generic
gotoModules: aufs
gotoModules: auth_rpcgss
gotoModules: bnx2
gotoModules: cciss
gotoModules: cdrom
gotoModules: exportfs
gotoModules: fan
gotoModules: fscache
gotoModules: hid
gotoModules: ib_mad
gotoModules: ide_cd_mod
gotoModules: ide_core
gotoModules: ide_generic
gotoModules: ide_pci_generic
gotoModules: ipmi_msghandler
gotoModules: ipmi_si
gotoModules: joydev
gotoModules: k8temp
gotoModules: libata
gotoModules: lockd
gotoModules: nfs
gotoModules: processor
gotoModules: psmouse
gotoModules: serio_raw
gotoModules: shpchp
gotoModules: soundcore
gotoModules: sunrpc
gotoModules: thermal
gotoModules: thermal_sys
gotoModules: uhci_hcd
gotoModules: usbhid

dn: cn=compute-node-1-5,cn=dhcp,cn=vador,ou=servers,ou=systems,dc=acme,dc=be
dhcpOption: host-name compute-node-1-5
dhcpStatements: fixed-address 10.10.53.135
cn: compute-node-1-5
objectClass: top
objectClass: dhcpHost
dhcpHWAddress: ethernet 00:1c:c4:97:72:18

dn: relativeDomainName=compute-node-1-5,zoneName=hpslab.acme.be.,cn=vador,ou=servers,ou=systems,dc=hpslab,dc=acme,dc=be
objectClass: top
objectClass: dNSZone
dNSClass: IN
zoneName: hpslab.acme.be.
relativeDomainName: compute-node-1-5

dn: relativeDomainName=compute-node-1-5,relativeDomainName=compute-node-1-5,zoneName=hpslab.acme.be.,cn=vador,ou=servers,ou=systems,dc=hpslab,dc=acme,dc=be
objectClass: top
objectClass: dNSZone
dNSClass: IN
zoneName: hpslab.acme.be.
relativeDomainName: compute-node-1-5
aRecord: 10.10.53.135

The second one is a server:

dn: cn=vador,ou=servers,ou=systems,dc=hpslab,dc=acme,dc=be
cn: vador
macAddress: 00:1b:78:37:38:0e
gotoMode: locked
gotoSysStatus: new-system
ghNetNic: Hewlett-Packard Company HP 110T PCIe Gigabit Server Adapter
ghCpuType: GenuineIntel / Intel(R) Xeon(R) CPU 5160 @ 3.00GHz - 2999.963
gotoXKbModel: pc104
ghGfxAdapter: ATI ES1000 515E
ghMemSize: 10267704
gotoXMouseType: explorerps/2
ghUsbSupport: true
gotoXHsync: 30+50
gotoXDriver: radeon
gotoXVsync: 30+90
gotoHardwareChecksum: V4KCoPLkQgGtJ6eYH7FnNA
ghIdeDev: HL-DT-ST DVDRAM GSA-T20L
dhcpServiceDN: cn=dhcp,cn=vador,ou=servers,ou=systems,dc=hpslab,dc=acme,dc=be
description: frontal cluster hpslab
FAIstate: install
FAIdebianMirror: auto
ipHostNumber: 10.10.53.160
gotoBootKernel: default
gotoModules: auth_rpcgss
gotoModules: crc_t10dif
gotoModules: edac_core
gotoModules: exportfs
gotoModules: i5k_amb
gotoModules: ib_mad
gotoModules: ide_core
gotoModules: ide_gd_mod
gotoModules: ipmi_msghandler
gotoModules: ipmi_si
gotoModules: loop
gotoModules: lp
gotoModules: reiserfs
gotoModules: sd_mod
gotoModules: serio_raw
gotoModules: sg
gotoModules: shpchp
gotoModules: sr_mod
gotoModules: thermal
goTimeSource: 130.58.102.1
FAIrepository: http://vador.acme.be/debian/|debian.acme.be|squeeze|main,contrib,non-free
FAIrepository: http://vador.acme.be/debian/|debian.acme.be|lenny|main,contrib,non-free
FAIrepository: http://vador.acme.be/debian-security/|debian.acme.be|lenny/updates|main,contrib,non-free
objectClass: GOhard
objectClass: top
objectClass: goServer
objectClass: gotoWorkstationTemplate
objectClass: FAIobject
objectClass: dhcpServer
objectClass: FAIrepositoryServer
objectClass: goLdapServer
objectClass: goNtpServer
goLdapBase: ldap://vador.acme.be:389/dc=hpslab,dc=acme,dc=be
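The wish list above asks for one LDAP object per computer because several objects can drift apart; the first dump shows exactly that, with ipHostNumber 10.151.53.135 on the workstation object but 10.10.53.135 in the DHCP fixed-address and the DNS A record. The following is an added example, not code from this wiki or from GOsa²: it parses LDIF in the form pasted above (folded continuation lines, "attr::" base64 values) and compares the MAC and IP stored in the gotoWorkstation, dhcpHost and dNSZone objects of one computer. The sample LDIF is constructed from the first dump; matching objects by their first RDN and recognising them by attribute presence are assumptions about the GOsa² layout, not GOsa² behaviour.

```python
import base64
# Constructed LDIF in the GOsa² layout shown above: one computer described by a
# gotoWorkstation object, its dhcpHost object and its dNSZone A record.
SAMPLE_LDIF = """\
dn: cn=compute-node-1-5,ou=workstations,ou=systems,dc=acme,dc=be
macAddress: 00:1c:c4:97:72:18
ipHostNumber: 10.151.53.135
description:: T3B0ZXJvbiBxdWFkcmktcHJvIG7CsDU=

dn: cn=compute-node-1-5,cn=dhcp,cn=vador,ou=servers,ou=systems,dc=acme,dc=be
dhcpStatements: fixed-address 10.10.53.135
dhcpHWAddress: ethernet 00:1c:c4:97:72:18

dn: relativeDomainName=compute-node-1-5,relativeDomainName=compute-node-1-5,
 zoneName=hpslab.acme.be.,cn=vador,ou=servers,ou=systems,dc=acme,dc=be
aRecord: 10.10.53.135
"""

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}] with lower-cased attribute names."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:      # "" sentinel flushes the last entry
        if line.startswith(" ") and last:        # folded continuation of a value
            cur[last.lower()][-1] += line[1:]
        elif line:
            last, _, value = line.partition(":")
            if value.startswith(":"):            # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(last.lower(), []).append(value.strip())
        elif cur:                                # blank line ends an entry
            entries.append(cur)
            cur, last = {}, None
    return entries

def check_host(entries, name):
    """List where the objects describing one computer disagree on MAC or IP."""
    seen = {}
    for e in [x for x in entries if x["dn"][0].split(",")[0].endswith("=" + name)]:
        if "macaddress" in e:                    # gotoWorkstation object
            seen["macAddress"] = e["macaddress"][0].lower()
            seen["ipHostNumber"] = e["iphostnumber"][0]
        if "dhcphwaddress" in e:                 # dhcpHost object
            seen["dhcpHWAddress"] = e["dhcphwaddress"][0].split()[-1].lower()
            seen["fixed-address"] = [s.split()[1] for s in e["dhcpstatements"]
                                     if s.startswith("fixed-address ")][0]
        if "arecord" in e:                       # dNSZone A record
            seen["aRecord"] = e["arecord"][0]
    return ["%s=%s but %s=%s" % (a, seen.get(a), b, seen.get(b)) for a, b in
            (("macAddress", "dhcpHWAddress"), ("ipHostNumber", "fixed-address"),
             ("ipHostNumber", "aRecord")) if seen.get(a) != seen.get(b)]
```

Run against an export of the whole ou=systems subtree, the check reports every computer whose DHCP or DNS objects no longer agree with its host object, which is the inconsistency a single-object-per-computer structure is meant to rule out.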