Differences between revisions 8 and 9
Revision 8 as of 2010-07-10 17:02:10
Size: 3938
Editor: KurtGramlich
Comment: Overview what kind of DIT is used in CipUX
Revision 9 as of 2010-07-10 18:37:24
Size: 4054
Editor: ?PetterReinholdtsen
Comment: Add samba services subtree, and move cipu xreference up to the reference section.
Line 31: Line 31:
Overview what kind of DIT is used in CipUX http://wiki.cipux.org/documentation/dit
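Review bot: the edit comment says the CipUX DIT reference is moved up to the reference section, but this hunk only shows the line being added at line 31 with no matching deletion of its earlier occurrence; remove the original line in the same edit so the reference appears once on the page.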
Line 51: Line 53:
     * kerberos
     * dhcp
     * dns
     * mail
     * ou=kerberos
     * ou=dhcp
     * ou=dns
     * ou=samba
     * ou=
mail
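Review bot: the last added entry is rendered as `ou=` and `mail` on two separate lines, which reads as if the entry name were empty; it is the ou=mail entry of the services subtree (the other four additions use the same ou= prefix), so this is a line wrap in the rendered diff rather than a change to the entry, and the new ou=samba entry is the only real addition to that list.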

New LDAP structure for Debian Edu

With the development of the Squeeze-based version of Debian Edu, work is under way to review the LDAP directory structure in use. Part of the background for this is that the traditional web interface for administering users and computers in LDAP, LWAT, is no longer working, and an alternative is being considered.

Wishes for the new structure

  • The NSS part of the LDAP tree should be separated into a subtree, so that LDAP objects can be moved outside this subtree and thereby become invisible to NSS. This is useful for moving users to the attic instead of just removing them, which makes it easy to restore a disabled/"removed" user when needed. (Why use an attic? Why not use a deleted attribute? - Because the default setup for LDAP NSS clients is to look for objectclass=posixaccount without any more filtering, and it is a pain to have to add more filtering to these clients. Better to move the object to an unseen part of the LDAP tree [pere 2010-07-09])

  • Having only one LDAP object for each computer, to avoid the possibility of inconsistent setup for computers in LDAP. At the moment there are several: one DHCP object, one forward DNS object, one reverse DNS object and one Samba host object (are there more?).
  • Allowing several departments/schools to share the same structure while allowing delegation of privileges over the users/groups/computers in each department.
  • Storing LDAP objects for central services separately from the users and groups belonging to schools, so that access to these objects can be controlled differently from access to the users and groups.
  • A subtree for people exported in the format specified by the FEIDE project in Norway. FEIDE is a federation specification for cross-site authentication.

  • The structure should be as simple as possible, but allow for a more complex / structured setup for schools that want it, or for sites administrating several schools using the same LDAP database.

Ideas for a new structure

  • As LDAP is case insensitive, use only one case for all names (lower case?).

Overview of the kind of DIT used in CipUX: http://wiki.cipux.org/documentation/dit

I (jever) found today [2010-07-10] this and this diagram describing something we perhaps want. For those who can read German, there are four articles describing the setup shown in the diagrams. The first can be found here. The others are linked from there so everyone interested can find them.

Suggestion

  • dc=skole,dc=skolelinux,dc=no
    • ou=unixsystem (NSS clients are pointed to this subtree)
      • ou=netgroups
      • ou=filegroups
      • ou=users
      • ou=ipdevices (computers, printers, etc)
      • ou=school1
        • ou=netgroups
        • ou=filegroups
        • ou=users
        • ou=ipdevices
      • ou=school2
        • ...
      • ou=ipnetworks
    • ou=services
      • ou=kerberos
      • ou=dhcp
      • ou=dns
      • ou=samba
      • ou=mail
    • ou=templates
    • ou=attic
      • ou=netgroups
      • ou=filegroups
      • ou=users
    • ou=feide

The ipdevices subtrees should include the host-specific information used by DNS, DHCP and Samba. The user object should contain the information used by Kerberos and the mail system. The services subtree should only hold the common setup for each service; the user- and ipdevice-specific information belongs in the unixsystem subtree.
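As an added illustration (not code from the wiki page or from Debian Edu), here is a small in-memory Python model of the suggested tree that shows the attic point from the wishes list: an NSS client searching ou=unixsystem for objectClass=posixAccount stops seeing an entry as soon as it is re-parented under ou=attic, while the entry and all its attributes remain in the directory. All DNs and entries are constructed, and the helper functions (rdns, in_subtree, nss_search, move_to_attic, build_directory) are assumptions of this example.

```python
# Added example, not from the wiki page or Debian Edu: an in-memory model
# of the suggested DIT, showing why the "attic" hides entries from NSS
# clients that search ou=unixsystem for objectClass=posixAccount without
# any further filtering. All DNs below are constructed (no escaped commas).

BASE = "dc=skole,dc=skolelinux,dc=no"


def rdns(dn):
    """Split a DN into its RDN components, most specific first."""
    return [part.strip() for part in dn.split(",")]


def in_subtree(dn, base):
    """True if dn equals base or lies below it; DN matching is case-insensitive."""
    d = [r.lower() for r in rdns(dn)]
    b = [r.lower() for r in rdns(base)]
    return len(d) >= len(b) and d[-len(b):] == b


def nss_search(directory, base="ou=unixsystem," + BASE, objectclass="posixAccount"):
    """What an NSS client sees: a whole-subtree search under its configured base."""
    return sorted(
        dn for dn, classes in directory.items()
        if in_subtree(dn, base) and objectclass.lower() in [c.lower() for c in classes]
    )


def move_to_attic(directory, dn):
    """Re-parent an entry to the same container (ou=users etc.) under ou=attic.

    Only the DN changes, as an LDAP modrdn with a new superior would do; the
    attributes are untouched, so the entry can be moved back later. The attic
    in the suggestion has no per-school subtrees, so a school ou is dropped.
    """
    parts = rdns(dn)
    new_dn = ",".join([parts[0], parts[1], "ou=attic", BASE])
    directory[new_dn] = directory.pop(dn)
    return new_dn


def build_directory():
    """Constructed sample entries laid out as in the suggested tree."""
    return {
        "uid=jdoe,ou=users,ou=unixsystem," + BASE: ["inetOrgPerson", "posixAccount"],
        "uid=asmith,ou=users,ou=school1,ou=unixsystem," + BASE: ["inetOrgPerson", "posixAccount"],
        "cn=newuser,ou=templates," + BASE: ["inetOrgPerson", "posixAccount"],
        "cn=host1,ou=ipdevices,ou=unixsystem," + BASE: ["device", "ipHost"],
    }


if __name__ == "__main__":
    d = build_directory()
    print(nss_search(d))          # both users; the template outside unixsystem is not seen
    moved = move_to_attic(d, "uid=jdoe,ou=users,ou=unixsystem," + BASE)
    print(moved, nss_search(d))   # jdoe is gone for NSS but still present in the directory
```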
