Differences between revisions 16 and 17
Revision 16 as of 2005-08-02 07:41:07
Size: 3967
Editor: anonymous
Comment:
Revision 17 as of 2005-08-02 07:47:04
Size: 4257
Editor: anonymous
Comment:
Line 3: Line 3:
Lightweight Directory Access Protocol ''Lightweight Directory Access Protocol''

As the name suggests LDAP is a protocol not a database. LDAP uses some backend database which is optimized for reads (such as Berkeley DataBase) to hold the tree it presents, however the distinction is generally not that important and this document may refer to LDAP as if it were the database and protocol both.
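Review bot: the paragraph added in the Line 3 hunk runs two independent statements together ("...to hold the tree it presents, however the distinction is generally not that important...") and spells the backend as "Berkeley DataBase"; split the sentence at "however" and use the product name "Berkeley DB" so readers can find the package. Suggested wording: "LDAP uses a backend database optimised for reads (such as Berkeley DB) to hold the tree it presents. The distinction is generally not important, and this document may refer to LDAP as if it were both the database and the protocol."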
Line 18: Line 20:
 * The LDAP server will contain all other hosts, networks, services, and {{{/etc}}} data. This document will describe both using the services and {{{/etc}}} data and not using it but including it for completeness of the LDAP contents.  * The LDAP server will contain all other hosts, networks, services, and {{{/etc}}} data.
   * Rationale:
This may prove useful in large environments, and in any case ensures completeness of the database.
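Review bot: the Line 18 hunk removes the sentence stating that the document covers both using and not using the services and /etc data, but the rationale that replaces it ("ensures completeness of the database") no longer tells readers that this data is optional; someone who only wants accounts in LDAP loses that signal. Keep a clause such as "the services and /etc data are optional and are included here for completeness" next to the new rationale.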

LDAP

Lightweight Directory Access Protocol

As the name suggests, LDAP is a protocol, not a database. LDAP uses a backend database optimised for reads (such as Berkeley DB) to hold the tree it presents. The distinction is generally not important, and this document may refer to LDAP as if it were both the database and the protocol.

English LDAP Documentation

Objectives

DanielDickinson 2005-08-02 This is my reworking of the ["LDAPAuthentication"] pages to hopefully be more detailed and coherent. In general I have left the old content, in the event it may be helpful for Debian 3.0 'Woody' (the previous release of Debian as of this writing; stable is currently Debian 3.1 'Sarge').

The previous author has a [http://minkirri.apana.org.au/~abo/projects/ldap-auth/ project] for setting this up on his system where he will chronologically document his efforts. He suggests emailing him at abo@minkirri.apana.org.au if "you want me to put more effort into this wiki. Remember it's a wiki so you can just add your own suggestions, solutions, or queries... the more the better." In the same vein, send me WikiMail at DanielDickinson if you have comments or questions. Also, remember that you can change these pages as you see fit; this is a wiki after all.

The Ground Rules

The objective of these documents is to give clear, easy-to-understand instructions for installing and configuring an LDAP server with the following features:

  • The LDAP server will contain all non-system users (i.e. a UID >= 1000)
    • Rationale: System groups are managed by Debian package install scripts using adduser, which means packages installed after LDAP would not create their required users in the LDAP directory.
  • The LDAP server will contain all non-system groups (i.e. a GID >= 1000)
    • Rationale: As with UID. The original author said GID >= 100, however I think that was a typo as my Debian Sarge systems have auto-created users above 100.
  • The LDAP server will contain all other hosts, networks, services, and /etc data.
    • Rationale: This may prove useful in large environments, and in any case ensures completeness of the database.
  • The only special users in LDAP will be the LDAP admin user and the Samba admin user, with no additional "proxy" users.
  • All LDAP special users shall use SSHA crypt.
  • Clients will use NSS with the normal Unix PAM module for authentication.
  • Only root will have access to shadow passwords via NSS.
  • The LDAP PAM module will only be used for 'passwd', 'chfn', and 'chsh' updating of LDAP contents.
    • For the Samba configuration, use of passwd is deprecated and a Samba-aware alternative is preferred.
  • All POSIX passwords shall use ["MD5"] digest hashing.
  • Samba users will also be stored using LDAP.
  • Apache web authentication will be done using LDAP.
  • DNS will be served via LDAP.
  • SSH will not use LDAP (key-based authentication is preferred).
  • The network address book will be LDAP-hosted.
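The ground rules above require the LDAP special users to be stored with SSHA, the salted SHA-1 scheme that OpenLDAP's slappasswd emits by default. The following is an added example, not code from this wiki or from OpenLDAP: it builds and verifies {SSHA} userPassword values in the RFC 2307 layout (base64 of the 20-byte SHA-1 digest followed by the salt) and audits a small set of constructed directory entries for values that do not meet the rule (cleartext, or an unsalted {SHA}/{MD5} digest). The DNs, passwords and salts are constructed for the example; the audit only inspects the scheme prefix, so {CRYPT} values, which carry their own salt, are not flagged.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SHA1_LEN = 20  # SHA-1 digest length; everything after it in the decoded value is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # a fresh per-entry salt defeats precomputed digest tables
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt), rejecting malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("malformed {SSHA} value: digest without salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def verify_ssha(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_scheme(stored: str) -> str:
    """Name the {SCHEME} prefix of a userPassword value, or 'cleartext' if it has none."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return "cleartext"


# Schemes that store no salt: fine for nothing in this setup.
UNSALTED_SCHEMES = {"SHA", "MD5"}


def audit_entries(entries: Dict[str, str]) -> Dict[str, Tuple[str, bool]]:
    """Map each DN to (scheme, weak) where weak means cleartext or an unsalted digest."""
    report = {}
    for dn, stored in entries.items():
        scheme = password_scheme(stored)
        weak = scheme == "cleartext" or scheme in UNSALTED_SCHEMES
        report[dn] = (scheme, weak)
    return report


# Constructed sample entries (not real directory data): one compliant admin entry,
# one unsalted {SHA} value and one cleartext value that the audit should flag.
SAMPLE_ENTRIES = {
    "cn=admin,dc=example,dc=com": make_ssha("constructed-admin-password"),
    "uid=alice,ou=People,dc=example,dc=com":
        "{SHA}" + base64.b64encode(hashlib.sha1(b"constructed-alice-pw").digest()).decode("ascii"),
    "uid=bob,ou=People,dc=example,dc=com": "constructed-bob-plaintext",
}


def audit_sample() -> Dict[str, Tuple[str, bool]]:
    """Run the audit over the constructed sample so the result is reproducible."""
    return audit_entries(SAMPLE_ENTRIES)


if __name__ == "__main__":
    admin_value = SAMPLE_ENTRIES["cn=admin,dc=example,dc=com"]
    print("admin userPassword:", admin_value)
    print("verify correct password:", verify_ssha("constructed-admin-password", admin_value))
    print("verify wrong password:  ", verify_ssha("wrong", admin_value))
    for dn, (scheme, weak) in audit_sample().items():
        print(f"{dn}: scheme={scheme} {'WEAK' if weak else 'ok'}")
```

Values produced by make_ssha can be pasted straight into an LDIF userPassword attribute; slappasswd -h {SSHA} yields the same layout, so the verify function also checks values generated by OpenLDAP's own tool.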

Server Setup

  • ["OpenLDAPSetup"]
    • The ["OpenLDAP"] LDAP server
  • ["PowerDNSLdap"]
    • DNS Server with LDAP Backend
  • ["LDAPMigrationTools"]
    • Migrate Authentication and Name Services (NSS) to LDAP

LDAP Management

  • ["LDAPTools"]

Entry Formats

  • Formats for various LDAP entries: ["LDAPFormats"]

Miscellaneous

  • On Distinguished Names: ?LdapDn


Other English LDAP Documentation on this wiki

LDAP Authentication

  • ["LDAPAuthentication"]

Server Setup

  • ["LDAPMigrationTools"]

Services

NSS, PAM, SSH, and PAM-SAMBA Client Setup

  • ["NSSLDAPSetup"]
  • ["PAMLDAPSetup"]
  • ["SSHLDAPSetup"]
  • ["PAMSAMBALDAPSetup"]

NFS and AutoFS Setup

  • ["NFSServerSetup"]
  • ["AutoFSClientSetup"]

SAMBA Setup

  • ["SAMBAServerSetup"]
  • ["SAMBAClientSetup"]

Using LDAP

  • ["LDAPAuthenticationTools"]


French LDAP Documentation

SSH and LDAP

  • ["DebFrSshLDAP"]

Samba and LDAP

  • ["DebFrSambaLDAP"]

Apache and LDAP

  • ["DebFrLDAP"]