On 04/28/2010 02:25 PM, Adam Sommer wrote:
> Thanks Andreas for creating openldap-dit. For the last couple of days
> I've been testing it, and after a few updates was able to get it to work
> on Lucid. As you mentioned there are a lot of ways to create a

Cool! I think the goal should be to get a starting point that helps newbies to at least *see* something when they point an ldap client to the server, and also allow more seasoned admins to build upon that tree. For me, that means:

- we need a database configured (indexes, checkpoints, caches, DB_CONFIG, etc)
- we need a tree root
- seems like ou=People and ou=Group are pretty common and we should also have them at least
- basic ACLs to protect content that is not even there yet (like userPassword, krb5key, samba hashes, etc)
- basic ACLs to allow for group-delegated based administration
- an admin group, with a member for whom we have a password. This member is what the user should use.

This concept of administration group resonates quite nicely with the default ubuntu sudo setup. It's because of this group based administration that I chose RFC2307bis, because it allows me to use the refint overlay and automatically update the group memberships if the user is removed from the tree, or has his/her name changed, etc.

We can build upon that. A sudo-ldap package, for example, could detect that this tree is in place and offer to:

- add the sudo schema (assuming it was not added by the openldap-dit base package)
- create ou=sudoers and add the group based administration ACLs (if not part of the default dit)
- perhaps even migrate an existing /etc/sudoers to ldap if so desired (there are scripts for that)

The above can all be done dynamically at postinst, because we have cn=config, if the package is installed on the same machine as the ldap server. If not, then it would need ldap credentials to make these changes over the network, but even so it could work.

In karmic, openldap-dit triggers a bug in slapd which starts consuming 100% cpu and hangs. I filed a LP bug with a patch, and it was applied to lucid, but not to the karmic package yet (#485026). It's one of the problems (or risks, should I say) of using these many overlays. Sometimes a specific combination of them triggers a bug, like that case.

--
Andreas Hasenack
andr...@canonical.com
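As an added illustration of the baseline Andreas lists above (this is not code from openldap-dit or from anyone in this thread): a cn=config LDIF that loads and enables the refint overlay and installs the two basic ACLs, locking down the secret attributes and delegating writes to an admin group. Assumed, and not taken from the thread: suffix dc=example,dc=com, database olcDatabase={1}hdb, admin group cn=admins,ou=Group, and the krb5Key and sambaNTPassword/sambaLMPassword attribute names from the Heimdal and Samba schemas.

```ldif
# Added example, not part of openldap-dit or this mail thread.
# Assumptions: suffix dc=example,dc=com, user database {1}hdb,
# admin group cn=admins,ou=Group,dc=example,dc=com (groupOfNames/member),
# and that the Heimdal (krb5Key) and Samba (sambaNTPassword,
# sambaLMPassword) schemas are loaded so those attribute names resolve.
# Apply on the server itself: ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif

# Overlays are shipped as loadable modules; the cn=module{0} entry is the
# one the Ubuntu slapd package creates at install time (assumed present).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

# Basic ACLs. "replace" drops whatever olcAccess rules were there before.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Secrets: admins may set them, users may change their own, everyone
# else may only authenticate against them (never read them back).
olcAccess: {0}to attrs=userPassword,krb5Key,sambaNTPassword,sambaLMPassword
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none
# Rest of the tree: group-delegated administration, world readable so a
# newcomer pointing a client at the server sees something. Tighten to
# "by users read" once anonymous browsing is no longer wanted.
olcAccess: {1}to *
  by group.exact="cn=admins,ou=Group,dc=example,dc=com" write
  by * read

# refint keeps group membership consistent: when a user entry is renamed
# or deleted, its DN is rewritten or removed in member/uniqueMember lists.
dn: olcOverlay=refint,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: refint
olcRefintAttribute: member uniqueMember
```

Verify the result with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess`, and confirm from an unprivileged bind that userPassword and krb5Key do not come back in search results.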