On Wed, Apr 28, 2010 at 1:55 PM, Andreas Hasenack <andr...@canonical.com> wrote:
> I think the goal should be to get a starting point that helps newbies to
> at least *see* something when they point an ldap client to the server,
> and also allow more seasoned admins to build upon that tree.
>
> For me, that means:
> - we need a database configured (indexes, checkpoints, caches,
> DB_CONFIG, etc)
> - we need a tree root
> - seems like ou=People and ou=Group are pretty common and we should also
> have them at least
> - basic ACLs to protect content that is not even there yet (like
> userPassword, krb5key, samba hashes, etc)
> - basic ACLs to allow for group-delegated based administration
> - an admin group, with a member for whom we have a password. This member
> is what the user should use. This concept of administration group
> resonates quite nicely with the default ubuntu sudo setup.
>
> It's because of this group based administration that I chose RFC2307bis,
> because it allows me to use the refint overlay and automatically update
> the group memberships if the user is removed from the tree, or has
> his/her name changed, etc.
>
> We can build upon that. A sudo-ldap package, for example, could detect
> that this tree is in place and offer to:
> - add the sudo schema (assuming it was not added by the openldap-dit
> base package)
> - create ou=sudoers and add the group based administration acls (if not
> part of the default dit)
> - perhaps even migrate an existing /etc/sudoers to ldap if so desired
> (there are scripts for that)
>
> The above can all be done dynamically at postinst, because we have
> cn=config, if the package is installed on the same machine as the ldap
> server. If not, then it would need ldap credentials to make these
> changes over the network, but even so it could work.

I totally agree. I think doing all that for Lucid would be a great thing for new users to OpenLDAP and Ubuntu.

> In karmic, openldap-dit triggers a bug in slapd which starts consuming
> 100% cpu and hangs. I filed a LP bug with a patch, and it was applied to
> lucid, but not to the karmic package yet (#485026). It's one of the
> problems (or risks, should I say) of using these many overlays.
> Sometimes a specific combination of them triggers a bug, like that case.

Ya, it gets complicated pretty quick once you start adding multiple schemas and acls :-). I guess when that happens the tool should fail gracefully and maybe point to documentation on how to manually add the required objects to your tree.

I would really like to see OpenLDAP be a great selling point for Ubuntu Server, and should have time this cycle to help out developing, testing, or whatever needs to be done.

--
Party On,
Adam
--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam