Wed, 2010-04-28 at 14:32 -0300, Andreas Hasenack wrote:
> Having said that, I would certainly be interested in problems with my
> DIT and phpldapadmin or any other tool out there. I can think of one
> already which might break stuff out there, and that is the choosing of
> groups I made which follows RFC2307bis, and not RFC2307. Not all tools
> can cope with that (like smbldaptools, although it's trivial to fix it).

Lately I've been involved in creating an OpenLDAP DIT for schools running on Lucid, and one thing I've been wondering is whether it would be possible to define one standard structure for Ubuntu that all tools would be configured to use by default. That wouldn't take away the possibility of configuring everything differently, but all tools and tutorials would follow this one model.

Out of curiosity I checked what the defaults are in different systems. If I got things written down correctly, the different default structures I could find were:

Hardy slapd package init script and OpenDS:
* ou=People
* ou=Groups

smbldap-tools:
* ou=Users
* ou=Groups
* ou=Computers
* ou=Idmap

openldap-dit and openldap-mandriva-dit are based on RFC2307bis:
* ou=People
* ou=Group
* ou=Hosts
* ou=System Accounts
* ou=System Groups
* ou=Kerberos Realms
* ou=Idmap
* ou=Address Book

Fedora / FreeIPA uses something completely different:
* cn=users,cn=accounts
* cn=groups,cn=accounts
* cn=computers,cn=accounts
* cn=services,cn=accounts
* cn=account inactivation,cn=accounts
* cn=Kerberos

Now different tools have different defaults, and tutorials randomly use some names that probably confuse many people. Having one standard DIT that is installed by default would help a lot with external applications that are not packaged for Ubuntu. For example, Moodle, which is used in schools, can use LDAP, but it needs to be configured properly. Writing a guide for that gets a lot easier if a standard structure is available.

> In fact, one of the things we talked about in the past UDSs, and which
> was done on the slapd package, is to make it so that other packages
> could hook into slapd and fill it with their schema and trees. This is
> possible because of the LDAPI authentication we have in place, which
> maps root (unix id 0) to the ldap admin, so any client that runs as root
> and connects to the LDAPI socket will be the ldap admin. Thus a package
> would be able to, say, inspect the existing schema, upload its own, etc.
> Think about that pdns-backend-ldap package asking in its postinst
> permission to configure the locally running ldap server for its needs,
> for example (with the default answer being "no, don't do that").
> While some (most?) seasoned ldap admins would run away crying just by
> the thought of that, surely LDAP newbies would appreciate it.

As I wasn't aware of openldap-dit until recently, I've been working on a script to initialise slapd with SSL and MIT Kerberos. The idea is that the script first checks which schemas and modules are installed and then adds the missing schemas and modules and configures them. It also makes it possible to dump the current configuration and check for common problems with SSL certificates and such. I'll try to get it uploaded somewhere soon so that others can see if it'd be helpful.

Automatically loading the schemas sounds good, but how to configure overlays and ACLs for everything is something that would probably need some other solution. E.g. we have some needs for ACLs that probably don't make sense outside schools, but are needed for us as we have school districts, schools, superusers, school admins, teachers, pupils, etc.

Veli-Matti

-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
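The "check which schemas and modules are installed, then add the missing ones" step that Veli-Matti describes can be done by reading the slapd cn=config tree (what `slapcat -n 0` or `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config` dumps) rather than guessing from package state. The script below is an added example written for this thread; it is not Veli-Matti's script and not part of the slapd package. It assumes a hypothetical required list of schemas and modules, the Debian/Ubuntu schema LDIF paths under /etc/ldap/schema, and a constructed sample cn=config dump embedded inline so it runs offline. The commands it emits go over the LDAPI socket as root, which is exactly the root-to-admin mapping Andreas mentions, so it should only ever be run by an administrator who has decided the local server is theirs to reconfigure.

```python
"""Compare a slapd cn=config LDIF dump against a required schema/module
list and emit the idempotent ldapadd/ldapmodify steps for the missing ones."""
import re

# Assumed requirements (hypothetical; a site would pick its own list).
# Values are the schema LDIF files shipped by the Debian/Ubuntu slapd package.
REQUIRED_SCHEMAS = {
    "core": "/etc/ldap/schema/core.ldif",
    "cosine": "/etc/ldap/schema/cosine.ldif",
    "nis": "/etc/ldap/schema/nis.ldif",
    "inetorgperson": "/etc/ldap/schema/inetorgperson.ldif",
}
REQUIRED_MODULES = ["back_hdb", "ppolicy", "syncprov"]

# Constructed sample of a cn=config dump: two schemas and one module loaded.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectClass: olcGlobal
cn: config

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core

dn: cn={1}cosine,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}cosine

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=org
"""

ORDER_PREFIX = re.compile(r"^\{\d+\}")          # cn=config ordering tag, e.g. {0}
SCHEMA_DN = re.compile(r"^cn=(\{\d+\})?([^,]+),cn=schema,cn=config$", re.I)


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) entries.
    Folded lines (leading space) are joined; comments are skipped."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)
        dn, attrs = None, {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.lstrip(": ")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def installed_schemas(entries):
    """Schema names loaded under cn=schema,cn=config, without the {N} tag."""
    return {m.group(2).lower() for dn, _ in entries for m in [SCHEMA_DN.match(dn)] if m}


def installed_modules(entries):
    """Module names from every olcModuleLoad value, without {N} tag or .la suffix."""
    return {re.sub(r"\.la$", "", ORDER_PREFIX.sub("", v))
            for _, attrs in entries for v in attrs.get("olcmoduleload", [])}


def module_list_dn(entries):
    """DN of the existing olcModuleList entry, or None if slapd has none yet."""
    for dn, attrs in entries:
        if "olcmodulelist" in (o.lower() for o in attrs.get("objectclass", [])):
            return dn
    return None


def plan(config_ldif, required_schemas=REQUIRED_SCHEMAS, required_modules=REQUIRED_MODULES):
    """Work out what is missing and the LDAPI commands that would add it."""
    entries = parse_ldif(config_ldif)
    missing_schemas = [s for s in required_schemas if s not in installed_schemas(entries)]
    missing_modules = [m for m in required_modules if m not in installed_modules(entries)]
    # Schemas: feed the packaged LDIF to ldapadd over LDAPI (root -> config admin).
    commands = [f"ldapadd -Y EXTERNAL -H ldapi:/// -f {required_schemas[s]}"
                for s in missing_schemas]
    module_ldif = ""
    if missing_modules:
        loads = "".join(f"olcModuleLoad: {m}\n" for m in missing_modules)
        dn = module_list_dn(entries)
        if dn:   # extend the existing module list rather than creating a second one
            module_ldif = f"dn: {dn}\nchangetype: modify\nadd: olcModuleLoad\n{loads}"
            commands.append("ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif")
        else:
            module_ldif = ("dn: cn=module,cn=config\nobjectClass: olcModuleList\n"
                           "cn: module\nolcModulePath: /usr/lib/ldap\n" + loads)
            commands.append("ldapadd -Y EXTERNAL -H ldapi:/// -f modules.ldif")
    return {"missing_schemas": missing_schemas, "missing_modules": missing_modules,
            "commands": commands, "module_ldif": module_ldif}


if __name__ == "__main__":
    result = plan(SAMPLE_CONFIG_LDIF)
    print("missing schemas:", result["missing_schemas"])
    print("missing modules:", result["missing_modules"])
    print("\n".join(result["commands"]))
    print(result["module_ldif"])
```

Because the check is driven by what cn=config actually contains, re-running it after the additions yields an empty plan, which is what makes it safe to call from something like a package postinst; the interesting part a real script still has to add is the overlay and ACL configuration Veli-Matti points out has no obvious generic answer.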