DefaultLDAPDITForUserGroupMgmt

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

Summary

The spec describes a default LDAP DIT to manage Users and Groups using an Ubuntu Server.

Release Note

Rationale

Installing the default openldap package requires a lot of manual steps to get a complete directory infrastructure up and running. Setting up the directory structure requires knowledge of schemas and LDAP trees. Let's provide a default DIT to handle the common use case of managing Users and Groups with an LDAP infrastructure, using Ubuntu Server as the LDAP server.

Use Cases

  • Andrew installs an LDAP server on Ubuntu. After answering basic questions during the installation of the package, he has a default LDAP infrastructure ready to manage Users and Groups. He can set up other systems in his network to authenticate against his new LDAP directory.

Assumptions

User and Group management tools are not covered by this specification.

Design

A default layout suitable for user and group management in a Unix environment will be provided:

Schemas available by default

  • Unix account information:
    • inetorgperson.schema
    • nis.schema

DIT layout

  • dc=example,dc=com
    • ou=People
      • uid=username
    • ou=Groups
      • cn=groupname
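The layout above as LDIF, as an added example that is not part of this spec or of the ubuntu-default-dit package: it builds the base entry, the two containers, one user (inetOrgPerson + posixAccount + shadowAccount, from the schemas listed above) and one posixGroup, and refuses any entry that lacks a MUST attribute of its objectClasses so that a bad entry is caught before it reaches the directory. The MUST sets, the sample user and group names and the numbers are assumptions constructed for the example.

```python
# Added example, not part of the spec: render the "DIT layout" as LDIF and
# reject any entry missing a MUST attribute of its objectClasses.
# MUST sets follow core.schema, inetorgperson.schema and nis.schema (assumed
# here, not copied from the page); all values are constructed samples.
# Assumes plain ASCII attribute values (no base64 "::" LDIF encoding needed).

MUST = {
    "dcObject": {"dc"}, "organization": {"o"}, "organizationalUnit": {"ou"},
    "inetOrgPerson": {"cn", "sn"},  # inherited from person
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"}, "posixGroup": {"cn", "gidNumber"},
}

BASE = "dc=example,dc=com"

def check_entry(attrs):
    """Return the sorted names of MUST attributes the entry lacks."""
    missing = set()
    for oc in attrs.get("objectClass", []):
        missing |= MUST.get(oc, set()) - set(attrs)
    return sorted(missing)

def to_ldif(entries):
    """Render (dn, attrs) pairs as LDIF; raise on a schema-incomplete entry."""
    lines = []
    for dn, attrs in entries:
        if missing := check_entry(attrs):
            raise ValueError(f"{dn}: missing {missing}")
        lines.append(f"dn: {dn}")
        for name, values in attrs.items():
            lines.extend(f"{name}: {v}" for v in values)
        lines.append("")  # blank line separates LDIF records
    return "\n".join(lines)

def default_dit(username, uid_number, groupname, gid_number):
    """Base, ou=People, ou=Groups, one posix user and one posix group."""
    return [
        (BASE, {"objectClass": ["dcObject", "organization"],
                "dc": ["example"], "o": ["Example"]}),
        (f"ou=People,{BASE}", {"objectClass": ["organizationalUnit"], "ou": ["People"]}),
        (f"ou=Groups,{BASE}", {"objectClass": ["organizationalUnit"], "ou": ["Groups"]}),
        (f"uid={username},ou=People,{BASE}", {
            "objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
            "uid": [username], "cn": [username], "sn": [username],
            "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
            "homeDirectory": [f"/home/{username}"], "loginShell": ["/bin/bash"]}),
        (f"cn={groupname},ou=Groups,{BASE}", {
            "objectClass": ["posixGroup"], "cn": [groupname],
            "gidNumber": [str(gid_number)], "memberUid": [username]}),
    ]
```

Write the returned string to a file and load it with ldapadd once slapd is serving the new database.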

Windows networking support

Samba can use LDAP as a backend to store user and machine account information. It uses the samba.schema file available in the samba package.

DIT Layout

The following changes are needed:

  • New container for Computer accounts:
    • dc=example,dc=com
      • ou=Computers
  • New sambaDomain object for domain information:
  • Additional objectClasses for User accounts:
    • sambaSamAccount
  • Additional objectClasses for Groups:
    • sambaGroupMapping

Kerberos support

MIT Kerberos can use LDAP as a backend for its KDB (the KDC database). It uses the kerberos.schema file available in the MIT package.

DIT Layout

The following changes are needed:

  • New krbContainer container for all the realms in a tree:
  • New krbRealmContainer entries to hold realm specific data:

Implementation

OpenLDAP 2.4 will be used as the LDAP server.

A new package, ubuntu-default-dit, will create the DIT structure outlined above. It will use the cn=config infrastructure to install the additional schemas and then create a new database backend to hold the new tree. Editing the slapd configuration by hand shouldn't be needed.

The smbk5pwd overlay will be loaded by default to keep Unix, Samba and Kerberos authentication information synchronised. However, the overlay is designed to support Heimdal; changes may be needed to support the MIT KDB.

Outstanding Issues

  • Should we try to provide optional support in the DIT for Windows Networking and Kerberos via different packages (e.g. ubuntu-samba-dit, ubuntu-kerberos-dit)?
  • How should Samba ID mapping be handled?

Resources

BoF agenda and discussion


DefaultLDAPDITForUserGroupMgmt (last edited 2008-08-06 16:15:55 by localhost)