Look in the Red Hat docs. There you can find a lot of advice on schema writing. But writing a schema is one thing; an app to use it is another issue.
Greg. Sent from HTC Desire Z

17-08-2012 08:27, "Ray" <[email protected]> wrote:

> On 16.08.2012 20:16, Stephen Ingram wrote:
>> On Thu, Aug 16, 2012 at 10:27 AM, Ray <[email protected]> wrote:
>>> On 16.08.2012 19:03, Stephen Ingram wrote:
>>>> On Thu, Aug 16, 2012 at 9:33 AM, Ray <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> I posted this before without getting a response. I think the question is super simple to answer for LDAP experts. I'll try to rephrase the question (in case it was unclear before...)
>>>>>
>>>>> I've been googling quite a while on this topic trying all sorts of keyword combinations and found exactly nothing.
>>>>>
>>>>> LDAP appears to be commonplace; almost every server software I can think of comes with an LDAP authentication module. The services that use the directory may need to have different user bases (i.e. not every Linux user needs to be an IMAP user also, and not every IMAP user should automatically be able to SSH into servers).
>>>>>
>>>>> What is the right way to achieve the above?
>>>>>
>>>>> 1) Have separate LDAP instances running, one for IMAP, the other one for Linux authentication. As there are some users that need both IMAP and Linux access, some users would need to be set up twice.
>>>>>
>>>>> 2) Have all users in one LDAP instance, and have different sets of attributes for IMAP and Linux authentication. Those users with IMAP access have their IMAP attributes filled in and those with Linux logins have their posix account settings filled with values. Some would have both. I do not see how to assign different passwords for the two services for this option. Is there a way?
>>>>>
>>>>> Are there any other options?
>>>>
>>>> Generally the whole purpose of using a directory server (LDAP) is to benefit from centralized and consistent configuration and authentication. As such, most setups use the same user base for everything (in your case IMAP access and shell logins). You just need to point each service (login and IMAP) to your directory and filter based on the existence of certain attributes. For example, only users with the objectclass=mailRecipient would be allowed to login to your IMAP mail store. This can easily be accomplished through the authentication system of your IMAP software (one that supports LDAP authentication).
>>>>
>>>> Steve
>>>
>>> Many thanks for these insights, Steve!
>>>
>>> There are two more questions I have:
>>>
>>> * Is mailRecipient defined somewhere (schema?) or are these objectClasses free for me to choose?
>>
>> mailRecipient is already defined as part of the old Netscape mail server schemas. I'm not sure if it's included in the default 389ds or not. Ultimately, you can roll your own schemas; however, it is not always an easy task, and, thus, many times easier to use an already available schema.
>
> Ok, I see. Rich: also thanks for your reply on this.
>
>>> * Is there a way to have separate passwords for IMAP? Specifically I would like to run Cyrus-imap.
>>
>> No, there can only be one userpassword attribute. Out of curiosity, why would you want your users to have to use different passwords for each service? That sort of disposes of the whole idea of using LDAP auth to begin with. And, yes, Cyrus-IMAP works perfectly with LDAP authentication.
>
> Steve & Rich:
>
> I prefer different passwords because of security concerns: If a user (with both IMAP and SSH access) hacks his/her mail password into a compromised box (keylogger, for instance, internet café...), then the expected damage would be limited to the mail account only. If the same password works for SSH also, then it's possible to screw up all files of that user; worse even, if there is some rights-elevation bug around at the time, then the entire box might be at risk.
>
> Getting a second set of userpassword attributes then either would require me to run a second instance, or I would have to resort to the likes of sasldb for the mail side of things...
>
> Would there be a way to patch some schema file with an extra password attribute ("mailuserpassword")? I have absolutely no clue about schema writing though... is there something you can recommend me to read (book, website, ...) on this topic?
>
> Cheers,
> Ray
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/389-users
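Steve's approach in the thread (one user base, one userPassword attribute, and each service admitted only to entries that carry its objectClass, e.g. mailRecipient for IMAP and posixAccount for shell logins) can be simulated end to end without a running directory server. The following is an added example written for this page; it is not code from the thread, from 389 Directory Server or from Cyrus. The in-memory DIRECTORY entries, the SERVICE_FILTERS strings, the small RFC 4515 filter parser and the escape helper are all constructed here, and the {SSHA} routines reproduce the common salted-SHA-1 storage format only for illustration.

```python
import base64
import hashlib
import hmac
import os
import re


# --- Password storage: one userPassword per entry, kept as {SSHA} ---

def ssha_hash(password, salt=None):
    """{SSHA} as directory servers commonly store it: SHA-1(password + salt), salt appended."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored, password):
    """Verify a cleartext password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


# --- Constructed sample directory (hypothetical entries, not from the thread) ---
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {   # both IMAP and shell access
        "objectClass": ["inetOrgPerson", "posixAccount", "mailRecipient"],
        "uid": ["alice"], "mail": ["alice@example.com"],
        "userPassword": [ssha_hash("alice-pw")],
    },
    "uid=bob,ou=people,dc=example,dc=com": {     # IMAP only: no posixAccount
        "objectClass": ["inetOrgPerson", "mailRecipient"],
        "uid": ["bob"], "mail": ["bob@example.com"],
        "userPassword": [ssha_hash("bob-pw")],
    },
    "uid=carol,ou=people,dc=example,dc=com": {   # shell only: no mailRecipient
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["carol"],
        "userPassword": [ssha_hash("carol-pw")],
    },
}

# Per-service search filters: a service only ever sees entries carrying its objectClass.
SERVICE_FILTERS = {
    "imap": "(&(objectClass=mailRecipient)(uid={uid}))",
    "ssh": "(&(objectClass=posixAccount)(uid={uid}))",
}


def escape_filter_value(value):
    """RFC 4515 escaping, so a user-supplied uid cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text, pos=0):
    """Tiny RFC 4515 parser: supports &, |, !, equality and presence (attr=*)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    if text[pos] in "&|":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    if text[pos] == "!":
        child, pos = parse_filter(text, pos + 1)
        return ("!", [child]), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip(), value), end + 1


def _values(entry, attr):
    # LDAP attribute names are case-insensitive.
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals
    return []


def match_filter(entry, node):
    kind = node[0]
    if kind == "&":
        return all(match_filter(entry, c) for c in node[1])
    if kind == "|":
        return any(match_filter(entry, c) for c in node[1])
    if kind == "!":
        return not match_filter(entry, node[1][0])
    _, attr, value = node
    vals = _values(entry, attr)
    if value == "*":                      # presence test
        return bool(vals)
    return _unescape(value).lower() in [v.lower() for v in vals]


def authenticate(uid, password, service):
    """Bind-style check: the entry must match the service filter, then the single userPassword."""
    flt = parse_filter(SERVICE_FILTERS[service].format(uid=escape_filter_value(uid)))[0]
    matches = [e for e in DIRECTORY.values() if match_filter(e, flt)]
    if len(matches) != 1:
        return False, "no entry matches service filter"
    if not check_password(matches[0]["userPassword"][0], password):
        return False, "bad password"
    return True, "ok"


if __name__ == "__main__":
    for uid, pw, svc in [("alice", "alice-pw", "ssh"), ("bob", "bob-pw", "ssh"), ("carol", "x", "ssh")]:
        print(uid, svc, authenticate(uid, pw, svc))
```

The point the thread makes is visible in the results: bob authenticates to IMAP but is refused by the SSH filter before his password is even examined, while alice, who carries both objectClasses, reaches both services with the one password. The uid is escaped before it is interpolated into the filter so that a value such as `*` is matched literally instead of widening the search.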
