From: Roel van Meer

> Edward Wildgoose wrote:
>> I am at the planning stage of an LDAP deployment, having user accounts, PAM, Courier IMAP, Postnuke and Postfix authentication via LDAP
>>
>> I would be really keen to hear a basic overview of the issues involved in planning this, and where to go for further info. For example where to go to find out about Schemas required, how to plan a domain layout (I have one machine supporting two mail domains...). This is only going to support a few users, but might grow to multiple machines at some point

I also am new to LDAP design, so I'm looking for confirmation/correction, not necessarily suggesting anyone do the same things I have done/will do.

Edward, a good book I've used: Understanding and Deploying LDAP Directory Services, ISBN: 1-57870-070-1. It is very thorough: I only needed about half the book. The book is geared toward large enterprise implementations, but still works for us little enterprises. ;-)

Sometimes the software seems to drive the design of the directory. Courier-IMAP expects certain things, other packages require certain attributes. I had to investigate each application's specific LDAP ability, to get it together.

> Well, it all depends on what you want. Often, it is wise to determine what information is
> a) unlikely to change
> b) representing your system
>
> For example, if the users on your system will always be receiving mail for only one of the domains, it might be wise to create a branch for each domain, and create a branch for the users below those.
>
> If a user may receive mail for addresses under both domains, or none, you shouldn't separate them per domain.

In my installation, a user may receive mail in multiple domains. Those users simply have a "mail" attribute with multiple values. Courier doesn't like multi-valued attributes, but is okay, in this case, since the "mail" attribute is only used to search, not for populating the auth structure.

In general, a user in the system I admin may use one or several of the applications/features controlled under LDAP. For this reason, I put all users at the same level under ou=people,dc=example,dc=com. Anything differentiating them must be controlled by attributes in their DN, or membership in a DN under ou=groups,dc=example,dc=com. Groups will also be used to determine which web sites they can log in to.

> The same thing you can think of when deciding about types of users. In our own systems, we usually split up real unix users from mail or ftp users. That is to make sure unix users (which are required to login with ssh) will not use the same password or account as they use for insecure pop3 or ftp sessions. In this case we have two branches, one for 'real' users, one for virtual users. What we generally do with users for

What about having multiple password attributes under the same DN, like a securePassword and a clearPassword? e.g. Courier-IMAP can be configured to use either a clear text or encrypted password attribute of your choice, if you are not using LDAP_AUTHBIND. I suppose authentication by binding using both passwords would not be possible.

> proftpd, is to link them to a dns domain, determine their homedirectory from that domain name, and have apache automatically determine their homedirectory and website from it..
>
> i'll post some example entries soon..
>
> Regards,
> rolek
> --
> 1A First Alternative <EMAIL: PROTECTED> http://www.alt001.com
> Linvision BV <EMAIL: PROTECTED> (www|devel).linvision.com

--
Kelvin -- http://www.ithorn.org/ -- life is like an analogy.
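A constructed illustration of the flat layout discussed above (all users directly under ou=people, a multi-valued "mail" attribute that is only searched, and web-site access decided by membership under ou=groups). This is added example code, not anything posted to the list; the alice entry, the webusers group and the securePassword attribute name are assumptions.

```python
from collections import defaultdict

# Constructed sample directory (not from the thread): one user receiving mail
# in two domains, one group gating web-site login. securePassword holds a
# labelled placeholder, not a real hash, and is not used by the lookups.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
mail: alice@example.com
mail: alice@example.org
homeDirectory: /home/alice
securePassword: {SSHA}PLACEHOLDER-HASH

dn: cn=webusers,ou=groups,dc=example,dc=com
cn: webusers
member: uid=alice,ou=people,dc=example,dc=com
"""
PEOPLE_BASE = "ou=people,dc=example,dc=com"
GROUPS_BASE = "ou=groups,dc=example,dc=com"

def parse_ldif(text):
    """Return {dn: {attr: [values]}}. Simplified LDIF reader: no base64 (::)
    or continuation lines, but repeated (multi-valued) attributes are kept."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def users_for_address(entries, address):
    """The search step with a (mail=<address>) filter under ou=people: mail is
    matched case-insensitively (LDAP caseIgnore matching) and only used to
    locate the entry; its single-valued uid/homeDirectory feed the auth data."""
    wanted = address.lower()
    return sorted(dn for dn, e in entries.items()
                  if dn.endswith("," + PEOPLE_BASE)
                  and wanted in (m.lower() for m in e.get("mail", [])))

def can_login(entries, user_dn, group_cn):
    """Web-site access is decided by membership in a group under ou=groups."""
    group = entries.get(f"cn={group_cn},{GROUPS_BASE}", {})
    return user_dn in group.get("member", [])
```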
