heya,

On Wednesday 15 June 2005 19:16, Kenny Mann wrote:
> I'm planning on implementing LDAP (just to play -- I've done the same in
> MySQL already)
> I'd like to do virtual hosting, which would involve Apache and Postfix.
> For now, I'm researching the Postfix stuff.
> I have 'Deploying OpenLDAP by Tom Jackiewicz' and an O'Reilly one as well,
> but they don't explain it in enough detail that I understand it.
> I'm thinking I need to make the top container an organization and add
> domains below that, but not 100% certain of how.
> The question I have is can someone point me a direction as to where I can
> learn the structure and meanings of the dc, ou, etc so I can figure out the
> layout of the DIT?
I currently have the following setup:

postfix - uses ldap for authentication with smtp-auth and mail routing.
cyrus - postfix backends into it, uses ldap for authentication
apache - uses ldap for authentication
pam - uses ldap for authentication

and so on, basically every single service in my network uses ldap for authentication.

As you rightly point out structuring the DIT is the key. Unfortunately in my experience there aren't too many books that are actually useful for designing the DIT itself, although they are very handy for actually understanding how LDAP works. My suggestion is to hang in #ldap on freenode and ask people there but fwiw here is how I do it.

Basically I see two main ways of implementing DITs: either you have lots of "groups" that you make people members of and then you filter based on group membership, OR you have users that have lots of different attributes and you filter on attributes. Personally I prefer the group based setup as it means that to find who can access something I can just check a group (less onerous on the LDAP server as I don't have to traverse the entire DIT) but YMMV.

In effect my DIT looks like this:

ou=group,dc=disciplina,dc=net
In here I have actual groups like cn=webmail and I make all people I want to have access to webmail a member of this group.

ou=people,dc=disciplina,dc=net
In here I have normal users. Generally speaking I try NOT to give users authorization attributes, instead I just use these for authentication, ie did they get the password correct.
ou=hosts,dc=disciplina,dc=net
In here I create an entry for each of my machines and have pam check membership of a machine to see if someone is allowed to ssh into the machine.

ou=services,dc=disciplina,dc=net
In here I have a top level entry for each of the services that I use, eg ou=postfix,ou=services,dc=disciplina,dc=net

Under this part of the DIT I then have the superior zones, eg:

dc=net,ou=postfix,ou=services,dc=disciplina,dc=net

net is an object class dNSDomain and then I have each of the domains (that end in .net) associated in here, and this is what postfix looks up against for the actual mail routing to determine where to send things for a given domain (assuming that I host it).

I have some other entries but those are the main ones relevant to your question I think.

b
-- 
Benjamin Smee (strerror)
497F 5E98 1FA0 C313 EA0B 08C7 004A 66ED 448B E78C
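The DIT layout described in the reply above, as an added example that is not part of the original mail: a minimal LDIF parser over a constructed directory fragment, plus the two lookups the layout is shaped for (group-membership authorization and per-domain mail routing under ou=postfix). The suffix and ou names follow the mail; the user alice, the member list of cn=webmail, and example.net with its mXRecord are constructed sample values.

```python
# Added example, not from the original mail: a tiny LDIF parser plus the two
# lookups the DIT above is shaped for (group-based authorization and per-domain
# mail routing). Suffix and ou names follow the mail; alice, webmail's member
# list and example.net with its mXRecord are constructed sample values.

SAMPLE_LDIF = """\
dn: cn=webmail,ou=group,dc=disciplina,dc=net
objectClass: groupOfNames
member: uid=alice,ou=people,dc=disciplina,dc=net

dn: dc=net,ou=postfix,ou=services,dc=disciplina,dc=net
objectClass: dNSDomain

dn: dc=example,dc=net,ou=postfix,ou=services,dc=disciplina,dc=net
objectClass: dNSDomain
mXRecord: 10 mail.disciplina.net
"""

SUFFIX = "dc=disciplina,dc=net"


def parse_ldif(text):
    """Return {dn: {attr: [values]}} from a simple, unfolded LDIF blob."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            current = None
            continue
        attr, value = line.split(": ", 1)
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries


def may_use(entries, uid, service):
    """Authorization as in the mail: one read of cn=<service>,ou=group."""
    user_dn = f"uid={uid},ou=people,{SUFFIX}"
    group = entries.get(f"cn={service},ou=group,{SUFFIX}", {})
    return user_dn in group.get("member", [])


def routing_dn(domain):
    """example.net -> dc=example,dc=net,ou=postfix,...: the superior zone
    dc=net is the parent, so DN label order equals DNS label order."""
    rdns = ",".join(f"dc={label}" for label in domain.split("."))
    return f"{rdns},ou=postfix,ou=services,{SUFFIX}"


def mail_exchangers(entries, domain):
    """mXRecord values postfix would route on; [] means the domain is not hosted."""
    return entries.get(routing_dn(domain), {}).get("mXRecord", [])
```

Note that the domain-to-DN mapping needs no label reversal: a DN is written leaf first, so dc=example sits directly under its superior zone dc=net, exactly as the zones are nested in the mail.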