Hello,
I recently started to work as a systems administrator in a small
municipality (4000 people) in Norway.
In total there are 5 schools with about 450 pupils and 50 teachers. The
two largest schools are located next to each other and connected with a
WLAN link. I plan to implement user accounts for the pupils from grade 5
and up and will share an LDAP server between the 2 schools.
Currently I have an experimental setup with a DIT like this:
dc=vagaskulen,dc=no is the root of the DIT
ou=people : All users (use the nis schema)
ou=groups : All groups
I may also add teachers to the directory later on to implement shared
filesystems (currently they use laptops with one local user account).
How would you structure such a DIT? Would you separate the users by
site? What about pupils and teachers? Should they be separated in their
own ou? When the pupils reach grade 7 they will change school, which
calls for a flat structure so that I do not have to move them around.
Maybe something like ou=People split into ou=Teachers and ou=Pupils?
Is that a suitable setup?
What advantages would a deeper structure (People and Group entries
separated by site) have?
My next issue is security. I plan to do the following:
- Use SSL/TLS between the clients and the server running OpenLDAP
- Use anonymous binding
- Use a simple ACL like this:
    access to attrs=userPassword
            by * auth
    access to *
            by * read
Is that a reasonable setup as long as I get the SSL setup correct?
Best regards,
Erling
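Added example (editor's, not the poster's configuration): a slapd.conf fragment that keeps the shape of the ACL proposed above but closes two gaps a reviewer would point out, namely that TLS is only optional unless slapd is told to require it, and that users cannot change their own passwords under "by * auth". It assumes the suffix dc=vagaskulen,dc=no from the post and a constructed read-only service account, cn=nss-reader, for the client hosts.

```conf
# Added example, not the poster's own config. slapd.conf fragment for OpenLDAP.
# Assumes suffix dc=vagaskulen,dc=no (from the post) and a constructed service
# account cn=nss-reader,ou=People,dc=vagaskulen,dc=no used as the clients' binddn.

# 1. Make TLS mandatory. Without this line StartTLS is merely offered: a client
#    that binds over plain ldap:// still sends the pupil's password in clear
#    across the WLAN link. ssf=128 rejects every operation, the bind included,
#    on a session with less than 128-bit protection.
security ssf=128

# 2. Password attribute: never readable by anyone. 'auth' only lets the value
#    be used to authenticate a bind (the posted rule already did this);
#    'self write' additionally lets a pupil change their own password.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 3. Everything else: the named read-only account for the client hosts and the
#    users themselves may read; anonymous clients may still bind to
#    authenticate but cannot browse the whole directory as the posted
#    "by * read" allowed.
access to *
        by dn.exact="cn=nss-reader,ou=People,dc=vagaskulen,dc=no" read
        by users read
        by * none
```

If the client hosts must keep binding anonymously (plain nss_ldap without a binddn), the last rule can be relaxed to "by anonymous read" on the posixAccount attributes only; the userPassword rule and the security line still stand on their own.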