I have a multi-master LDAP + SSL + host-based ACLs, password policy and sudo rights system working fine; my question is more related to how I organise my LDAP system.
Here is the situation:
1 - my domain example.com holds all my admin users and groups
for example and all clients authenticate to this ldap server.
What I'd like to do now is have multiple sub organisational units, for example Lab A and Lab B, which would contain the users, groups, sudo rights etc. for each lab.
So I'm assuming my DN would be something like
How do I set up Lab A's servers to only authenticate to Lab A's users, groups etc., without searching any of Lab B's, but of course still have all my admin users and groups have access to both A and B?
I'm not even sure this is the right approach, so any advice or guidance, examples etc. would be great to get me started.
So, first of all, you don't have to put users and groups in the People/Group OUs. You can make an OU called LabA and put users and groups in there. If you want a new dc then you would need a new LDAP tree.
Our LDAP system is already pretty established now, so I'm reluctant to move the existing users and groups. So let's say I want to create a dc tree, can you give an example of what you mean?
So, the same way you created your initial database, creating a new tree would be adding a new database to your slapd configuration.
Great, thanks for showing me that example, it's totally clear now. So I'm going to set up my dc=laba,dc=mytoplevel,dc=com, and then under that create my users, groups etc.
Ok so with that part of my issues now clear, my second part comes to the Linux client authentication.
I want my client to be able to now authenticate any user in Laba and any user in my top-level domain, and of course no users from labb.
Here is my current ldap.conf file for my client systems.
Ah yes, I can see your point.
I might look into
From there I think I can then specify in the ldap.conf file on the clients:
nss_base_passwd = ou=People,ou=laba,dc=example,dc=com
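
An added example, not part of the thread: a check of which account DNs fall inside a client's `nss_base_passwd` search bases, using the ou=laba layout from the last post, with a whole-tree base shown beside the scoped one. The sample entries, the second base for the top-level admins, the `?one`/`?sub` scope suffixes and the default scope of `sub` are assumptions made for the example.

```python
import re

def parse_dn(dn):
    """Split a DN into normalized RDNs (lower-cased, whitespace-trimmed)."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def parse_bases(conf_text, key="nss_base_passwd"):
    """Return [(base_rdns, scope)] for every `key` line in an ldap.conf text.
    Accepts "key value" and the "key = value" form written in the post.
    A missing scope is treated as 'sub' (assumption for this example).
    """
    pattern = re.compile(rf"{re.escape(key)}(?:\s*=\s*|\s+)(\S.*)$")
    bases = []
    for line in conf_text.splitlines():
        m = pattern.match(line.split("#", 1)[0].strip())
        if m:
            fields = m.group(1).strip().split("?")
            scope = fields[1].lower() if len(fields) > 1 and fields[1] else "sub"
            bases.append((parse_dn(fields[0]), scope))
    return bases

def in_scope(dn, base, scope):
    """True if `dn` would be returned by a search at `base` with `scope`."""
    rdns = parse_dn(dn)
    extra = len(rdns) - len(base)
    if extra < 0 or rdns[extra:] != base:
        return False                      # dn is not under this base at all
    return {"base": extra == 0, "one": extra == 1}.get(scope, True)

def visible(conf_text, dns):
    """DNs that fall inside at least one configured passwd search base."""
    bases = parse_bases(conf_text)
    return [dn for dn in dns if any(in_scope(dn, b, s) for b, s in bases)]

# Constructed sample data, following the ou=laba layout from the post.
ENTRIES = [
    "uid=admin1,ou=People,dc=example,dc=com",
    "uid=alice,ou=People,ou=laba,dc=example,dc=com",
    "uid=bob,ou=People,ou=labb,dc=example,dc=com",
]
SCOPED = """
nss_base_passwd ou=People,ou=laba,dc=example,dc=com?one
nss_base_passwd ou=People,dc=example,dc=com?one
"""
BROAD = "nss_base_passwd dc=example,dc=com?sub"   # whole tree: Lab B leaks in

if __name__ == "__main__":
    print("scoped:", visible(SCOPED, ENTRIES))
    print("broad: ", visible(BROAD, ENTRIES))
```

This models client-side search scoping only; the directory's own ACLs decide what a bound client can actually read.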