LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
LinkBack Search this Thread
Old 12-10-2012, 11:01 PM   #1
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Ubuntu
Posts: 282

Rep: Reputation: 45
LDAP Organisation


Hi Everyone

I have a multi master LDAP+SSL+Host based ACL's, password Policy and Sudo rights system working fine, my question is more related to how do I organise my LDAP system.
Here is situation

1 - my domain example.com holds all my admin users and groups
ou=People,dc=example,dc=com
ou=Group,dc=example,dc=com

for example and all clients authenticate to this ldap server.


What I'd like to do now is have multiple sub organisational units, for example Lab A and Lab B.

which would contain the users, groups, sudo rights etc for each Lab.

So I'm assuming my DN would be something like

ou=People,dc=LabA,dc=exmaple,dc=com ?

How do setup Lab A's servers to only authenticate to Lab A's users, groups etc, without search any of Lab B's but of course still have all my admin users and groups have access to both A and B?




I'm not ensure sure this is the right approach so any advice or guidance, examples etc would be great to get me started.

Thanks

Keith
 
Old 12-11-2012, 09:40 AM   #2
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,090

Rep: Reputation: 41
So, first of all you dont have to put users and group in the People/Group ou's. You can make an ou called LabA and put users and groups in there. if you want a new dc then you would need a new ldap tree.
 
Old 12-11-2012, 03:11 PM   #3
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Ubuntu
Posts: 282

Original Poster
Rep: Reputation: 45
Hi Trey85stang,

Our LDAP systems is already pretty established now, so I'm reluctant to move the existing users and groups. So lets say I want to create a dc tree can you give an example of what you mean?
 
Old 12-12-2012, 12:03 PM   #4
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,090

Rep: Reputation: 41
so the same way you created your initial database, creating a new tree would be adding a new database to your slapd configuration.

Code:
database        bdb
suffix          "dc=mytoplevel,dc=com"
rootdn          "cn=Manager,dc=mytoplevel,dc=com"
rootpw          "supersecretpasswordthatnoonewilleverguesshopefullyyouencryptithereinsteadofusingplaintext"
directory       /var/lib/ldap/mytoplevel

#second tree
database        bdb
suffix          "dc=laba,dc=mytoplevel,dc=com"
rootdn          "cn=Manager,dc=laba,dc=mytoplevel,dc=com"
rootpw          "supersecretpasswordthatnoonewilleverguesshopefullyyouencryptithereinsteadofusingplaintext"
directory       /var/lib/ldap/laba.mytoplevel
 
Old 12-12-2012, 03:53 PM   #5
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Ubuntu
Posts: 282

Original Poster
Rep: Reputation: 45
Great, thanks for showing me that example, its totally clear now. So I'm going to setup my dc=laba,dc=mytoplevel,dc=com, and then under than create my users, groups etc.
Ok so with that part of my issues now clear, my second part comes to the Linux client authentication.
I want my client to be able to now authenticate any user in Laba and any user in my top level domain and of course no users from labb

Here is my current ldap.conf file for my client systems.
Code:
timelimit 15
bind_timelimit 5
ide_timelimit 30
URI ldaps://ldapserver01/ ldaps://ldapserver02/
BASE dc=example,dc=com
tls_cacertdir /etc/openldap/cacerts

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
bind_policy soft
tls_checkpeer yes
TLS_REQCERT allow
pam_check_host_attr yes
pam_password exop
pam_lookup_policy yes
sudoers_base   ou=SUDOers,dc=example,dc=com
I'm assuming here my Base needs to change, but I need some sort of search directive too??
 
Old 12-14-2012, 09:39 AM   #6
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,090

Rep: Reputation: 41
Quote:
Originally Posted by FragInHell View Post
Great, thanks for showing me that example, its totally clear now. So I'm going to setup my dc=laba,dc=mytoplevel,dc=com, and then under than create my users, groups etc.
Ok so with that part of my issues now clear, my second part comes to the Linux client authentication.
I want my client to be able to now authenticate any user in Laba and any user in my top level domain and of course no users from labb

Here is my current ldap.conf file for my client systems.
Code:
timelimit 15
bind_timelimit 5
ide_timelimit 30
URI ldaps://ldapserver01/ ldaps://ldapserver02/
BASE dc=example,dc=com
tls_cacertdir /etc/openldap/cacerts

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
bind_policy soft
tls_checkpeer yes
TLS_REQCERT allow
pam_check_host_attr yes
pam_password exop
pam_lookup_policy yes
sudoers_base   ou=SUDOers,dc=example,dc=com
I'm assuming here my Base needs to change, but I need some sort of search directive too??
Yes, Im not real good at writing them, but your going to want to search BASE, and your new base. Honestly though, this problem is why I suggested just making a new OU rather then a new tree.
 
Old 12-16-2012, 03:03 PM   #7
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Ubuntu
Posts: 282

Original Poster
Rep: Reputation: 45
Arh yes I can see your point.

I might look into

ou=laba,dc=exampledc=com

and then

ou=People,ou=laba,dc=example,dc=com

from there I think I can the specify in the ldap.conf file on the clients

nss_base_passwd = ou=People,ou=laba,dc=example,dc=com
 
  


Reply

Tags
ldap


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Intranet for small organisation is possible? rbk@rkitecht Linux - Server 1 03-10-2012 07:21 AM
[SOLVED] cvs2svn - repository organisation ShadyCraig Linux - Server 2 09-29-2010 08:33 AM
log organisation namit Linux - Security 10 01-05-2007 10:30 PM
Kerberos beyond one organisation zimolin Linux - Networking 0 09-09-2004 08:01 AM
organisation software tsitras Linux - Software 0 08-12-2004 07:47 AM


All times are GMT -5. The time now is 06:21 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration