LinuxQuestions.org > Linux - Server > OpenLDAP structure for use with multiple applications
(https://www.linuxquestions.org/questions/linux-server-73/openldap-structure-for-use-with-multiple-applications-4175638711/)

Obig 09-19-2018 06:51 AM

OpenLDAP structure for use with multiple applications
 
Hi all,

I'm thinking about the best way to organise my DIT in OpenLDAP on CentOS 7 for use with multiple applications.

The problem is that when you create an OU for groups, other applications can see all the groups, and that might get messy as there'll be a lot of groups.

Example

dc=example,dc=com
ou=group
ou=people

If we create entries for authorisation groups under ou=group, and create the uids for authentication under People, we would need to bind to the DN example.com, as we need to access both people for logging in and group for authorizing access.

As you can imagine, if I want to select a group of proxy users, I don't want to see all VPN groups, Application groups and so on.

If working with multiple branches (and countries), what would be the easiest way to organise the groups and users (logins)?

I haven't got a lot of experience with OpenLDAP structuring, as you might notice, so any ideas are welcome.

Also, in the future we would migrate to samba4 with AD, but I read that it isn't recommended to use an external LDAP for samba. Is there any way of creating the users on an external LDAP server and keeping them in sync with the LDAPI of samba4?

I appreciate all input. Thanks in advance.

/dev/random 09-27-2018 08:28 AM

The best way I have found is to only bind a group to your application, instead of the entire directory. That way the application can only see what's in the group.

Obig 09-28-2018 03:22 AM

Yes, I thought about creating OUs with the groups and users in them. But then I might have the need of a user in a sub OU or group that I need to authenticate in another application where I configure another sub OU or group. So I would need to duplicate the users. Or is there another way to create some sort of link for a user to be in multiple OUs for authentication? If I'd need to delete a user, for instance, I could just delete it once and not have to look in which sub OUs it is also located.

Thanks a lot!

/dev/random 10-12-2018 08:01 PM

You wouldn't need to duplicate the users... do something like this:

OU=Group1
OU=Users

Keep all the users in Users and make whichever user you want part of another group; this way it won't matter. If we made a subgroup in Group1 called SubGroup1 and just added random users to that SubGroup, it would work just fine. You don't duplicate users, you just add whatever users you want to whatever (sub)groups and then map that group to the application via LDAP bind.

Obig 10-16-2018 02:51 AM

Hi,

I tried that, but if I bind the group I can't authenticate my user anymore, as the bind is only towards the group (I suppose).
I added the memberOf overlay as it posed problems with a proxy server otherwise. But even with that, it doesn't authenticate the user in my group if I don't bind to the top level so it can also bind to the users OU.

/dev/random 10-16-2018 04:13 PM

Quote:

Originally Posted by Obig (Post 5915287)
Hi,

I tried that, but if I bind the group I can't authenticate my user anymore, as the bind is only towards the group (I suppose).
I added the memberOf overlay as it posed problems with a proxy server otherwise. But even with that, it doesn't authenticate the user in my group if I don't bind to the top level so it can also bind to the users OU.

What program are you trying to make with ldap?


For the group filter I do something like this (no whitespace between the filter components, as RFC 4515 filter syntax does not allow it):
(&(objectClass=posixGroup)(cn=somegroup)(memberUid=*))

This works for me (all my groups always have the posixGroup attribute; this is not really important, you can bind to any attribute if you want).
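The search-then-bind flow the thread is circling (authenticate against ou=people, then authorize with the posixGroup filter above), as an added example that is not from either poster: a Python model over constructed sample entries, with the uid escaped per RFC 4515 before it goes into the filter. The entry data and the group names are assumptions; a real application would send the same filters to OpenLDAP with ldapsearch or a client library.

```python
"""Search-then-bind plus group check over an in-memory model of the DIT
suggested in the thread: accounts under ou=people, posixGroups under ou=groups.
All entries below are constructed sample data, not a real directory."""
import hmac

# Constructed: one user branch, two application-specific groups.
PEOPLE = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "pw": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "pw": "hunter2"},
}
GROUPS = {
    "cn=proxy-users,ou=groups,dc=example,dc=com": {"memberUid": {"alice"}},
    "cn=vpn-users,ou=groups,dc=example,dc=com": {"memberUid": {"alice", "bob"}},
}

# RFC 4515 escapes for characters that would otherwise change filter structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter's logic."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def group_filter(group_cn, uid):
    """The authorization filter from the thread, narrowed to one uid."""
    return "(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))" % (
        escape_filter_value(group_cn), escape_filter_value(uid))

def find_user_dn(uid):
    """Step 1: service-account search of ou=people for (uid=...); DN or None."""
    for dn, attrs in PEOPLE.items():
        if attrs["uid"] == uid:
            return dn
    return None

def user_bind(dn, password):
    """Step 2: simple bind as the user's own DN (this is the authentication)."""
    entry = PEOPLE.get(dn)
    return entry is not None and hmac.compare_digest(entry["pw"], password)

def in_group(uid, group_cn):
    """Step 3: does the group entry list the uid in memberUid (authorization)."""
    dn = "cn=%s,ou=groups,dc=example,dc=com" % group_cn
    return uid in GROUPS.get(dn, {}).get("memberUid", set())

def authorize(uid, password, group_cn):
    """Full flow an application would run; False as soon as any step fails."""
    dn = find_user_dn(uid)
    return dn is not None and user_bind(dn, password) and in_group(uid, group_cn)
```

Binding the application to the group entry alone, as described earlier in the thread, cannot replace step 2: the user's password is only checked by a bind as that user's own DN, so the service account needs read access to ou=people as well as ou=groups.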

