LinuxQuestions.org
Old 12-10-2012, 11:01 PM   #1
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Rep: Reputation: 45
LDAP Organisation


Hi Everyone

I have a multi-master LDAP + SSL + host-based ACLs, password policy and sudo rights system working fine; my question is more related to how I organise my LDAP system.
Here is the situation:

1 - my domain example.com holds all my admin users and groups
ou=People,dc=example,dc=com
ou=Group,dc=example,dc=com

for example, and all clients authenticate to this LDAP server.


What I'd like to do now is have multiple sub organisational units, for example Lab A and Lab B, which would contain the users, groups, sudo rights etc. for each Lab.

So I'm assuming my DN would be something like

ou=People,dc=LabA,dc=example,dc=com ?

How do I set up Lab A's servers to only authenticate Lab A's users, groups etc., without searching any of Lab B's, but of course still have all my admin users and groups have access to both A and B?




I'm not entirely sure this is the right approach, so any advice or guidance, examples etc. would be great to get me started.

Thanks

Keith
 
Old 12-11-2012, 09:40 AM   #2
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Rep: Reputation: 41
So, first of all you don't have to put users and groups in the People/Group OUs. You can make an OU called LabA and put users and groups in there. If you want a new dc then you would need a new LDAP tree.
 
Old 12-11-2012, 03:11 PM   #3
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Original Poster
Rep: Reputation: 45
Hi Trey85stang,

Our LDAP system is already pretty established now, so I'm reluctant to move the existing users and groups. So let's say I want to create a dc tree; can you give an example of what you mean?
 
Old 12-12-2012, 12:03 PM   #4
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Rep: Reputation: 41
So, the same way you created your initial database, creating a new tree would be adding a new database to your slapd configuration.

Code:
database        bdb
suffix          "dc=mytoplevel,dc=com"
rootdn          "cn=Manager,dc=mytoplevel,dc=com"
rootpw          "supersecretpasswordthatnoonewilleverguesshopefullyyouencryptithereinsteadofusingplaintext"
directory       /var/lib/ldap/mytoplevel

#second tree
database        bdb
suffix          "dc=laba,dc=mytoplevel,dc=com"
rootdn          "cn=Manager,dc=laba,dc=mytoplevel,dc=com"
rootpw          "supersecretpasswordthatnoonewilleverguesshopefullyyouencryptithereinsteadofusingplaintext"
directory       /var/lib/ldap/laba.mytoplevel
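Added example, not from the thread or from any OpenLDAP code: a small Python model of how slapd routes a search to one of several database sections by the longest matching suffix, and what the `subordinate` directive (glue) changes. The point it shows is the one trey85stang raises later: with a second database for dc=laba,dc=mytoplevel,dc=com, a client whose BASE is dc=mytoplevel,dc=com never sees the Lab A entries unless the second database is declared subordinate. The entries and DNs are constructed; DN handling is simplified (no escaped commas or multi-valued RDNs).

```python
# Constructed model of slapd suffix routing; not OpenLDAP's own code.

def normalize_dn(dn):
    """Split a DN into lower-cased RDN strings, most specific first.
    Simplification: no support for escaped commas or multi-valued RDNs."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it in the tree."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


class Database:
    """One 'database' section of slapd.conf: a suffix and the entries it holds."""

    def __init__(self, suffix, subordinate=False, entries=()):
        self.suffix = suffix
        self.subordinate = subordinate   # the slapd.conf 'subordinate' directive
        self.entries = list(entries)


def select_database(databases, dn):
    """Route a DN to the database whose suffix is the longest match for it."""
    best = None
    for db in databases:
        if is_under(dn, db.suffix):
            if best is None or len(normalize_dn(db.suffix)) > len(normalize_dn(best.suffix)):
                best = db
    return best


def search_subtree(databases, base):
    """Subtree search: only the selected database answers, plus any
    subordinate (glued) databases whose suffix sits under the search base."""
    db = select_database(databases, base)
    if db is None:
        return []
    results = [e for e in db.entries if is_under(e, base)]
    for other in databases:
        if other is not db and other.subordinate and is_under(other.suffix, base):
            results.extend(e for e in other.entries if is_under(e, base))
    return results


def build_directory(glued):
    """Two databases as in the slapd.conf above, with one constructed user each.
    glued=True adds 'subordinate' to the second database."""
    top = Database("dc=mytoplevel,dc=com",
                   entries=["uid=keith,ou=People,dc=mytoplevel,dc=com"])
    laba = Database("dc=laba,dc=mytoplevel,dc=com", subordinate=glued,
                    entries=["uid=alice,ou=People,dc=laba,dc=mytoplevel,dc=com"])
    return [top, laba]


if __name__ == "__main__":
    for glued in (False, True):
        print("subordinate=%s:" % glued,
              search_subtree(build_directory(glued), "dc=mytoplevel,dc=com"))
```

Run as-is, the search from the top suffix returns only keith without glue and both users with it, while a search based at dc=laba,dc=mytoplevel,dc=com reaches alice either way. Declaring the second database with `subordinate` is what lets one top-level BASE cover both trees; keeping Lab A as an OU inside the existing tree avoids the question entirely.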
 
Old 12-12-2012, 03:53 PM   #5
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Original Poster
Rep: Reputation: 45
Great, thanks for showing me that example; it's totally clear now. So I'm going to set up my dc=laba,dc=mytoplevel,dc=com, and then under that create my users, groups etc.
OK, so with that part of my issues now clear, my second part comes to the Linux client authentication.
I want my client to be able to now authenticate any user in Laba and any user in my top level domain, and of course no users from labb.

Here is my current ldap.conf file for my client systems.
Code:
timelimit 15
bind_timelimit 5
idle_timelimit 30
URI ldaps://ldapserver01/ ldaps://ldapserver02/
BASE dc=example,dc=com
tls_cacertdir /etc/openldap/cacerts

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
bind_policy soft
tls_checkpeer yes
TLS_REQCERT allow
pam_check_host_attr yes
pam_password exop
pam_lookup_policy yes
sudoers_base   ou=SUDOers,dc=example,dc=com
I'm assuming here my BASE needs to change, but I need some sort of search directive too?
 
Old 12-14-2012, 09:39 AM   #6
trey85stang
Senior Member
 
Registered: Sep 2003
Posts: 1,091

Rep: Reputation: 41
Quote:
Originally Posted by FragInHell
Great, thanks for showing me that example; it's totally clear now. So I'm going to set up my dc=laba,dc=mytoplevel,dc=com, and then under that create my users, groups etc.
OK, so with that part of my issues now clear, my second part comes to the Linux client authentication.
I want my client to be able to now authenticate any user in Laba and any user in my top level domain, and of course no users from labb.

Here is my current ldap.conf file for my client systems.
Code:
timelimit 15
bind_timelimit 5
idle_timelimit 30
URI ldaps://ldapserver01/ ldaps://ldapserver02/
BASE dc=example,dc=com
tls_cacertdir /etc/openldap/cacerts

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
bind_policy soft
tls_checkpeer yes
TLS_REQCERT allow
pam_check_host_attr yes
pam_password exop
pam_lookup_policy yes
sudoers_base   ou=SUDOers,dc=example,dc=com
I'm assuming here my BASE needs to change, but I need some sort of search directive too?
Yes. I'm not real good at writing them, but you're going to want to search BASE, and your new base. Honestly though, this problem is why I suggested just making a new OU rather than a new tree.
 
Old 12-16-2012, 03:03 PM   #7
FragInHell
Member
 
Registered: Sep 2003
Location: Sydney Australia
Distribution: Redhat, Centos, Solaris, Ubuntu, SUSE
Posts: 282

Original Poster
Rep: Reputation: 45
Ah yes, I can see your point.

I might look into

ou=laba,dc=example,dc=com

and then

ou=People,ou=laba,dc=example,dc=com

From there I think I can then specify in the ldap.conf file on the clients

nss_base_passwd = ou=People,ou=laba,dc=example,dc=com
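Added example, not from the thread or from nss_ldap/pam_ldap: a Python model of the two client-side controls the last few posts touch on. It parses `nss_base_passwd base?scope` lines of the kind nss_ldap's ldap.conf accepts (more than one line is allowed, each with an optional `?base`, `?one` or `?sub` scope), resolves a uid only through those bases, and then applies the `pam_check_host_attr yes` rule from the posted ldap.conf: the entry's `host` attribute must list the client's hostname or `*`. The directory entries, hostnames and both client configurations are constructed for the example; DN parsing is simplified (no escaping, no filters in the search descriptor).

```python
# Constructed model of nss_ldap search bases plus pam_ldap's host check;
# not the code of either project.

def normalize_dn(dn):
    """Lower-cased RDN list, most specific first (no escaping support)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def rdn_depth_below(dn, base):
    """How many RDNs dn sits below base, or None if dn is not under base."""
    d, b = normalize_dn(dn), normalize_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)


def parse_nss_base(line):
    """'nss_base_passwd ou=People,dc=example,dc=com?one' -> (base, scope).
    Scope defaults to 'sub' when the ?scope part is absent."""
    base, _, scope = line.split(None, 1)[1].partition("?")
    return base, (scope or "sub")


def in_scope(dn, base, scope):
    depth = rdn_depth_below(dn, base)
    if depth is None:
        return False
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def lookup_user(client_conf, directory, uid):
    """Return the DN the client would resolve for uid, searching each
    nss_base_passwd line in order, or None if no base covers the entry."""
    for line in client_conf:
        if not line.startswith("nss_base_passwd"):
            continue
        base, scope = parse_nss_base(line)
        for dn, entry in directory.items():
            if entry["uid"] == uid and in_scope(dn, base, scope):
                return dn
    return None


def host_allowed(entry, client_hostname):
    """pam_check_host_attr: the host attribute must name this client or '*'."""
    hosts = entry.get("host", [])
    return "*" in hosts or client_hostname in hosts


def can_login(client_conf, directory, uid, client_hostname):
    """Combine the NSS lookup with the host-attribute gate (if enabled)."""
    dn = lookup_user(client_conf, directory, uid)
    if dn is None:
        return False, "not resolved by nss"
    if "pam_check_host_attr yes" in client_conf and not host_allowed(directory[dn], client_hostname):
        return False, "host attribute denies"
    return True, dn


# Constructed directory: one top-level admin, one Lab A user, one Lab B user.
DIRECTORY = {
    "uid=keith,ou=People,dc=example,dc=com": {"uid": "keith", "host": ["*"]},
    "uid=alice,ou=People,ou=laba,dc=example,dc=com": {"uid": "alice", "host": ["laba-srv01"]},
    "uid=bob,ou=People,ou=labb,dc=example,dc=com": {"uid": "bob", "host": ["labb-srv01"]},
}

# Constructed ldap.conf for a Lab A client: admins plus Lab A people only.
LABA_CLIENT_CONF = [
    "BASE dc=example,dc=com",
    "nss_base_passwd ou=People,dc=example,dc=com?one",
    "nss_base_passwd ou=People,ou=laba,dc=example,dc=com?one",
    "pam_check_host_attr yes",
]

# Constructed ldap.conf with a single wide base: resolves everyone, so only
# the host attribute keeps Lab B users off this Lab A box.
LOOSE_CLIENT_CONF = [
    "BASE dc=example,dc=com",
    "nss_base_passwd dc=example,dc=com?sub",
    "pam_check_host_attr yes",
]

if __name__ == "__main__":
    for conf_name, conf in (("laba", LABA_CLIENT_CONF), ("loose", LOOSE_CLIENT_CONF)):
        for uid in ("keith", "alice", "bob"):
            print(conf_name, uid, can_login(conf, DIRECTORY, uid, "laba-srv01"))
```

The two configurations make the division of labour visible: the `nss_base_passwd` lines decide which entries a Lab A client can even resolve, so Lab B users are simply invisible to it, while the `host` attribute is what actually refuses a login when a client is configured too widely. Scoping on the client is not enforced by the server, so the host attribute (or server-side ACLs) remains the control to rely on. One further note on the posted ldap.conf: `TLS_REQCERT allow` tells the library to continue when the server certificate cannot be verified, so `tls_checkpeer yes` only checks the certificate in practice when `TLS_REQCERT demand` is used instead.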