Linux - General: This Linux forum is for general Linux questions and discussion. If it is Linux related and doesn't seem to fit in any other forum, then this is the place.
I have a multi-master LDAP+SSL+host-based ACLs, password policy and sudo rights system working fine; my question is more related to how I organise my LDAP system.
Here is the situation:
1 - my domain example.com holds all my admin users and groups
ou=People,dc=example,dc=com
ou=Group,dc=example,dc=com
for example, and all clients authenticate to this LDAP server.
What I'd like to do now is have multiple sub-organisational units, for example Lab A and Lab B,
which would contain the users, groups, sudo rights etc. for each lab.
So I'm assuming my DN would be something like
ou=People,dc=LabA,dc=example,dc=com ?
How do I set up Lab A's servers to only authenticate Lab A's users, groups etc., without searching any of Lab B's, but of course still have all my admin users and groups have access to both A and B?
I'm not sure this is the right approach, so any advice or guidance, examples etc. would be great to get me started.
So, first of all, you don't have to put users and groups in the People/Group OUs. You can make an OU called LabA and put users and groups in there. If you want a new dc, then you would need a new LDAP tree.
Our LDAP system is already pretty established now, so I'm reluctant to move the existing users and groups. So let's say I want to create a dc tree; can you give an example of what you mean?
Great, thanks for showing me that example, it's totally clear now. So I'm going to set up my dc=laba,dc=mytoplevel,dc=com, and then under that create my users, groups etc.
Ok so with that part of my issues now clear, my second part comes to the Linux client authentication.
I want my client to be able to now authenticate any user in laba and any user in my top-level domain, and of course no users from labb.
Here is my current ldap.conf file for my client systems.
I'm assuming here my Base needs to change, but I need some sort of search directive too??
Yes, I'm not real good at writing them, but you're going to want to search BASE and your new base. Honestly though, this problem is why I suggested just making a new OU rather than a new tree.
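As an added example (not from anyone in this thread), here is a client configuration that looks up users, groups and sudo rules in the top-level tree and in Lab A's tree only, so nothing from Lab B is ever searched; it assumes the client runs nss-pam-ldapd (nslcd) plus sudo's LDAP backend rather than the older nss_ldap ldap.conf, and the server hostname and CA path are placeholders.

```conf
# --- /etc/nslcd.conf (constructed example; hostname and CA path are placeholders) ---
uid nslcd
gid nslcd
uri ldaps://ldap.mytoplevel.com/
ssl on
tls_cacertfile /etc/ssl/certs/mytoplevel-ca.crt
tls_reqcert demand

# Default base, used for any map without its own base lines below.
base dc=mytoplevel,dc=com

# Multiple base lines per map are searched in order: the top-level
# admin users/groups first, then Lab A's tree. Lab B is never listed.
base passwd ou=People,dc=mytoplevel,dc=com
base passwd ou=People,dc=laba,dc=mytoplevel,dc=com
base shadow ou=People,dc=mytoplevel,dc=com
base shadow ou=People,dc=laba,dc=mytoplevel,dc=com
base group  ou=Group,dc=mytoplevel,dc=com
base group  ou=Group,dc=laba,dc=mytoplevel,dc=com

# Limit each search to the OU itself so a stray subtree is not picked up.
scope passwd one
scope shadow one
scope group  one

# --- /etc/sudo-ldap.conf (constructed example) ---
# sudo queries each sudoers_base in the order given.
uri ldaps://ldap.mytoplevel.com/
ssl on
tls_cacertfile /etc/ssl/certs/mytoplevel-ca.crt
sudoers_base ou=SUDOers,dc=mytoplevel,dc=com
sudoers_base ou=SUDOers,dc=laba,dc=mytoplevel,dc=com
```

These base lines only scope what the client asks for; a Lab A host that knows Lab B's DN can still query it unless the server-side (host-based) ACLs deny that, so those ACLs remain the actual boundary.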