LinuxQuestions.org
Linux - Server
#1 - 09-19-2018, 06:51 AM - Obig (LQ Newbie, registered May 2008, 21 posts)
OpenLDAP structure for use with multiple applications


Hi all,

I'm thinking about the best way to organise my DIT in openldap on a CentOS7 for use with multiple applications.

The problem is that when you create an OU for groups, other applications can see all the groups, and that might get messy as there'll be a lot of groups.

Example

dc=example,dc=com
ou=group
ou=people

If we create entries for authorisation groups under ou=group, and create the uids for authentication under People, we would need to bind to the DN example.com, as we need to access both people for logging in and group for authorizing access.

As you can imagine, if I want to select a group of proxy users, I don't want to see all VPN groups, Application groups and so on.

If working with multiple branches (and countries), what would be the easiest way to organise the groups and users (logins)?

I haven't got a lot of experience with openldap structuring, as you might notice, so any ideas are welcome.

Also, in the future we would migrate to samba4 with AD, but I read that it isn't recommended to use an external LDAP for samba. Is there any way of creating the users on an external LDAP server and keeping them in sync with the LDAPI of samba4?

I appreciate all input. Thanks in advance.
#2 - 09-27-2018, 08:28 AM - /dev/random (Member, registered Aug 2012, Ontario, Canada; Slackware 14.2, LFS-current, NetBSD 6.1.3, OpenIndiana; 319 posts)
The best way I have found is to only bind a group to your application, instead of the entire directory. That way the application can only see what's in the group.
#3 - 09-28-2018, 03:22 AM - Obig (LQ Newbie, Original Poster, 21 posts)
Yes, I thought about creating OUs with the groups and users in them. But then I might need a user in a sub-OU or group that I need to authenticate in another application, where I configure another sub-OU or group. So I would need to duplicate the users. Or is there another way to create some sort of link for a user to be in multiple OUs for authentication? If I needed to delete a user, for instance, I'd want to just delete it once and not have to look in which sub-OUs it is also located.

Thanks a lot!
#4 - 10-12-2018, 08:01 PM - /dev/random (Member, 319 posts)
You wouldn't need to duplicate the users... do something like this:

OU=Group1
OU=Users

Keep all the users in Users and make whichever user you want part of another group; this way it won't matter. If we made a subgroup in Group1 called SubGroup1 and just added random users to that SubGroup, it would work just fine. You don't duplicate users; you just add whatever users you want to whatever (sub)groups and then map that group to the application via LDAP bind.
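The layout the reply describes, written out as LDIF together with the slapd ACLs that make it work. This is an added example, not code from the thread or from OpenLDAP's own documentation; it assumes OpenLDAP 2.4 with cn=config on CentOS 7, a user database at olcDatabase={2}hdb (check with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase`), and the names dc=example,dc=com, svc-proxy, svc-vpn and alice, all of which are made up for illustration. The security-relevant point is that an application never "binds to a group": it binds as its own service-account DN, and the olcAccess rules decide which subtrees that DN can read. Users are stored once under ou=people; each application's groups live in their own sub-OU under ou=groups, and the application's service account can read ou=people plus only its own group sub-OU. slapd evaluates olcAccess rules in order and stops at the first `to` clause that matches the entry and attribute, so the userPassword rule must come before the subtree rules.

```ldif
# --- tree.ldif: constructed sample, load with ldapadd as the rootdn
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=services,dc=example,dc=com
objectClass: organizationalUnit
ou: services

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: ou=proxy,ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: proxy

dn: ou=vpn,ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: vpn

# One user entry; membership lives in the groups, never in a copied user
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
userPassword: {SSHA}replace-with-slappasswd-output

# One service account per application (password hashes are placeholders)
dn: cn=svc-proxy,ou=services,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: svc-proxy
userPassword: {SSHA}replace-with-slappasswd-output

dn: cn=svc-vpn,ou=services,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: svc-vpn
userPassword: {SSHA}replace-with-slappasswd-output

# The same user in a proxy group and a VPN group, in different sub-OUs
dn: cn=proxy-users,ou=proxy,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: proxy-users
gidNumber: 20001
memberUid: alice

dn: cn=vpn-users,ou=vpn,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: vpn-users
gidNumber: 20002
memberUid: alice

# --- acl.ldif: apply with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
# Continuation lines start with two spaces: LDIF strips the first one,
# the second keeps "userPassword" and "by" from running together.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=svc-proxy,ou=services,dc=example,dc=com" read
  by dn.exact="cn=svc-vpn,ou=services,dc=example,dc=com" read
  by self read
  by * none
olcAccess: {2}to dn.subtree="ou=proxy,ou=groups,dc=example,dc=com"
  by dn.exact="cn=svc-proxy,ou=services,dc=example,dc=com" read
  by * none
olcAccess: {3}to dn.subtree="ou=vpn,ou=groups,dc=example,dc=com"
  by dn.exact="cn=svc-vpn,ou=services,dc=example,dc=com" read
  by * none
olcAccess: {4}to *
  by self read
  by * none
```

With these rules an application does its usual two steps: bind as its service account, search `ou=people,dc=example,dc=com` for `(uid=alice)` to get the user's DN, then bind as that DN with the password the user typed (rule {0} grants `auth` to anonymous, which is what a simple bind needs) and look up `cn=proxy-users` under its own group sub-OU. The rootdn bypasses ACLs, so test as the service accounts: `ldapsearch -x -D cn=svc-vpn,ou=services,dc=example,dc=com -W -b ou=proxy,ou=groups,dc=example,dc=com` must return nothing, and `slapacl -b cn=proxy-users,ou=proxy,ou=groups,dc=example,dc=com -D cn=svc-vpn,ou=services,dc=example,dc=com memberUid/read` lets you check a single rule offline without binding. If an application can only be given one search base, it needs `search` on the `entry` pseudo-attribute of the suffix, e.g. `to dn.base="dc=example,dc=com" attrs=entry by users search` placed before rule {4}; the subtree rules still hide everything it is not granted.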
#5 - 10-16-2018, 02:51 AM - Obig (LQ Newbie, Original Poster, 21 posts)
Hi,

I tried that, but if I bind the group I can't authenticate my user anymore, as the bind is only towards the group (I suppose).
I added the memberOf overlay, as it posed problems with a proxy server otherwise. But even with that, it doesn't authenticate the user in my group if I don't bind to the top level so it can also bind to the users OU.
#6 - 10-16-2018, 04:13 PM - /dev/random (Member, 319 posts)
Quote: Originally Posted by Obig
Hi,

I tried that, but if I bind the group I can't authenticate my user anymore, as the bind is only towards the group (I suppose).
I added the memberOf overlay, as it posed problems with a proxy server otherwise. But even with that, it doesn't authenticate the user in my group if I don't bind to the top level so it can also bind to the users OU.

What program are you trying to make work with LDAP?


For the group filter I do something like this...
(&(objectclass=posixGroup) (cn=somegroup) (memberUid=*))

This works for me (all my groups always have the posixGroup attribute; this is not really important, you can bind to any attribute if you want).
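The reply's filter matches a posixGroup by cn and memberUid, while the earlier post mentions the memberOf overlay; the two do not combine the way one might expect. Below is an added example, not from the thread or from the OpenLDAP project, of how the overlay is wired into cn=config on CentOS 7 and what it does and does not maintain. It assumes the same constructed names as the tree above (dc=example,dc=com, ou=proxy under ou=groups, service account cn=svc-proxy, user alice), a database at olcDatabase={2}hdb, no existing cn=module entry, and the packaged module path /usr/lib64/openldap. Two caveats a practitioner wants: the overlay only populates memberOf from DN-valued member attributes (groupOfNames/member by default; posixGroup/memberUid values are strings, not DNs, and are ignored), and memberOf on a user entry lists that user's groups across every application, so an ACL is needed to stop one application's service account from reading another application's memberships.

```ldif
# --- memberof.ldif: apply with ldapmodify -Y EXTERNAL -H ldapi:/// -f memberof.ldif
# Load the overlay module. If cn=module{0},cn=config already exists,
# use "changetype: modify" / "add: olcModuleLoad" against it instead.
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la

# Attach the overlay to the user database. It keeps memberOf on the
# entries named in a group's member attribute (DN syntax); memberUid
# values on posixGroup entries are never reflected.
dn: olcOverlay=memberof,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

# memberOf is computed only for group writes made after the overlay is
# active; groups that already exist must be re-added. A DN-valued group
# (constructed name) for the proxy application:
dn: cn=proxy-admins,ou=proxy,ou=groups,dc=example,dc=com
changetype: add
objectClass: groupOfNames
cn: proxy-admins
member: uid=alice,ou=people,dc=example,dc=com

# Inserted at index {1} so it sorts before any rule granting read on the
# whole ou=people subtree (first matching "to" clause wins). svc-proxy may
# see only memberOf values that point into its own sub-OU; the user sees
# all of them; nobody else sees any. The val.regex qualifier is the
# per-value form from slapd.access(5).
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=memberOf val.regex=",ou=proxy,ou=groups,dc=example,dc=com$"
  by dn.exact="cn=svc-proxy,ou=services,dc=example,dc=com" read
  by self read
  by * none
olcAccess: {2}to attrs=memberOf
  by self read
  by * none
```

Once the overlay is active, the authorization check collapses to a single search under the users' OU, which is what a proxy that can take only one base wants: `ldapsearch -x -D cn=svc-proxy,ou=services,dc=example,dc=com -W -b ou=people,dc=example,dc=com "(&(uid=alice)(memberOf=cn=proxy-admins,ou=proxy,ou=groups,dc=example,dc=com))" memberOf`. memberOf has to be named explicitly in the attribute list because the overlay registers it as an operational attribute. Verify the rule order afterwards with `ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={2}hdb,cn=config olcAccess`; if the database currently has fewer than two olcAccess values, adjust the {1}/{2} indexes so the memberOf rules still precede any `dn.subtree="ou=people,..."` rule.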
Tags: openldap, samba4