LDP
/
LDP
mirror of https://github.com/tLDP/LDP
0
1
Fork 0
Code Releases Activity
LDP/LDP/retired/Ldap-Implementation-HOWTO/Ldap-Implementation-HOWTO.sgml

92 lines
8.9 KiB
Plaintext
Raw Permalink Blame History

<!doctype article public "-//OASIS//DTD DocBook V4.1//EN"
[
<!entity header system "header.sgml">
<!entity sectionpamnss SYSTEM "section-pamnss.sgml">
<!entity sectionsasl SYSTEM "section-sasl.sgml">
<!entity sectionradius SYSTEM "section-radius.sgml">
<!entity sectionsamba SYSTEM "section-samba.sgml">
<!entity sectiondns SYSTEM "section-dns.sgml">
<!entity sectionsendmail SYSTEM "section-sendmail.sgml">
<!entity sectionaddress SYSTEM "section-address.sgml">
<!entity sectionroaming SYSTEM "section-roaming.sgml">
<!entity sectioncertificates SYSTEM "section-certificates.sgml">
<!entity sectionssl SYSTEM "section-ssl.sgml">
<!entity sectionsecurity SYSTEM "section-security.sgml">
<!entity sectionperformance SYSTEM "section-performance.sgml">
<!entity sectionttt SYSTEM "section-ttt.sgml">
<!entity sectionschemas SYSTEM "section-schemas.sgml">
<!entity sectionfiles SYSTEM "section-files.sgml">
<!entity fileslapdconf SYSTEM "lih-slapd.conf">
<!entity fileldapconf SYSTEM "lih-ldap.conf">
<!entity fileschema SYSTEM "lih-schema.conf">
<!entity fileldifstructure SYSTEM "lih-structure.ldif">
]>
<ARTICLE ID="INDEX"><articleinfo><TITLE>LDAP Implementation HOWTO</TITLE>
<PUBDATE>v0.4 02 Feb, 2001</PUBDATE>
<AUTHOR><FIRSTNAME>Roel</FIRSTNAME>
<OTHERNAME>van</OTHERNAME>
<SURNAME>Meer</SURNAME>
<AFFILIATION><ORGNAME><ULINK URL="http://www.linvision.com">Linvision BV</ULINK></ORGNAME>
<ADDRESS FORMAT="LINESPECIFIC"><EMAIL>r.vanmeer@linvision.com</EMAIL></ADDRESS></AFFILIATION></AUTHOR>
<AUTHOR><FIRSTNAME>Giuseppe</FIRSTNAME>
<OTHERNAME>Lo</OTHERNAME>
<SURNAME>Biondo</SURNAME>
<AFFILIATION><ORGNAME><ULINK
URL="http://www.mi.infn.it">INFN MI</ULINK></ORGNAME>
<ADDRESS FORMAT="LINESPECIFIC"><EMAIL>giuseppe.lobiondo@mi.infn.it</EMAIL></ADDRESS></AFFILIATION></AUTHOR>
<ABSTRACT><PARA>We are trying to use Ldap as a central database to store all users-related information. This document describes the process of HOW TO do this. Currently supported are the standard pam-authenticated login services, usage of a company-wide addressbook, and the storage of sendmails routing information.</PARA></ABSTRACT>
<REVHISTORY>
<REVISION><REVNUMBER>0.4</REVNUMBER>
<DATE>Feb 02, 2001</DATE>
<AUTHORINITIALS>rvm</AUTHORINITIALS>
<REVREMARK>Added dns section.</REVREMARK></REVISION>
<REVISION><REVNUMBER>0.3</REVNUMBER>
<DATE>Jan 18, 2001</DATE>
<AUTHORINITIALS>rvm</AUTHORINITIALS>
<REVREMARK>Added MTA sections.</REVREMARK></REVISION>
<REVISION><REVNUMBER>0.2</REVNUMBER>
<DATE>Nov 12, 2000</DATE>
<AUTHORINITIALS>glb</AUTHORINITIALS>
<REVREMARK>Improved section on nss. Added sections about certificates and wrappers.</REVREMARK></REVISION>
</REVHISTORY></articleinfo>
<SECT1 ID="OVERVIEW"><TITLE>Overview</TITLE>
<SECT2><TITLE>Why?</TITLE>
<PARA>The main goal of this project is to create a single place where all information is stored about users and their accounts, whether it be unix login, NT domain logon or printer access, if people have email or ftp accounts. Right now it is all stored in just too many files, like <FILENAME MOREINFO="NONE">/etc/passwd</FILENAME>, <FILENAME MOREINFO="NONE">/etc/group</FILENAME>, <FILENAME MOREINFO="NONE">smbpasswd</FILENAME> and <FILENAME MOREINFO="NONE">aliases</FILENAME>, just to name a few.</PARA>
<PARA>That means that right now, when your sysadmin has to give someone an account, all these files need to be updated, a number of tools need to be executed, and this implies, especially when the system becomes more extensive, a detailed level of knowledge of all these services and how to manage them. When all information is stored in a single place, only one tool is needed to maintain your system. This has a few advantages. It is easier and less time-consuming to maintain user accounts on a system, so now someone with limited knowledge of the systems internal structure can do this. Additionally, it is possible to change the services or the internal services, without having to change the way user accounts are managed.</PARA>
<PARA>A third advantage of this is that roaming accesss can be easily configured. If a database already exists with records of all your users, a little more data can easily be added. Of course, this argument is only valid if you already did the actual work and installed the bunch... </PARA></SECT2>
<SECT2><TITLE>How?</TITLE>
<PARA>In short: LDAP. A little less short: The Lightweight Directory Access Protocol is the database in which all the information will be stored. It has a directory-based structure, which means you can store information in it through a directory or tree structure. You can store about anything you want in it. And this has the advantage that when something new comes into play it is very likely that the additional information that needs to be stored can be seamlessly merged with the existing data. </PARA>
<PARA>Another advantage is the scaleability that Ldap provides. Ldap databases can be easily replicated, so it would be possible to have multiple ldap servers all replicating from a master server. This improves the reliability, and it creates the possibility to devide the load on larger networks between different servers.</PARA></SECT2>
<SECT2><TITLE>What?</TITLE>
<PARA>Most of the common services can be authenticated through PAM, Pluggable Authentication Modules. With the pam_ldap and nss_ldap modules, all pamified programs can get their information from LDAP. More information about PAM in general can be found on <ULINK URL="http://www.kernel.org/pub/linux/libs/pam/">the Linux-PAM site</ULINK>. Information about pam_ldap and nss_ldap can be found on the <ULINK URL="http://www.padl.com">padl software</ULINK> site.</PARA>
<PARA>For Samba, things are a little difficult at this moment. The current stable Samba versions do not have Ldap support. Ldap support can be found in the HEAD and TNG branch, and probably also in the combined tree. The problem is that samba has it's own usernames and passwords. It does have usage for PAM, in fact, but that is not sufficient to do all the authentication and retrieval of user information. Because the implementation of LDAP in samba is not fully finished yet, there are a few limitations to the use of ldap with samba. From my experiences, the HEAD is at this time (early June 2000) not stable enough, and the performance is unsatisfying. However, when the ldap support is fully functional in the new releases, samba too can be configured to get all of it's user information from ldap.</PARA>
<PARA>Another thing that can be stored into an ldap database is DNS. When the amount of machines connected to your network increases, it is no longer feasable to edit the DNS files by hand. When machine accounts are stored into ldap, two simple DNS entries (one for the lookup, and one for the reverse lookup) can easily be added at the same time. This too provides a simplification of system management. Although the storage of DNS entries in an ldap database may not be neccesary, for most systems (this depends for example on your network layout, and the way you use dhcp), it may prove useful to some people.</PARA>
<PARA>Since sendmail version 8.9 (see <ULINK URL="http://www.sendmail.net/">sendmail.net</ULINK> for more details), sendmail has Ldap support. When setting up an email system which has multiple mailhosts and or fallback hosts, it is convenient to store all the information in one place. Normally, every system needs to be configured separately, with the same information. When using ldap, this can be avoided.</PARA>
<PARA>Roaming access can also be used with LDAP. Netscape versions 4.5 and up have the possibility to store user data like bookmarks and such via an HTML or LDAP server. This gives users their good old preferences, wherever they log in and use Netscape.</PARA>
<PARA>Microsoft's office programs can import address books. Thay can also use an Active Directory service to automagically match emailaddresses to user names or nicknames. With Ldap this can be done on a Linux system, without the need for Microsoft Exchange Server or something the like.</PARA></SECT2>
<SECT2><TITLE>Disclaimer</TITLE>
<PARA>This document is provided as is and should be considered as a work in progress. Several sections are as yet unfinished, and probably a lot of things that should be in here, aren't. I would greatly appreciate any comments on this document, of whatever nature they may be.</PARA>
<PARA>In any case, think before you go messing around with your system and don't come to me if it breaks.</PARA></SECT2>
<SECT2><TITLE>Copyright and license</TITLE>
<PARA>Copyright (c) by Roel van Meer, Giuseppe Lo Biondo. This document
may be distributed only subject to the terms and conditions set forth in
the LDP License at the <ULINK URL="http://www.linuxdoc.org/COPYRIGHT.html">Linux Documentation Project</ULINK>.</PARA></SECT2></SECT1>
&sectionpamnss;
&sectionsasl;
&sectionradius;
&sectionsamba;
&sectiondns;
&sectionsendmail;
&sectionaddress;
&sectionroaming;
&sectioncertificates;
&sectionssl;
&sectionsecurity;
&sectionperformance;
&sectionttt;
&sectionschemas;
&sectionfiles;
</ARTICLE>
View Git Blame Copy Permalink