The ungleich LDAP guide


This article is IN PROGRESS.


The ldap servers are and

  • All LDAP servers are running in pairs and are using LDAP replication.
  • Servers can only be contacted using ldap:// with TLS (StartTLS, the -Z flag of ldapsearch)
    • Version 1 servers also support ldaps://

Search all elements

ldapsearch -H ldap://<LDAPSERVER> -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD

Use -ZZ instead of -Z so that ldapsearch aborts instead of continuing in cleartext when StartTLS cannot be negotiated, and -W instead of -w PASSWORD to be prompted for the password so it does not end up in the shell history or the process list.

Setting up new servers

The cdist type "__ungleich_ldap" can be used to set up new pairs of LDAP servers. After configuring the host,

LDAP Trees & application permissions

  • dc=ungleich,dc=ch - root
    • ou=customers,dc=ungleich,dc=ch
      • Everyone can create an account in here => maybe it should be named publicusers?
      • Have access to
        • ssh jumphost(s)
    • ou=users,dc=ungleich,dc=ch
      • Internal users
      • Employees
      • Additional access to ...

Adding users to ldap

There is a webgui at:
The manager's credentials are in pass.

To be clarified

Before this document goes into production, we need to clarify:

  • Can we base permissions on groups for our applications?
    • yes -> we should have all users under the same tree
    • no -> need different trees
  • Can we handle ssh keys for our users in LDAP?
  • Where do we implement password recovery methods?
    • do we implement this for all users or do we exclude staff?
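The first open question above (group-based permissions versus separate trees) and the tree layout in "LDAP Trees & application permissions" are easier to reason about with a concrete check in front of you. The following is an added example, not code from the ungleich wiki or from cdist: a minimal LDIF parser plus an authorization function that decides access purely by group membership, so that a customer under ou=customers and an employee under ou=users can be granted the same application (the ssh jumphost) without living in the same subtree. Only the base DN and the ou=customers / ou=users names come from the page; the sample users, the ou=groups subtree, the group names (sshjumphost, internal) and the application-to-group mapping are constructed assumptions.

```python
"""Added example (not part of the ungleich LDAP guide): parse a small LDIF
dump and authorize applications by LDAP group membership instead of by
the subtree (ou=customers vs ou=users) a user entry lives in.
All directory data below is constructed sample data."""

from collections import defaultdict

# Constructed sample directory. Base DN and the two ou names are from the
# page; users, the ou=groups subtree and both groups are assumptions.
SAMPLE_LDIF = """\
dn: ou=customers,dc=ungleich,dc=ch
objectClass: organizationalUnit
ou: customers

dn: uid=alice,ou=customers,dc=ungleich,dc=ch
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
description: customer account
  created via the web gui

dn: uid=bob,ou=users,dc=ungleich,dc=ch
objectClass: inetOrgPerson
uid: bob
cn: Bob Staff

dn: cn=sshjumphost,ou=groups,dc=ungleich,dc=ch
objectClass: groupOfNames
cn: sshjumphost
member: uid=alice,ou=customers,dc=ungleich,dc=ch
member: uid=bob,ou=users,dc=ungleich,dc=ch

dn: cn=internal,ou=groups,dc=ungleich,dc=ch
objectClass: groupOfNames
cn: internal
member: uid=bob,ou=users,dc=ungleich,dc=ch
"""

# Assumed mapping: which group grants access to which application.
APPLICATION_GROUPS = {"jumphost": "sshjumphost", "intranet": "internal"}


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attribute: [values]}}.

    Supports blank-line separated entries, repeated attributes and folded
    continuation lines (a line starting with one space). Base64 ('::')
    values and changetype records are out of scope for this example.
    """
    entries = {}
    current = None
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            # blank line ends the current entry
            current, last_attr = None, None
            continue
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            # folded line: append to the previous attribute value
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
            last_attr = None
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % raw)
        current[attr].append(value)
        last_attr = attr
    return entries


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components for comparison."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def groups_of(entries, user_dn):
    """Return the cn values of every groupOfNames entry that lists user_dn as member."""
    wanted = normalize_dn(user_dn)
    result = set()
    for attrs in entries.values():
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "groupofnames" not in classes:
            continue
        if any(normalize_dn(m) == wanted for m in attrs.get("member", [])):
            result.update(attrs.get("cn", []))
    return result


def may_use(entries, user_dn, application):
    """Authorize by group membership only; the user's subtree plays no role."""
    needed = APPLICATION_GROUPS[application]
    return needed in groups_of(entries, user_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for dn in ("uid=alice,ou=customers,dc=ungleich,dc=ch",
               "uid=bob,ou=users,dc=ungleich,dc=ch"):
        print(dn, "->", sorted(groups_of(directory, dn)))
```

The point of the example is the shape of may_use: it never inspects the user's DN beyond comparing it with group members, so the "yes" branch of the first question (one tree for everyone, access decided by groups) works without any change to the entries under ou=customers. Against a live server the same decision is an ldapsearch for (&(objectClass=groupOfNames)(member=<user DN>)) under ou=groups, bound with a low-privilege read-only account rather than the manager credentials.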

Updated by ll nu almost 5 years ago · 5 revisions