The ungleich LDAP guide¶

• Table of contents
• The ungleich LDAP guide
  • Status
  • Servers
  • Search all elements
  • Setting up new servers
  • LDAP Trees & application permissions
  • Adding users to ldap
    • To be clarified

Status¶

This article is IN PROGRESS.

Servers¶

The ldap servers are ldap1.ungleich.ch and ldap2.ungleich.ch.

• All LDAP servers are running in pairs and are using LDAP replication.
• Servers can only be contacted using ldap:// with TLS
  • Version 1 servers also support ldaps://

Search all elements¶

ldapsearch  -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD

Setting up new servers¶

The cdist type "__ungleich_ldap" can be used to setup new pairs of LDAP servers. After configuring the host,

LDAP Trees & application permissions¶

• dc=ungleich,dc=ch - root
  • ou=customers,dc=ungleich,dc=ch
    • Everyone can create an account in here => maybe it should be named publicusers?
    • Have access to
      • code.ungleich.ch
      • redmine.ungleich.ch
      • ssh jumphost(s)
  • ou=users,dc=ungleich,dc=ch
    • Internal users
    • Employees
    • Additional access to ...

Adding users to ldap¶

There is a webgui at: https://lam.ungleich.ch/lam/
The managager's credentials in pass.

To be clarified¶

Before this document goes into production, we need to clarify:

• Can we base permissions on groups for our applications?
  • yes -> we should have all users under the same tree
  • no -> need to different trees
• Can we handle ssh keys for our users in LDAP?
• Where do we implement recover password methods
  • do we implement this for all users or do we exclude staff?