The ungleich LDAP guide

Status

This article is IN PROGRESS.

Servers

The LDAP servers are ldap1.ungleich.ch and ldap2.ungleich.ch.

  • All LDAP servers run in pairs that replicate to each other.
  • Servers can only be contacted via ldap:// with STARTTLS; a cleartext bind is not accepted
    • Version 1 servers also support ldaps://

Search all elements

ldapsearch -H ldap://ldap1.ungleich.ch -ZZ -x -D <BINDDN> -W -b dc=ungleich,dc=ch

-ZZ makes the search fail unless STARTTLS is negotiated successfully (a single -Z only requests it and falls back to cleartext), and -W prompts for the bind password; passing it as -w PASSWORD leaves it in the shell history and visible to every local user in the process list.

Setting up new servers

The cdist type "__ungleich_ldap" can be used to set up new pairs of LDAP servers. After configuring the host,

LDAP Trees & application permissions

  • dc=ungleich,dc=ch - root
    • ou=customers,dc=ungleich,dc=ch
      • Everyone can create an account here, so maybe it should be named publicusers?
      • Accounts in this tree have access to
        • code.ungleich.ch
        • redmine.ungleich.ch
        • ssh jumphost(s)
    • ou=users,dc=ungleich,dc=ch
      • Internal users
      • Employees
      • Additional access to ...

Adding users to LDAP

There is a web GUI at: https://lam.ungleich.ch/lam/
The manager's credentials are in pass.

To be clarified

Before this document goes into production, we need to clarify:

  • Can we base permissions on groups for our applications?
    • yes -> we should keep all users under the same tree
    • no -> we need separate trees
  • Can we handle SSH keys for our users in LDAP?
  • Where do we implement password recovery?
    • do we implement it for all users, or do we exclude staff?
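The following script is an added example, not ungleich's code and not something this page says is in use. It shows one way the SSH-keys-in-LDAP question above could be answered (sshd's AuthorizedKeysCommand querying the directory) and, along the way, the safe form of the ldapsearch call from "Search all elements": STARTTLS enforced with -ZZ and the bind password read from a file with -y instead of from the command line. Everything beyond what the page states is an assumption: the OpenSSH LDAP schema attribute sshPublicKey, the bind DN cn=sshkeys, the password file path, and the sample LDIF, which is constructed to exercise the parser offline.

```sh
#!/bin/sh
# Added example, not ungleich's own code: an sshd AuthorizedKeysCommand that
# looks a user's public keys up in LDAP and prints them in authorized_keys
# format.  Assumptions (the page does not say which are used): the OpenSSH
# LDAP schema attribute "sshPublicKey", a read-only bind account cn=sshkeys
# (hypothetical name), and its password in a root-only file.

LDAP_URI="${LDAP_URI:-ldap://ldap1.ungleich.ch}"
BASE_DN="${BASE_DN:-dc=ungleich,dc=ch}"
BIND_DN="${BIND_DN:-cn=sshkeys,$BASE_DN}"          # hypothetical bind DN
PASS_FILE="${PASS_FILE:-/etc/ssh/ldap-bind.pw}"    # hypothetical path, mode 0600

# Only a plain POSIX username may reach the LDAP filter; anything else could
# rewrite the filter ("alice)(uid=*" would otherwise match every account).
valid_user() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Read LDIF on stdin, print one key per line.  Two LDIF details that a naive
# "grep sshPublicKey | cut" misses: long values are folded onto continuation
# lines that start with one space, and values ldapsearch will not print raw
# are base64-encoded and marked with "::".
ldif_keys() {
    awk '
        /^ / { line = line substr($0, 2); next }      # unfold continuation
        { flush(); line = $0 }
        END { flush() }
        function flush(    cmd, decoded) {
            if (line ~ /^sshPublicKey:: /) {
                sub(/^sshPublicKey:: /, "", line)
                cmd = "printf %s \"" line "\" | base64 -d"
                cmd | getline decoded
                close(cmd)
                print decoded
            } else if (line ~ /^sshPublicKey: /) {
                sub(/^sshPublicKey: /, "", line)
                print line
            }
            line = ""
        }'
}

# Query with STARTTLS made mandatory (-ZZ) and the bind password read from a
# file (-y) rather than passed on the command line.  The output is captured
# first so that an LDAP failure leaves the user with no keys instead of the
# parser returning whatever arrived before the error.
authorized_keys_for() {
    user="$1"
    valid_user "$user" || return 1
    ldif=$(ldapsearch -LLL -H "$LDAP_URI" -ZZ -x -D "$BIND_DN" -y "$PASS_FILE" \
        -b "$BASE_DN" "(&(objectClass=posixAccount)(uid=$user))" sshPublicKey) || return 1
    printf '%s\n' "$ldif" | ldif_keys
}

# Constructed sample, not real directory data, in the shape "ldapsearch -LLL"
# prints: one plain value folded over two lines (the continuation line starts
# with the fold-marker space plus the real space before the key comment) and
# one base64 value.  Lets ldif_keys be exercised without a directory server.
sample_ldif() {
    printf '%s\n' \
        'dn: uid=alice,ou=users,dc=ungleich,dc=ch' \
        'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne' \
        '  alice@laptop' \
        "sshPublicKey:: $(printf '%s' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo alice@desk' | base64 | tr -d '\n')" \
        ''
}

# sshd_config:  AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#               AuthorizedKeysCommandUser nobody
if [ $# -gt 0 ]; then
    authorized_keys_for "$1"
fi
```

Install it as the AuthorizedKeysCommand named in the trailing comment and sshd calls it with the login name as its only argument; the username check runs before anything is interpolated into the filter, and the bind account needs read access to sshPublicKey only. Whether keys live under ou=users alone or under ou=customers as well (the jumphost users) is exactly the tree question above, which is why the search base is the root of the directory here.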

Updated by ll nu 2 months ago · 5 revisions