Open Infrastructure

h1. The ungleich LDAP guide

{{toc}}

h2. Status

This article is *IN PROGRESS*.

h2. Servers

The ldap servers are *ldap1.ungleich.ch* and *ldap2.ungleich.ch*.

* All LDAP servers are running in pairs and are using LDAP replication.

* Servers can only be contacted using ldap:// with TLS

** Version 1 servers also support ldaps://

h2. Search all elements

<pre>

ldapsearch  -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD

</pre> 

h2. Setting up new servers

The cdist type "__ungleich_ldap" can be used to setup new pairs of LDAP servers. After configuring the host,

h2. LDAP Trees & application permissions

* dc=ungleich,dc=ch - root

** ou=customers,dc=ungleich,dc=ch

*** Everyone can create an account in here => maybe it should be named publicusers?

*** Have access to

**** code.ungleich.ch

**** redmine.ungleich.ch

**** ssh jumphost(s)

** ou=users,dc=ungleich,dc=ch

*** Internal users

*** Employees

*** Additional access to ...

h3. To be clarified

Before this document goes into production, we need to clarify:

* Can we base permissions on groups for our applications?

** yes -> we should have all users under the same tree

** no -> need to different trees

* Can we handle ssh keys for our users in LDAP?

* Where do we implement recover password methods

** do we implement this for all users or do we exclude staff?