Project

General

Profile

The ungleich LDAP guide » History » Version 4

Nico Schottelius, 03/05/2019 02:48 PM

1 1 Nico Schottelius
h1. The ungleich LDAP guide
2
3 2 Nico Schottelius
{{toc}}
4
5 1 Nico Schottelius
h2. Status
6
7
This article is *IN PROGRESS*.
8
9
h2. Servers
10
11 4 Nico Schottelius
The ldap servers are *ldap1.ungleich.ch* and *ldap2.ungleich.ch*.
12
13 1 Nico Schottelius
* All LDAP servers are running in pairs and are using LDAP replication.
14
* Servers can only be contacted using ldap:// with TLS
15
** Version 1 servers also support ldaps://
16 4 Nico Schottelius
17 1 Nico Schottelius
18
19
h2. Search all elements
20
21
<pre>
22
ldapsearch  -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD
23
</pre> 
24
25
h2. Setting up new servers
26
27 3 Nico Schottelius
The cdist type "__ungleich_ldap" can be used to setup new pairs of LDAP servers. After configuring the host,
28 2 Nico Schottelius
29
h2. LDAP Trees & application permissions
30
31
* dc=ungleich,dc=ch - root
32
** ou=customers,dc=ungleich,dc=ch
33
*** Everyone can create an account in here => maybe it should be named publicusers?
34
*** Have access to
35
**** code.ungleich.ch
36
**** redmine.ungleich.ch
37
**** ssh jumphost(s)
38
** ou=users,dc=ungleich,dc=ch
39
*** Internal users
40
*** Employees
41 1 Nico Schottelius
*** Additional access to ...
42 3 Nico Schottelius
43
44
h3. To be clarified
45
46
Before this document goes into production, we need to clarify:
47
48
* Can we base permissions on groups for our applications?
49
** yes -> we should have all users under the same tree
50
** no -> need to different trees
51
* Can we handle ssh keys for our users in LDAP?
52
* Where do we implement recover password methods
53
** do we implement this for all users or do we exclude staff?