Revision 3 (Nico Schottelius, 02/09/2019 06:38 PM) → Revision 4/5 (Nico Schottelius, 03/05/2019 02:48 PM)

h1. The ungleich LDAP guide

{{toc}}

h2. Status

This article is *IN PROGRESS*.

h2. Servers

The LDAP servers are *ldap1.ungleich.ch* and *ldap2.ungleich.ch*.

* All LDAP servers run in pairs and use LDAP replication.
* Servers can only be contacted via ldap:// with TLS (StartTLS, i.e. @-Z@ in ldapsearch)
** Version 1 servers also support ldaps://

h2. Search all elements

<pre>
ldapsearch -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD
</pre>

Note that @-Z@ only attempts StartTLS and silently continues in cleartext if the server refuses it; @-ZZ@ aborts the search instead. @-W@ prompts for the password rather than passing it on the command line, where it ends up in the shell history and the process list.

h2. Setting up new servers

The cdist type "__ungleich_ldap" can be used to set up new pairs of LDAP servers. After configuring the host,


h2. LDAP Trees & application permissions

* dc=ungleich,dc=ch - root
** ou=customers,dc=ungleich,dc=ch
*** Everyone can create an account in here => maybe it should be named publicusers?
*** Have access to
**** code.ungleich.ch
**** redmine.ungleich.ch
**** ssh jumphost(s)
** ou=users,dc=ungleich,dc=ch
*** Internal users
*** Employees
*** Additional access to ...
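
The tree above implies that an application decides access from the OU directly above the account (the "different trees" variant of the open question below). The following is an added example for this page, not ungleich's code: it normalizes a DN (trimmed, case-insensitive, escaped commas kept) and grants only the applications the parent OU is listed with; "internal" is an assumed placeholder for the unspecified "additional access" of ou=users.

```python
"""Tree-based application permissions for the LDAP layout described
above. Added example for this page, not ungleich's own code."""

BASE_DN = "dc=ungleich,dc=ch"

# Applications each subtree grants, as listed in the tree above.
# "internal" stands in for the unspecified "additional access" of ou=users.
SUBTREE_APPS = {
    f"ou=customers,{BASE_DN}": {"code.ungleich.ch", "redmine.ungleich.ch", "ssh-jumphost"},
    f"ou=users,{BASE_DN}": {"code.ungleich.ch", "redmine.ungleich.ch", "ssh-jumphost", "internal"},
}


def dn_rdns(dn: str) -> list[str]:
    """Split a DN into normalized RDNs: whitespace trimmed, attribute
    types and values lowercased, escaped commas ("\\,") kept inside
    their RDN. Not a full RFC 4514 parser, but enough for this tree."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pair intact
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur)
    out = []
    for rdn in rdns:
        attr, _, val = rdn.strip().partition("=")
        out.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return out


def allowed_apps(user_dn: str) -> set[str]:
    """Applications a user may use, decided only by the OU directly
    above the account. The parent must match exactly: an entry nested
    one level deeper, or under an unknown OU or base, gets nothing."""
    rdns = dn_rdns(user_dn)
    for subtree, apps in SUBTREE_APPS.items():
        if rdns[1:] == dn_rdns(subtree):
            return set(apps)
    return set()
```

Comparing the parent RDN list rather than doing a string suffix match is what keeps an account created one level deeper, or under a look-alike base, from inheriting the OU's permissions.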


h3. To be clarified

Before this document goes into production, we need to clarify:

* Can we base permissions on groups for our applications?
** yes -> we should have all users under the same tree
** no -> we need separate trees
* Can we handle ssh keys for our users in LDAP?
* Where do we implement password recovery methods?
** do we implement this for all users, or do we exclude staff?