The ungleich LDAP guide » History » Revision 4
Revision 3 (Nico Schottelius, 02/09/2019 06:38 PM) → Revision 4/5 (Nico Schottelius, 03/05/2019 02:48 PM)
h1. The ungleich LDAP guide
{{toc}}
h2. Status
This article is *IN PROGRESS*.
h2. Servers
The ldap servers are *ldap1.ungleich.ch* and *ldap2.ungleich.ch*.
* All LDAP servers are running in pairs and are using LDAP replication.
* Servers can only be contacted using ldap:// with TLS
** Version 1 servers also support ldaps://
h2. Search all elements
<pre>
ldapsearch -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD
</pre>
h2. Setting up new servers
The cdist type "__ungleich_ldap" can be used to setup new pairs of LDAP servers. After configuring the host,
h2. LDAP Trees & application permissions
* dc=ungleich,dc=ch - root
** ou=customers,dc=ungleich,dc=ch
*** Everyone can create an account in here => maybe it should be named publicusers?
*** Have access to
**** code.ungleich.ch
**** redmine.ungleich.ch
**** ssh jumphost(s)
** ou=users,dc=ungleich,dc=ch
*** Internal users
*** Employees
*** Additional access to ...
h3. To be clarified
Before this document goes into production, we need to clarify:
* Can we base permissions on groups for our applications?
** yes -> we should have all users under the same tree
** no -> need to different trees
* Can we handle ssh keys for our users in LDAP?
* Where do we implement recover password methods
** do we implement this for all users or do we exclude staff?