The ungleich LDAP guide » History » Revision 4
Revision 3 (Nico Schottelius, 02/09/2019 06:38 PM) → Revision 4/5 (Nico Schottelius, 03/05/2019 02:48 PM)
h1. The ungleich LDAP guide

{{toc}}

h2. Status

This article is *IN PROGRESS*.

h2. Servers

The LDAP servers are *ldap1.ungleich.ch* and *ldap2.ungleich.ch*.

* All LDAP servers run in pairs and use LDAP replication.
* Servers can only be contacted using ldap:// with TLS (StartTLS)
** Version 1 servers also support ldaps://

h2. Search all elements

<pre>
ldapsearch -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD
</pre>

h2. Setting up new servers

The cdist type "__ungleich_ldap" can be used to set up new pairs of LDAP servers. After configuring the host,

h2. LDAP Trees & application permissions

* dc=ungleich,dc=ch - root
** ou=customers,dc=ungleich,dc=ch
*** Everyone can create an account in here => maybe it should be named publicusers?
*** Have access to
**** code.ungleich.ch
**** redmine.ungleich.ch
**** ssh jumphost(s)
** ou=users,dc=ungleich,dc=ch
*** Internal users
*** Employees
*** Additional access to ...

h3. To be clarified

Before this document goes into production, we need to clarify:

* Can we base permissions on groups for our applications?
** yes -> we should have all users under the same tree
** no -> we need different trees
* Can we handle ssh keys for our users in LDAP?
* Where do we implement password recovery methods?
** do we implement this for all users or do we exclude staff?
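The following script is an added example for this guide, not code from the ungleich wiki or from the cdist type. It covers two sections above: it wraps the ldapsearch call from "Search all elements" so that the "ldap:// with TLS" rule from "Servers" is actually enforced (@-ZZ@ aborts if StartTLS cannot be negotiated, where @-Z@ alone would silently continue in cleartext) and the bind password is read from a file (@-y@) instead of being passed with @-w@ on the command line, where it shows up in shell history and @ps@ output; and it shows how an application could derive access from the tree a DN sits in, following "LDAP Trees & application permissions". The bind DN, the password file path and the sample DNs are constructed placeholders; the server names, base DN, OUs and application names are taken from the page.

```shell
#!/bin/sh
# Added example, not part of the ungleich LDAP guide.
# Values from the page: server pair, base DN, the two OUs and the three
# customer-facing applications. Everything else is a constructed placeholder.

LDAP_BASE="dc=ungleich,dc=ch"
LDAP_SERVERS="ldap1.ungleich.ch ldap2.ungleich.ch"   # the replicated pair
BIND_DN="cn=ldap-reader,ou=users,dc=ungleich,dc=ch"  # placeholder bind DN
PASS_FILE="/run/secrets/ldap-reader.pw"              # placeholder password file
DRY_RUN=${DRY_RUN:-1}   # 1: print the argv instead of running ldapsearch

# Hardened search against one server.
#   -ZZ  StartTLS and fail if it cannot be negotiated (never fall back to
#        cleartext). The server certificate is verified because ldap.conf's
#        TLS_REQCERT defaults to "demand"; if the CA is not in the system
#        store, export LDAPTLS_CACERT=/path/to/ca.pem before calling this.
#   -y   read the bind password from a file instead of -w on the command line.
#   -LLL plain LDIF output without comments and version line.
ldap_search() {
    server=$1; binddn=$2; passfile=$3; filter=${4:-'(objectClass=*)'}
    set -- ldapsearch -H "ldap://$server" -ZZ -x -D "$binddn" -y "$passfile" \
           -b "$LDAP_BASE" -LLL "$filter"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$@"      # one argv element per line, for inspection
    else
        "$@"
    fi
}

# Which tree of the page's layout does a user DN live in?
# Prints "customers", "users" or "unknown". Matching is case-insensitive and
# ignores whitespace after commas; the OU entry itself is not a user and
# therefore reports "unknown".
tree_of_dn() {
    dn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/, */,/g')
    case $dn in
        *,ou=customers,dc=ungleich,dc=ch) echo customers ;;
        *,ou=users,dc=ungleich,dc=ch)     echo users ;;
        *)                                echo unknown ;;
    esac
}

# Tree-based application access as described on the page: both trees reach
# the three customer-facing services. The page leaves the additional
# staff-only services unspecified ("Additional access to ..."), so nothing
# beyond those three is granted here. A DN outside the ungleich trees gets
# nothing, which is the safe default.
may_access() {
    app=$2
    case $(tree_of_dn "$1") in
        customers|users)
            case $app in
                code.ungleich.ch|redmine.ungleich.ch|jumphost) echo yes ;;
                *) echo no ;;
            esac ;;
        *) echo no ;;
    esac
}

# Stand-alone run: show the exact argv used against each server of the pair
# (DRY_RUN=1), then classify two constructed DNs. Set DRY_RUN=0 and point
# PASS_FILE at a real secret file to query the servers.
for s in $LDAP_SERVERS; do
    echo "== $s"
    ldap_search "$s" "$BIND_DN" "$PASS_FILE" '(uid=*)' | sed 's/^/  /'
done
for dn in "uid=alice,ou=customers,dc=ungleich,dc=ch" \
          "uid=bob, OU=Users, DC=ungleich, DC=ch"; do
    echo "$dn -> tree=$(tree_of_dn "$dn") redmine=$(may_access "$dn" redmine.ungleich.ch)"
done
```

Run it as-is to see the argument vector without touching the servers; with @DRY_RUN=0@ the same call performs the query. If the servers truly enforce the TLS rule, a deliberately plain @ldapsearch -H ldap://ldap1.ungleich.ch -x -D ... -y ...@ (no @-ZZ@) should fail to bind, which is a quick check to add to the cdist type's post-install verification.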