The ungleich LDAP guide » History » Version 5
ll nu, 09/12/2019 09:33 PM
1 | 1 | Nico Schottelius | h1. The ungleich LDAP guide |
---|---|---|---|
2 | |||
3 | 2 | Nico Schottelius | {{toc}} |
4 | |||
5 | 1 | Nico Schottelius | h2. Status |
6 | |||
7 | This article is *IN PROGRESS*. |
||
8 | |||
9 | h2. Servers |
||
10 | |||
11 | 4 | Nico Schottelius | The ldap servers are *ldap1.ungleich.ch* and *ldap2.ungleich.ch*. |
12 | |||
13 | 1 | Nico Schottelius | * All LDAP servers are running in pairs and are using LDAP replication. |
14 | * Servers can only be contacted using ldap:// with TLS |
||
15 | ** Version 1 servers also support ldaps:// |
||
16 | 4 | Nico Schottelius | |
17 | 1 | Nico Schottelius | |
18 | |||
19 | h2. Search all elements |
||
20 | |||
21 | <pre> |
||
22 | ldapsearch -H ldap://ldap1.ungleich.ch -Z -x -D <BINDDN> -b dc=ungleich,dc=ch -w PASSWORD |
||
23 | </pre> |
||
24 | |||
25 | h2. Setting up new servers |
||
26 | |||
27 | 3 | Nico Schottelius | The cdist type "__ungleich_ldap" can be used to setup new pairs of LDAP servers. After configuring the host, |
28 | 2 | Nico Schottelius | |
29 | h2. LDAP Trees & application permissions |
||
30 | |||
31 | * dc=ungleich,dc=ch - root |
||
32 | ** ou=customers,dc=ungleich,dc=ch |
||
33 | *** Everyone can create an account in here => maybe it should be named publicusers? |
||
34 | *** Have access to |
||
35 | **** code.ungleich.ch |
||
36 | **** redmine.ungleich.ch |
||
37 | **** ssh jumphost(s) |
||
38 | ** ou=users,dc=ungleich,dc=ch |
||
39 | *** Internal users |
||
40 | *** Employees |
||
41 | 1 | Nico Schottelius | *** Additional access to ... |
42 | 3 | Nico Schottelius | |
43 | |||
44 | 5 | ll nu | h2. Adding users to ldap |
45 | |||
46 | There is a webgui at: https://lam.ungleich.ch/lam/ |
||
47 | The managager's credentials in pass. |
||
48 | |||
49 | |||
50 | 3 | Nico Schottelius | h3. To be clarified |
51 | |||
52 | Before this document goes into production, we need to clarify: |
||
53 | |||
54 | * Can we base permissions on groups for our applications? |
||
55 | ** yes -> we should have all users under the same tree |
||
56 | ** no -> need to different trees |
||
57 | * Can we handle ssh keys for our users in LDAP? |
||
58 | * Where do we implement recover password methods |
||
59 | ** do we implement this for all users or do we exclude staff? |