Differences
Below are the differences between two revisions of the page.
smedev:make_everything_dynamic_with_ldap [28/03/2013 20:16] dani |
smedev:make_everything_dynamic_with_ldap [01/08/2013 09:14] (current version) dani [Disable user/group managements] |
Line 6: | Line 6: | ||
===== The goal ===== | ===== The goal ===== | ||
- | The goal I have is to have more things in LDAP, ultimately, adding users and groups shouldn' | + | The goal is to have more things in LDAP, ultimately, adding users and groups shouldn' |
===== In which way this can be useful ===== | ===== In which way this can be useful ===== | ||
Line 22: | Line 22: | ||
==== Modify a few things in LDAP ==== | ==== Modify a few things in LDAP ==== | ||
Here's a list of a few things which can be enhanced in LDAP | Here's a list of a few things which can be enhanced in LDAP | ||
+ | |||
+ | === Replace cpu === | ||
+ | LDAP users and groups are managed with [[http:// | ||
+ | * this tool isn't maintained anymore (last version was released in 2004) | ||
+ | * it only supports rfc2307 (see next chapter: switch to rfc2307bis) | ||
+ | * it won't let you add local users to LDAP groups (see http:// | ||
+ | * it's written in C, so a bit hard to enhance | ||
+ | |||
+ | I think it'd be better to switch to a perl based tool, like [[http:// | ||
+ | |||
=== Switch to rfc2307bis ? === | === Switch to rfc2307bis ? === | ||
- | The main difference between rfc2307 (currently used) and rfc2307bis is the way groups are handled. The buggest | + | |
+ | The main difference between rfc2307 (currently used) and rfc2307bis is the way groups are handled. The biggest | ||
+ | |||
+ | (& | ||
+ | |||
+ | This filter would only match members of the **admins** group. | ||
+ | |||
+ | The problem here is that switching to rfc2307bis requires a modification of the structural objectClass of group objects (from posixGroup to groupOfNames), | ||
=== Add smbk5pwd === | === Add smbk5pwd === | ||
- | smbk5pwd is a overlay which makes sure Unix and samba passwords stay in sync (as long as you use LDAP exop to chane the password) | + | smbk5pwd is a overlay which makes sure Unix and samba passwords stay in sync (as long as you use LDAP exop to change |
- | === Add pseudonyms as mailAlternateAddress attributes === | + | See this bug: http:// |
+ | |||
+ | === Add pseudonyms as mail/mailAlternateAddress attributes === | ||
+ | Pseudonyms and all the variants with the different virtual domains should be added in LDAP | ||
+ | |||
+ | * All the virtual domains / pseudonyms combinations should be added in LDAP either as mail or mailAlternateAddress | ||
+ | * A new prop should be available to select the first/ | ||
+ | * Maybe we should add a prop to create domains only for apache, and not handle mails. | ||
- | * Add all the virtual domains / pseudonyms combinations | ||
==== Automatically create the home dir on first connection ==== | ==== Automatically create the home dir on first connection ==== | ||
- | | + | If we want everything to be dynamic, the home directory of users should be created on the fly on the first connection. This can be achieve with: |
- | * Create a script to create it as a root preexec | + | |
+ | * root preexec: if the user tries to access his personal | ||
==== Switch to qmail-ldap (or another LDAP aware MTA, like postfix) ==== | ==== Switch to qmail-ldap (or another LDAP aware MTA, like postfix) ==== | ||
+ | |||
+ | qmail-ldap (see http:// | ||
+ | |||
* Add required schema to LDAP | * Add required schema to LDAP | ||
- | * switch to qmail-ldap | + | |
+ | | ||
==== Modify qpsmtpd to use LDAP ==== | ==== Modify qpsmtpd to use LDAP ==== | ||
- | * Replace goodrcptto with an LDAP equivalent (rcpt_ldap | + | * Replace goodrcptto with an LDAP equivalent (rcpt_ldap) |
==== Modify esmith:: | ==== Modify esmith:: | ||
* Read operations should first try to read LDAP directly | * Read operations should first try to read LDAP directly | ||
* Write/read fallback to standard flat file DB | * Write/read fallback to standard flat file DB | ||
+ | |||
==== Configure OpenLDAP as a proxy ==== | ==== Configure OpenLDAP as a proxy ==== | ||
==== Disable user/group managements ==== | ==== Disable user/group managements ==== | ||
- | * Make it possible to disable user and group management | + | * Make it possible to disable user and group management. When a SME Server is using a remote LDAP server, we should prevent user/ |
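Review bot: the new "Add smbk5pwd" lines should spell out what the "as long as you use LDAP exop to change the password" caveat implies: a direct write to userPassword bypasses the overlay and leaves the Samba password attributes stale, so any tooling that replaces cpu must use the Password Modify extended operation, and because that operation carries the new password in clear inside the LDAP request it should only be accepted over ldaps://, StartTLS or ldapi://. In the "Switch to rfc2307bis" lines, the sentence about changing the structural objectClass from posixGroup to groupOfNames should also note that OpenLDAP refuses this as an in-place modify, so the migration step has to export, rewrite and re-add the group entries rather than ldapmodify them.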