Différences
Ci-dessous, les différences entre deux révisions de la page.
Les deux révisions précédentes Révision précédente Prochaine révision | Révision précédente | ||
smedev:make_everything_dynamic_with_ldap [30/03/2013 12:28] dani [Switch to rfc2307bis ?] |
smedev:make_everything_dynamic_with_ldap [01/08/2013 09:14] (Version actuelle) dani [Disable user/group managements] |
||
---|---|---|---|
Ligne 6: | Ligne 6: | ||
===== The goal ===== | ===== The goal ===== | ||
- | The goal I have is to have more things in LDAP, ultimately, adding users and groups shouldn' | + | The goal is to have more things in LDAP, ultimately, adding users and groups shouldn' |
===== In which way this can be useful ===== | ===== In which way this can be useful ===== | ||
Ligne 22: | Ligne 22: | ||
==== Modify a few things in LDAP ==== | ==== Modify a few things in LDAP ==== | ||
Here's a list of a few things which can be enhanced in LDAP | Here's a list of a few things which can be enhanced in LDAP | ||
+ | |||
+ | === Replace cpu === | ||
+ | LDAP users and groups are managed with [[http:// | ||
+ | * this tool isn't maintained anymore (last version was released in 2004) | ||
+ | * it only supports rfc2307 (see next chapter: switch to rfc2307bis) | ||
+ | * it won't let you add local users to LDAP groups (see http:// | ||
+ | * it's written in C, so a bit hard to enhance | ||
+ | |||
+ | I think it'd be better to switch to a perl based tool, like [[http:// | ||
=== Switch to rfc2307bis ? === | === Switch to rfc2307bis ? === | ||
- | The main difference between rfc2307 (currently used) and rfc2307bis is the way groups are handled. The biggest advantage of rfc2307bis is the possibility to enabled the memberOf overlay. The memberOf overlay (see http:// | + | The main difference between rfc2307 (currently used) and rfc2307bis is the way groups are handled. The biggest advantage of rfc2307bis is the possibility to enabled the memberOf overlay. The memberOf overlay (see http:// |
- | (& | + | (& |
- | This filter would only matches | + | This filter would only match members of the **admins** group. |
+ | |||
+ | The problem here is that switching to rfc2307bis requires a modification of the structural objectClass of group objects (from posixGroup to groupOfNames), | ||
- | The problem here is that switching to rfc2307bis requires a modification of the structural objectClass of group objects (from posixGroup to groupOfNames), | ||
- | This would require to replace [[http:// | ||
=== Add smbk5pwd === | === Add smbk5pwd === | ||
- | smbk5pwd is a overlay which makes sure Unix and samba passwords stay in sync (as long as you use LDAP exop to chane the password). This would ensure password are in sync even if you change it from the command line using the passwd command, or with any other software which allow password modification through LDAP (SOGo, LemonLDAP:: | + | smbk5pwd is a overlay which makes sure Unix and samba passwords stay in sync (as long as you use LDAP exop to change |
See this bug: http:// | See this bug: http:// | ||
Ligne 42: | Ligne 51: | ||
Pseudonyms and all the variants with the different virtual domains should be added in LDAP | Pseudonyms and all the variants with the different virtual domains should be added in LDAP | ||
- | * Add all the virtual domains / pseudonyms combinations should be added in LDAP either as mail or mailAlternateAddress | + | * All the virtual domains / pseudonyms combinations should be added in LDAP either as mail or mailAlternateAddress |
* A new prop should be available to select the first/ | * A new prop should be available to select the first/ | ||
* Maybe we should add a prop to create domains only for apache, and not handle mails. | * Maybe we should add a prop to create domains only for apache, and not handle mails. | ||
Ligne 49: | Ligne 58: | ||
If we want everything to be dynamic, the home directory of users should be created on the fly on the first connection. This can be achieve with: | If we want everything to be dynamic, the home directory of users should be created on the fly on the first connection. This can be achieve with: | ||
* pam_mkhomedir: | * pam_mkhomedir: | ||
- | * root preexec: if the user try to access his personal folder through samba, we can also create it on the fly using a root preexec script defined in smb.conf | + | * root preexec: if the user tries to access his personal folder through samba, we can also create it on the fly using a root preexec script defined in smb.conf |
==== Switch to qmail-ldap (or another LDAP aware MTA, like postfix) ==== | ==== Switch to qmail-ldap (or another LDAP aware MTA, like postfix) ==== | ||
Ligne 57: | Ligne 66: | ||
* Add required schema to LDAP | * Add required schema to LDAP | ||
* Add required objectClass/ | * Add required objectClass/ | ||
- | * switch to qmail-ldap, or postfix, using an LDAP backend. | + | * switch to qmail-ldap |
==== Modify qpsmtpd to use LDAP ==== | ==== Modify qpsmtpd to use LDAP ==== | ||
* Replace goodrcptto with an LDAP equivalent (rcpt_ldap) | * Replace goodrcptto with an LDAP equivalent (rcpt_ldap) | ||
Ligne 64: | Ligne 74: | ||
* Read operations should first try to read LDAP directly | * Read operations should first try to read LDAP directly | ||
* Write/read fallback to standard flat file DB | * Write/read fallback to standard flat file DB | ||
+ | |||
==== Configure OpenLDAP as a proxy ==== | ==== Configure OpenLDAP as a proxy ==== | ||
==== Disable user/group managements ==== | ==== Disable user/group managements ==== | ||
- | * Make it possible to disable user and group management | + | * Make it possible to disable user and group management. When a SME Server is using a remote LDAP server, we should prevent user/ |