OpenLDAP structure for use with multiple applications
Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Hi all,
I'm thinking about the best way to organise my DIT in OpenLDAP on CentOS 7 for use with multiple applications.
The problem is when you create an OU for groups, other applications can see all the groups and that might get messy as there'll be a lot of groups.
Example
dc=example,dc=com
ou=group
ou=people
If we create entries for authorisation groups under ou=group, and create the uids for authentication under People, we would need to bind to the DN example.com as we need to access both people for logging in and group for authorizing access.
As you can imagine, if I want to select a group of proxy users, I don't want to see all VPN groups, Application groups and so on.
If working with multiple branches (and countries), what would be the easiest way to organise the groups and users (logins)?
I haven't got a lot of experience with OpenLDAP structuring, as you might notice, so any ideas are welcome.
Also, in the future we would migrate to samba4 with AD, but I read that it isn't recommended to use an external LDAP for samba. Is there any way of creating the users on an external LDAP server and keeping them in sync with the LDAPI of samba4?
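One way to lay the DIT out so that each application's service account sees only its own groups, as an added example that is not from this thread: users exist once under ou=people, each application gets its own sub-OU under ou=group, and slapd access rules limit each application's bind DN to ou=people (so the password check works) plus its own group sub-OU. The OU names, the service-account names (cn=proxy-svc, cn=vpn-svc), the user and group entries and the config database DN olcDatabase={2}hdb are all assumptions; confirm the database entry on your own server with `slapcat -n 0 | grep olcDatabase`.

```ldif
# --- Hypothetical directory layout (assumed names, constructed for this example) ---
dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: group

# one sub-OU per application, so an application's group search base can be
# its own subtree instead of all of ou=group
dn: ou=proxy,ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: proxy

dn: ou=vpn,ou=group,dc=example,dc=com
objectClass: organizationalUnit
ou: vpn

# service accounts the applications bind with (one per application)
dn: ou=services,dc=example,dc=com
objectClass: organizationalUnit
ou: services

dn: cn=proxy-svc,ou=services,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: proxy-svc
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

# a user exists exactly once ...
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT

# ... and is referenced by memberUid from as many application groups as needed
dn: cn=proxy-users,ou=proxy,ou=group,dc=example,dc=com
objectClass: posixGroup
cn: proxy-users
gidNumber: 20001
memberUid: alice

# --- Access rules in cn=config (olcDatabase={2}hdb is an assumption; the
# first "to" clause that matches an entry/attribute wins, so order matters).
# Continuation lines start with ONE fold space followed by a real space. ---
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=proxy-svc,ou=services,dc=example,dc=com" read
  by dn.exact="cn=vpn-svc,ou=services,dc=example,dc=com" read
  by * none
olcAccess: {2}to dn.subtree="ou=proxy,ou=group,dc=example,dc=com"
  by dn.exact="cn=proxy-svc,ou=services,dc=example,dc=com" read
  by * none
olcAccess: {3}to dn.subtree="ou=vpn,ou=group,dc=example,dc=com"
  by dn.exact="cn=vpn-svc,ou=services,dc=example,dc=com" read
  by * none
# the suffix entry stays readable so a subtree search from the base succeeds
olcAccess: {4}to dn.base="dc=example,dc=com"
  by users read
  by * none
olcAccess: {5}to * by * none
```

Load the access rules with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (the usual local-root path to cn=config). With these rules cn=proxy-svc can bind, enumerate ou=people, and read ou=proxy,ou=group, but a search for the VPN groups returns nothing for it, so the proxy application never sees them even if its base DN is dc=example,dc=com. Users still authenticate because rule {0} grants anonymous "auth" access to userPassword for the simple bind.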
The best way I have found, is to only bind a group to your application, instead of the entire directory. That way the application can only see what's in the group.
Yes, I thought about creating OUs with the groups and users in them. But then I might have the need of a user in a sub OU or group that I need to authenticate in another application where I configure another sub OU or group. So I would need to duplicate the users. Or is there another way to create some sort of link for a user to be in multiple OUs for authentication? If I'd need to delete a user, for instance, that I can just delete it once and do not have to look in which sub OUs it is also located.
You wouldn't need to duplicate the users... do something like this:
OU=Group1
OU=Users
Keep all the users in Users and make whichever user you want part of another group; this way it won't matter. If we made a subgroup in Group1 called SubGroup1 and just added random users to that SubGroup it would work just fine. You don't duplicate users, you just add whatever users you want to whatever (sub)groups and then map that group to the application via LDAP bind.
I tried that but if I bind the group I can't authenticate my user anymore as the bind is only towards the group (I suppose).
I added the MemberOf overlay as it posed problems with a proxy server otherwise. But even with that, it doesn't authenticate the user in my group if I don't bind to the top level so it can also bind to the users OU.
What program are you trying to make work with LDAP?
For the group filter I do something like this...
(&(objectclass=posixGroup)(cn=somegroup)(memberUid=*))
This works for me (all my groups always have the posixGroup attribute; this is not really important, you can bind to any attribute if you want).
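To see why "binding only to the group" breaks authentication while the group filter above still works from a wider base, here is an added example (not code from this thread) that models the two lookups an application performs: find the user entry, then find a group entry whose memberUid lists that user. It uses a constructed in-memory copy of the ou=people / ou=group layout and a small evaluator for the filter subset used in this thread; it assumes that "binding the application to a group" means configuring the group's subtree as the application's search base, and that the application uses posixAccount/posixGroup entries.

```python
"""Model of an application's user lookup followed by its group lookup.

Added example with a constructed in-memory directory (not a real slapcat
dump). "search base = the group's subtree" reproduces the symptom from the
thread: the user entry is outside that subtree, so authentication fails.
"""
import re

# Constructed sample entries mirroring the thread's ou=people / ou=group layout.
DIRECTORY = {
    "dc=example,dc=com": {
        "objectClass": ["dcObject", "organization"], "dc": ["example"]},
    "ou=people,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["people"]},
    "ou=group,dc=example,dc=com": {
        "objectClass": ["organizationalUnit"], "ou": ["group"]},
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    "cn=proxy-users,ou=group,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["proxy-users"],
        "memberUid": ["alice"]},
    "cn=vpn-users,ou=group,dc=example,dc=com": {
        "objectClass": ["posixGroup"], "cn": ["vpn-users"],
        "memberUid": ["bob"]},
}


def escape(value):
    """Escape a caller-supplied value for use inside a filter (RFC 4515),
    so a uid such as 'ali*' cannot widen the search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse the filter subset used in the thread: &, |, !, attr=value and
    presence (attr=*). Whitespace next to parentheses, as in the thread's
    "(a=b) (c=d)", is tolerated; spaces inside values are kept."""
    s = re.sub(r"\s*([()])\s*", r"\1", text)
    pos = 0

    def node():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if s[pos] in "&|":
            op, subs = s[pos], []
            pos += 1
            while s[pos] == "(":
                subs.append(node())
        elif s[pos] == "!":
            op = "!"
            pos += 1
            subs = [node()]
        else:
            end = s.index(")", pos)
            attr, value = s[pos:end].split("=", 1)
            op, subs = "=", (attr, value)
            pos = end
        if s[pos] != ")":
            raise ValueError("expected ')' at %d" % pos)
        pos += 1
        return (op, subs)

    tree = node()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    op, subs = tree
    if op == "&":
        return all(matches(t, entry) for t in subs)
    if op == "|":
        return any(matches(t, entry) for t in subs)
    if op == "!":
        return not matches(subs[0], entry)
    attr, raw = subs
    # attribute names and (for this model) values compare case-insensitively
    values = [v.lower() for k, vs in entry.items()
              if k.lower() == attr.lower() for v in vs]
    if raw == "*":                      # presence test, e.g. (memberUid=*)
        return bool(values)
    return unescape(raw).lower() in values


def search(base, filter_text, directory=DIRECTORY):
    """Subtree search: DNs at or below `base` whose entry matches the filter."""
    tree = parse_filter(filter_text)
    base_l = base.lower()
    return [dn for dn, entry in directory.items()
            if (dn.lower() == base_l or dn.lower().endswith("," + base_l))
            and matches(tree, entry)]


def authorise(uid, group_cn, search_base):
    """Return (user_dn, group_dn) when both lookups succeed under search_base,
    otherwise None. A base that excludes ou=people makes step 1 fail."""
    users = search(search_base,
                   "(&(objectClass=posixAccount)(uid=%s))" % escape(uid))
    if len(users) != 1:
        return None
    groups = search(search_base, "(&(objectclass=posixGroup)(cn=%s)(memberUid=%s))"
                    % (escape(group_cn), escape(uid)))
    if not groups:
        return None
    return users[0], groups[0]
```

`authorise("alice", "proxy-users", "dc=example,dc=com")` finds both entries, whereas `authorise("alice", "proxy-users", "ou=group,dc=example,dc=com")` returns None because the user lookup never reaches ou=people. The practical consequence for the thread is that the search base must cover ou=people, and the narrowing of what the application can see is done with the group filter (and server-side ACLs), not by shrinking the base to the group.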