martin f krafft said:
> Hi there,
>
> This will probably be a lengthy discussion. I appreciate any helpful
> comments. I also searched the lists and web but couldn't find good
> information.
maybe I can help :)

> 1. Select three servers to be the LDAP servers, configure them all for
> ldap-ssl (no clear-text here) and then hook them into
> a master-slave configuration with two of them mirroring the primary
> one. I'll use bind9 round-robin to do some fairly unadvanced
> load-balancing between them, and should be able to deal with the
> failure of one of the three servers fairly easily.

be aware that openldap's "mirroring" is one-way master->slave not
slave->master. All updates are required to be performed on the master.
You can do the updates on the slave, but the commands are just passed
transparently to the master (cleartext) to be processed on the master,
then propagated back to the slave. I would recommend for best security
to only authenticate off the slave servers, and do not set up referrers
on the slaves. That way all of the data accessible by the servers is
read only. Worst case is the slave perhaps can get corruption but that
won't affect the master.

> 2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
> to contain no user but root and the various other defaults that Debian
> installs. All users for all systems should be placed in
> a global LDAP tree, with each user's record specifying what systems
> s/he may log in to.

I've done this. in fact I've gone farther by putting all the default
accounts in ldap too (even though they aren't really used through ldap).

> 3. Separate the mail users from the real users. About 70% of my users
> never log in and simply use IMAPs or POP3s to retrieve their mail.
> These should also live in the LDAP tree, but possibly under
> a different subtree. I'd like to keep using postfix + courier to handle
> all mail tasks. Is this possible, or should I start looking into cyrus?

only way I can think of to have separate users is to set the 'mail only'
accounts to have a shell of /dev/null.
Or perhaps something else like /usr/local/bin/bash, and only make
/usr/local/bin/bash available on those systems which you want these
users to log in to. the rest of the systems would have no such file.

postfix can handle it all, what you use for IMAP/POP3 is not important,
postfix will translate the LDAP account into a local user account, the
MDA need not know LDAP even exists.

> 4. Put major user configuration items (like .forward, spamassassin)
> into the LDAP tree. I am sure postfix can handle this particular one
> somehow, and one can probably hack solutions up for other proggies.

This I have never tried, though possible, I don't really see any
advantage to doing it over using a distributed filesystem like AFS
which you mention you're planning on using?

> 5. Put major system configuration (postfix, bind9, apt, etc.) into the
> LDAP tree.

haven't tried this either myself. I thought about doing DNS in LDAP,
I've read about it, but my DNS zone files are set up so nicely.. so I
haven't tried it.

> I do have one question on LDAP: Can it be used as a relational
> database? For instance, I would like to have a list of systems that a
> user may use for login stored for each user. Can I link the systems out
> of a different subtree (that I use for system configuration in step 5),
> or would I need to duplicate the information?

as for relational database, I am not certain what you mean, but if
you're referring to host based authentication yes you can do this, I
have not updated my LDAP howto on how to do it but it's easy:

the LDAP entry needs to have an

objectClass: account

then create a 'host' entry, e.g.

host: mail35.mydomain.com

1 host entry per host that user is allowed to log in to. then in
/etc/pam_ldap.conf set this:

pam_check_host_attr yes

then in /etc/pam.d/* for the services you want to use LDAP with, you
need to first configure it to use ldap, but instead of using
'sufficient' as I have in my LDAP howto, it needs to say required.
You can test it using sufficient, e.g. set it in ssh, if you ssh in the
message 'access denied for this host' should show up, but that won't
actually be enforced until you set the pam entry to required, at which
point it would disconnect you.

I find this particularly cool because you can disable su this way, if
you don't plan to login to a server for a long time, edit the root ldap
entry, and remove the hosts entries for that user for the hosts you
don't plan to su on, and if you try to su, even if you have the right
password it blocks you access (again, provided you set 'required' in
/etc/pam.d/su). You can do the same for the console by changing
/etc/pam.d/login, set it to required and not even root can log in at
the console anymore!

> Or would PostgreSQL be a better albeit not as performant choice in the
> first place?

LDAP I think is the way to go for the majority of the stuff, much of the
software and support is already out there. storing files in LDAP is
possible (i've done it through netscape roaming) but it's by no means
easy (IMO), I think you should start basic then look into the file
storing stuff later.

nate
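The host-based login restriction nate describes, as an added example that is not from his mail or his LDAP howto: a constructed LDAP entry carrying one host: value per permitted machine, the pam_ldap.conf and pam.d lines, and a small emulation of the check so its effect can be tried offline. The DN, domain and host names are hypothetical, and the placement of the check in the account stack is an assumption.

```shell
#!/bin/sh
# Added example: emulate pam_check_host_attr against a constructed entry.

# Constructed LDIF entry (hypothetical names): objectClass account makes
# the host attribute available; one host: line per machine the user may
# log in to.
USER_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
uid: jdoe
host: mail35.example.com
host: shell01.example.com'

# /etc/pam_ldap.conf line that turns the host check on.
pam_ldap_conf() {
    printf 'pam_check_host_attr yes\n'
}

# /etc/pam.d/<service> lines: "required" instead of "sufficient", so a
# host mismatch actually denies access instead of only being reported.
# Assumption of this example: the host check is made in the account
# stack; the auth line is the ordinary pam_ldap login configuration.
pam_d_fragment() {
    printf 'auth     required   pam_ldap.so\n'
    printf 'account  required   pam_ldap.so\n'
}

# Emulates the decision for local hostname $1 given LDIF $2: success (0)
# only if some host: value matches. The case-insensitive comparison is
# this example's own simplification, not a statement about pam_ldap.
host_allowed() {
    printf '%s\n' "$2" | awk -v want="$1" '
        tolower($1) == "host:" && tolower($2) == tolower(want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Demonstration against two hostnames: one granted, one not.
for h in mail35.example.com www.example.com; do
    if host_allowed "$h" "$USER_LDIF"; then
        echo "$h: login permitted"
    else
        echo "$h: login denied (no matching host: attribute)"
    fi
done
```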