My LDAP Tree So Far
It took a lot of digging to figure out how I should approach choosing a good LDAP directory layout for my house but Michael Donnelly seems to have an answer I like. I created Organizational Units to hold all the people and all the computers. I want to have a few canonical OUs that hold the base records for each of these things then have other OUs that reference them and group by access. I don't know that I have it all figured out right just yet, but phpLDAPadmin makes it simple to move things around. Just make sure to hit the "Purge caches" link if you move stuff on one computer then view it on another. At the moment my layout is kind of like this:
dc=local (3)
+-- ou=devices (2)
|   |
|   +-- cn=Copper
|   +-- cn=Ruby
|
+-- ou=groups (1)
|   |
|   +-- cn=users (3)
|       |
|       +-- cn=El Dapper
|       +-- cn=Jeff Schiller
|       +-- cn=Rob Russell
|
+-- ou=people (4)
    |
    +-- cn=Alex
    +-- cn=Candace
    +-- cn=Jack
    +-- cn=Jeff
    +-- cn=Zack
I had planned to put all the people under ou=people,dc=local then somehow have a reference to a user account under cn=users,ou=groups,dc=local but I don't know how to do that. I might just end up using ou=people,dc=local as an address book with all the contact info I have for everybody I know. So far a person in the users group can log in to either of the Linux computers I have at home. That's because the entries under users (like "cn=Rob Russell,cn=users,ou=groups,dc=local") have an objectClass of posixAccount. That is to say they contain the user id (in the uid attribute) and password (really an MD5 digest of the password) that the user enters to log in. I also used the User Management tool in Yast to enable LDAP as an authentication source for logins. One thing to remember about LDAP is that you don't need to use the entire tree structure all the time. What I mean is that searches can be very specific and describe where in the tree the record should be, or they can be very vague and just specify, for example, "cn=Rob Russell". I don't think I have an ideal structure right now but I had to commit to something in order to keep moving on my overall LDAP-at-home plan. This should last at least until I'm ready to do address books and that's a long way off at my rate. I also know I'm likely going to need to rearrange things to handle Windows logins, so there should be a few more changes coming yet.
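The post's login entries hold an unsalted {MD5} digest in userPassword. slapd accepts that, but anyone who can read the attribute (a misconfigured ACL, a backup, an anonymous bind that is allowed too much) can run it against a precomputed table. OpenLDAP also understands the salted {SSHA} scheme, base64(sha1(password + salt) + salt). The following is an added example, my code rather than anything from the post or from OpenLDAP: it produces and verifies both schemes and emits a minimal posixAccount entry with the MUST attributes (cn, uid, uidNumber, gidNumber, homeDirectory). The account name, numeric ids and base DN are constructed for the example.

```python
"""Salted {SSHA} userPassword values for a posixAccount LDIF entry.

Added example, not part of the original post. Sample names and ids are
constructed; the hash formats are the ones slapd's password verification
understands ({SSHA} and the legacy unsalted {MD5}).
"""
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """Return a '{SSHA}' userPassword value; 4 random salt bytes by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def md5_hash(password):
    """Legacy unsalted '{MD5}' value, kept only so old entries can be verified."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify_password(stored, candidate):
    """Check a candidate against a {SSHA} or {MD5} value, as a simple bind would."""
    scheme, _, encoded = stored.partition("}")
    raw = base64.b64decode(encoded)
    pw = candidate.encode("utf-8")
    if scheme == "{SSHA":
        # SHA-1 digests are 20 bytes; whatever follows is the salt.
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    if scheme == "{MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    raise ValueError("unsupported password scheme %s}" % scheme)


def posix_account_ldif(cn, uid, uid_number, gid_number, password,
                       base="ou=people,dc=local"):
    """Build an LDIF entry with every attribute posixAccount requires.

    posixAccount is auxiliary, so inetOrgPerson supplies the structural class
    (which in turn requires sn).
    """
    lines = [
        "dn: cn=%s,%s" % (cn, base),
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "cn: %s" % cn,
        "sn: %s" % cn,
        "uid: %s" % uid,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/%s" % uid,
        "loginShell: /bin/bash",
        "userPassword: %s" % ssha_hash(password),
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed account; feed the output to ldapadd -x -D ... -W -f entry.ldif
    print(posix_account_ldif("Rob Russell", "rob", 1001, 100, "secret"))
```

The random salt means two accounts with the same password get different userPassword values, which is the property {MD5} lacks. slapd does the verification itself on a simple bind, so nothing in the client has to know the scheme; the verify function here only mirrors that check so the hashes can be tested offline.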

Hi,

You don't mention if you are using OpenLDAP, but if you are you can use the Dynamic List overlay to create your users group from your People organisational unit:

"The dynlist overlay to slapd(8) allows expansion of dynamic groups and more. Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry."

e.g.:

dn: cn=users,ou=groups,dc=local
objectClass: groupOfURLs
cn: users
memberURL: ldap:///ou=people,dc=local?uid?sub?(objectClass=posixAccount)

See man slapo-dynlist

Thanks,

Gavin.

Yeah, it's OpenLDAP on an OpenSuse 10.2 install.

From the man page:
Any time an entry with a specific objectClass is being returned, the LDAP URI-valued occurrences of a specific attribute are expanded into the corresponding entries, and the values of the attributes listed in the URI are added to the original entry.

So if I understand your snippet correctly, the URL ldap:///ou=people,dc=local?uid?sub?(objectClass=posixAccount) would be expanded to find additional posixAccount entries from people when I query users. Sounds like it could be just what I'm looking for.

Thanks for the pointer, right now I'm working on getting a basic login page completed but after that I'll be back to rearranging the tree again to get to the next step. When I get there the dynlist overlay will make a cleaner structure for me.
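The memberURL in Gavin's snippet is an RFC 4516 LDAP URL: base DN, attribute list, scope and filter separated by "?". To see exactly what slapo-dynlist will splice into cn=users before touching slapd.conf, here is an added example, my code rather than the post's or OpenLDAP's: it parses such a URL and evaluates it against a small constructed in-memory copy of the tree (the Candace and Copper entries and their attributes are made up for the example). It supports equality filters plus &, | and !, which covers the URL above. The slapd.conf side, assumed from the 2.3-era man page, is "overlay dynlist" followed by "dynlist-attrset groupOfURLs memberURL" after the database definition.

```python
"""Local model of the expansion slapo-dynlist performs on a memberURL.

Added example, not part of the original post or of OpenLDAP. The directory
below is constructed; attribute names are stored lower-cased because LDAP
attribute types are case-insensitive.
"""
from urllib.parse import unquote

DIRECTORY = {
    "ou=people,dc=local": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "cn=Jeff,ou=people,dc=local": {
        "objectclass": ["inetOrgPerson", "posixAccount"], "cn": ["Jeff"], "uid": ["jeff"]},
    "cn=Alex,ou=people,dc=local": {
        "objectclass": ["inetOrgPerson", "posixAccount"], "cn": ["Alex"], "uid": ["alex"]},
    # Address-book only entry: no posixAccount, so it must not become a member.
    "cn=Candace,ou=people,dc=local": {"objectclass": ["inetOrgPerson"], "cn": ["Candace"]},
    # A device with a login account, outside ou=people, so out of scope.
    "cn=Copper,ou=devices,dc=local": {
        "objectclass": ["device", "posixAccount"], "cn": ["Copper"], "uid": ["copper"]},
}


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter into its four parts (RFC 4516)."""
    if not url.startswith("ldap:///"):
        raise ValueError("only ldap:/// (same-server) URLs are handled here")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))          # missing trailing parts take defaults
    base, attrs, scope, filt = (unquote(p) for p in parts[:4])
    return {"base": base,
            "attrs": [a.strip().lower() for a in attrs.split(",") if a.strip()],
            "scope": scope or "base",
            "filter": filt or "(objectClass=*)"}


def _split_filter_list(s):
    """Turn '(a=b)(c=d)' into ['(a=b)', '(c=d)'] by tracking parenthesis depth."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def match_filter(filt, attrs):
    """Evaluate an equality / & / | / ! filter against one entry's attributes."""
    filt = filt.strip()
    body = filt[1:-1]
    if not (filt.startswith("(") and filt.endswith(")")) or not body:
        raise ValueError("malformed filter: %r" % filt)
    if body[0] in "&|":
        results = [match_filter(f, attrs) for f in _split_filter_list(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not match_filter(body[1:], attrs)
    name, _, value = body.partition("=")
    values = attrs.get(name.strip().lower(), [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnoreMatch


def in_scope(dn, base, scope):
    """Apply base / one / sub scope the way a search does."""
    dn, base = dn.lower(), base.lower()
    if dn == base:
        return scope in ("base", "sub")   # 'one' excludes the base entry itself
    if scope == "base" or not dn.endswith("," + base):
        return False
    if scope == "sub":
        return True
    if scope == "one":
        return "," not in dn[:-len(base) - 1]   # exactly one RDN below the base
    raise ValueError("unknown scope %r" % scope)


def expand_member_url(url, directory=DIRECTORY):
    """Return {attribute: sorted values} that dynlist would add to the group entry."""
    q = parse_ldap_url(url)
    added = {}
    for dn, attrs in directory.items():
        if in_scope(dn, q["base"], q["scope"]) and match_filter(q["filter"], attrs):
            for a in q["attrs"]:
                added.setdefault(a, set()).update(attrs.get(a, []))
    return {a: sorted(v) for a, v in added.items() if v}


if __name__ == "__main__":
    print(expand_member_url(
        "ldap:///ou=people,dc=local?uid?sub?(objectClass=posixAccount)"))
```

Two things worth checking before relying on this for logins. First, the overlay adds the values under the attribute named in the URL, so the URL above gives cn=users a set of uid values, not a posixGroup's memberUid; nss_ldap resolves group membership through memberUid (RFC 2307), so a dynamic group only doubles as a login group if the installed dynlist version can produce that attribute. Second, the expansion happens on every read of the group entry, so the filter should be as tight as the real membership rule; (objectClass=posixAccount) under ou=people is fine here, but a subtree search from dc=local would pull in the device accounts as well.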