It took a lot of digging to figure out how I should approach choosing a good LDAP directory layout for my house, but Michael Donnelly seems to have an answer I like. I created Organizational Units to hold all the people and all the computers. I want to have a few canonical OUs that hold the base records for each of these things, then have other OUs that reference them and group by access. I don't know that I have it all figured out right just yet, but phpLDAPadmin makes it simple to move things around. Just make sure to hit the "Purge caches" link if you move stuff on one computer then view it on another.
At the moment my layout is kind of like this:
+-- ou=devices (2)
| +-- cn=Copper
| +-- cn=Ruby
+-- ou=groups (1)
| +-- cn=users (3)
| +-- cn=El Dapper
| +-- cn=Jeff Schiller
| +-- cn=Rob Russell
+-- ou=people (4)
I had planned to put all the people under ou=people,dc=local then somehow have a reference to a user account under cn=users,ou=groups,dc=local but I don't know how to do that. I might just end up using ou=people,dc=local as an address book with all the contact info I have for everybody I know.
So far a person in the users group can log in to either of the Linux computers I have at home. That's because the entries under users (like "cn=Rob Russell,cn=users,ou=groups,dc=local") have an objectClass of posixAccount. That is to say they contain the user id (in the uid attribute) and password (really an MD5 digest of the password) that the user enters to log in. I also used the User Management tool in YaST to enable LDAP as an authentication source for logins.
One thing to remember about LDAP is that you don't need to use the entire tree structure all the time. What I mean is that searches can be very specific and describe where in the tree the record should be or they can be very vague and just specify, for example, "cn=Rob Russell".
I don't think I have an ideal structure right now, but I had to commit to something in order to keep moving on my overall LDAP-at-home plan. This should last at least until I'm ready to do address books, and that's a long way off at my rate. I also know I'm likely going to need to rearrange things to handle Windows logins, so there should be a few more changes coming yet.