LDAP

From RevSpace
Revision as of 23:10, 22 March 2024 by Shiz (talk | contribs) (Add shell server configuration documentation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

The Lightweight Directory Access Protocol (LDAP) is used in RevSpace in most places where authentication is required.

Backend

  • Server: ldap2.space.revspace.nl
    • IP: 10.42.42.9
    • Port: 636 (TLS)
  • Software: slapd (openldap)
    • Config: /etc/ldap/slapd.conf
  • Database: LDIF (for easy recovery/editing)
    • Location: /var/lib/ldap/data
  • ACL: yes

Access

  • From ldap2 itself: # shelldap
  • From anywhere in the space network: ldap2:636 (TLS)

Layout

dc=space,dc=revspace,dc=nl
`-+- ou=groups         # groepen van entiteiten (optioneel posixGroup)
  |  `-+- cn=board        # groep van bestuursleden
  |    `- cn=sudo         # groep van sysadmins
  +- ou=people         # natuurlijke personen
  |  `- uid=...
  +- ou=services       # niet-natuurlijke personen
  |  `- cn=...
  `- cn=admin          # fallback admin account (emergency, console access, hardcoded in slapd.conf)

Services

Configuration

Shell servers

The Debian shell servers use libnss-ldapd, with a few caveats:

  • /etc/nslcd.conf needs to be configured with a service DN and bind password specific to that shell server.
  • To get auxiliary groups working (like sudo), ldap needs to be first in the group entry in /etc/nsswitch.conf.