Default LDAP DIT for user and group management

Registered by Mathias Gug on 2008-06-03

Provide a default DIT to enable User and Group management using an Ubuntu Server as the LDAP directory.

Blueprint information

Status: Not started
Approver: None
Priority: High
Drafter: None
Direction: Needs approval
Assignee: None
Definition: Drafting
Series goal: None
Implementation: Not started
Milestone target: None

Related branches

Whiteboard

dendrobates: This is a good idea, but I would like to see a community discussion about DIT layout. i.e. the use of dc=example,dc=com, over o=example.com. I have almost always used dc, but not for any good reason.

ru: Having a DIT in any form is very important for corporations. This feature can (in future) replace the MS AD ecosystem.

koptein: DIT and LDAP do not mean (mail, directory, or other) domains. dc=example,dc=com is for a domain, o=example.com is also a domain, and both aren't very good for a bigger company structure. One example - for better clarification - I use .uk (or .de, .nl, ...).

If you start with dc=example,dc=uk and your company grows with another location, say example.br, how can someone lay out this new structure? Same for o=example.uk and o= or ou= or c= ... example.br? Always a new DIT for a new location? The important thing is not the domain (whatever domain), it is the name of the structure, the company. So for one of the best (L)DAP implementations (NDS or eDirectory) nearly everyone recommends an o=example -- without any com, org, net, uk, br, ... and other locations (or parts of a company like sales, hr, stock, ...) are in the second level in the DIT, like ou=br.
LDAP is not only for users and groups, what about computers, DNS, DHCP, hard disks, pools, volumes (LVM), software RAID level, rights, cluster configuration, load balancing, routing, RIP, BGP, applications and many more? Think bigger but start small.

ru: 2 koptein - And what to do if we have many companies at one server(s)? Just create "o=MyCompany and o=AsteriskCompany and o=AnotherOneCompany"? What is the difference with "dc=MyCompany,dc=com and dc=AsteriskCompany,dc=com and dc=AnotherCompany,dc=com"? We need some strategy for a DIT with many locations / countries / companies.

2 all - From the Ubuntu survey it seems that Ubuntu Server is usually used by SOHO, and they do not use Ubuntu as a directory server because of the lack of a DIT feature. For me it means that it is better to have a DIT good for SOHO and suitable for big companies. From my point of view, DIT in Ubuntu is the most important feature in the 9.04 release.

ru: Is there any work on this blueprint? If not, maybe use eBox as the official DIT for Ubuntu?
Or maybe Canonical does not want to create any competitor to their proprietary Landscape. Any ideas?

ivoks: let's break away from o=organization and dc=domain,dc=com. Clearly, both are false thinking since, as ru said, this logic doesn't cover more organizations under one 'o' or more domains under one 'dc'. Let's start thinking about the server as a top organization. So, instead of 'o=Organization Name', let's do 'o=Server Name'. That way we could have lots of organizations and lots of domains on the same server. We should just follow the logic of setup. We set up a domain/organization on a server - make the server the top of the tree.
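One way to write the server-rooted layout ivoks proposes as LDIF, combined with the ou=People/ou=Groups pair that user and group management needs. This is an added example, not part of the blueprint or any commenter's text; the server name ldap1, the organizations, the user jdoe and all numeric ids are constructed placeholders.

```ldif
# Added example: server-rooted DIT (o=<server name> at the top, one
# organization per hosted company below it). All names are constructed.
# The slapd suffix must be set to o=ldap1 before loading, e.g.:
#   ldapadd -x -D "cn=admin,o=ldap1" -W -f dit.ldif
dn: o=ldap1
objectClass: top
objectClass: organization
o: ldap1
description: Top of the tree; named after the server, not a company or domain

# First hosted organization
dn: o=Example Ltd,o=ldap1
objectClass: top
objectClass: organization
o: Example Ltd

# Client base DNs for this organization: ou=People for passwd-style
# entries, ou=Groups for group-style entries
dn: ou=People,o=Example Ltd,o=ldap1
objectClass: top
objectClass: organizationalUnit
ou: People

dn: ou=Groups,o=Example Ltd,o=ldap1
objectClass: top
objectClass: organizationalUnit
ou: Groups

# A POSIX user; userPassword is deliberately left out, set it after
# import with ldappasswd so no hash is stored in the LDIF file
dn: uid=jdoe,ou=People,o=Example Ltd,o=ldap1
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash

# Matching private group for the user
dn: cn=jdoe,ou=Groups,o=Example Ltd,o=ldap1
objectClass: top
objectClass: posixGroup
cn: jdoe
gidNumber: 10001
memberUid: jdoe

# A second organization on the same server, showing that nothing about
# the layout ties the tree to one company or one DNS domain
dn: o=Another Co,o=ldap1
objectClass: top
objectClass: organization
o: Another Co
```

Each organization gets its own People/Groups subtrees, so clients point their search base at the organization they belong to rather than at the server root.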

2009-04-29 ro: The implementation of a directory server is essential for Linux business adoption of all sizes - from small to medium to large enterprises. In the year 2009, central authentication should be available out-of-the-box, especially for a distribution that wants to conquer the (corporate) desktops and servers. There are a few good implementations out there (Mandriva Directory Server, eBox) which might inspire the work to be done in Ubuntu. An equivalent to Group Policies is important too, but out of the scope for this spec. However, an LDAP directory server is the foundation of all the other services built on top of it, so let's try to get it ready for 9.10.

2009-04-30 ro: If you like to think in larger scales, have a look at FreeIPA [http://freeipa.org/page/Main_Page]. It is an implementation by Red Hat/Fedora which provides exactly what is proposed here plus many things more. So not only centralized user/group authentication and management, but also e.g. Group Policies and Single Sign-on. The nice thing is, one of its main focuses is on usability and ease of administration in conjunction with flexibility. Isn't that what we sorely afflicted admins have been waiting for all the time? Btw, Bug #259547 ([needs-packaging] FreeIPA) covers exactly this.

2009-04-30 jpugh: The entire reason for a "directory" is to organize around your network. I disagree with ivoks' view of having dc=server, as this setup would create unnecessary traversal for trivial items. The logical setup is to allow a new directory installation to set up its own DIT the way they want to vs dictating what Ubuntu thinks they need. Recommendations are ok, and the standard since LDAP came on the horizon in the mid-90s has not changed much because it works. Keep it simple, because any relatively knowledgeable directory administrator will change it to suit the business. What is needed is a default schema discussion, as the schema will dictate the ease of directory management. Unfortunately OpenLDAP still requires a restart to reset the schema. I vote that we take the FreeIPA DIT and go with it, ensuring that the "directory" enabled applications such as postfix/dovecot/apache all have the appropriate integration ready as well.

