Michael Oberg - Freelance IT Consultant and Software Developer


LDAP

The core of the myLinux server is OpenLDAP. This directory service serves the following purposes:

Address book

  • automatically produced entries for all users
  • external contacts

Every mail client with LDAP support (for example Microsoft Outlook, Outlook Express, Lotus Notes, Netscape Messenger, Eudora, Pegasus, KMail, Ximian Evolution, ...) can at least use the email addresses stored in LDAP and search by surname/first name; many can also query further data (telephone numbers, addresses etc., up to links between entries such as "manager" and "coworkers"). The LDAP system was optimized for Microsoft Outlook (see schemas).

In addition, the directory contents can be downloaded as an HTML table and/or a Microsoft Excel sheet through a CGI script (ldap2html.pl). The same script can also serve as the data source of a "Web Query" in Microsoft Excel or Microsoft Access.

Authentication

  • UNIX (ssh, su, login via pam_ldap)
  • Sending mail (sendmail via pam_ldap)
  • Receiving mail (Cyrus IMAPD via saslauthd/PAM/pam_ldap)
  • Web services (Apache via mod_auth_pam)
  • Windows domain logons / Windows file services (Samba, with a separate password entry in LDAP that a script of the myLinux user manager keeps synchronized with the password entry used by the other services)

Access Rights

  • Membership in UNIX groups (via nss_ldap)
  • Use of these groups in web services (Apache via mod_auth_pam/mod_auth_sys_group)

Email Configuration

  • Mapping of email aliases to users
  • Multiple domains with virtual users
  • Multiple mail servers (cluster)

See also sendmail.

Dedicated Access to LDAP

By default, access is divided into three classes:

  • The LDAP administrator, authenticated by the root password entry (rootpw) in /etc/openldap/slapd.conf - full access to all LDAP components
  • Members of the LDAP Admins group have write access to the LDAP groups (here LDAP Admins and DATA Maintain) and to the UNIX groups, so they can grant and revoke permissions by adding or removing group members
  • Members of the DATA Maintain group have write access to all external contacts, including deleting them and adding new ones. They also have write access to the non-critical data of system users (telephone numbers, addresses etc.)
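
The three access classes above, written out as OpenLDAP slapd.conf directives. This is an added illustration, not the myLinux project's own slapd.conf (which is documented on its own page); it assumes OpenLDAP 2.1 or later ACL syntax, a suffix of dc=example,dc=com, system users under ou=People, external contacts under ou=Contacts, and both privilege groups stored as groupOfNames objects under ou=Groups. The attribute list for the "non-critical data" is likewise an assumption. slapd selects the first "access to" clause whose target matches the requested entry and attribute, so the specific rules must come before the catch-all.

```conf
# Added example: the three access classes as slapd.conf ACLs (assumed DNs).
# Suffix dc=example,dc=com, users in ou=People, external contacts in
# ou=Contacts, privilege groups (groupOfNames/member) in ou=Groups.

suffix          "dc=example,dc=com"

# Class 1: the LDAP administrator. The rootdn bypasses all ACLs and therefore
# has full access to everything. Generate the hash with: slappasswd -h {SSHA}
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          "{SSHA}<paste the output of slappasswd here>"

# Password hashes: the owner may change his own, everybody else may only use
# the attribute to bind (auth), nobody may read it. Keep this rule first:
# clauses are tried in order and the first matching "access to" wins.
# The separate Samba password attributes need an equivalent rule that is
# readable only by the DN Samba binds with; their names depend on the Samba
# version and are left out here.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Class 2: LDAP Admins manage the membership of the LDAP groups (LDAP Admins,
# DATA Maintain) and of the UNIX (posixGroup) groups, all kept in ou=Groups.
# Authenticated users may read them (nss_ldap needs that).
access to dn.children="ou=Groups,dc=example,dc=com"
        by group="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write
        by users read
        by * none

# Class 3a: DATA Maintain may modify external contacts. Adding or deleting an
# entry additionally requires write access to the parent's "children"
# pseudo-attribute (OpenLDAP 2.1+), granted by the second clause.
access to dn.children="ou=Contacts,dc=example,dc=com"
        by group="cn=DATA Maintain,ou=Groups,dc=example,dc=com" write
        by users read
        by * none

access to dn.exact="ou=Contacts,dc=example,dc=com" attrs=children
        by group="cn=DATA Maintain,ou=Groups,dc=example,dc=com" write
        by * none

# Class 3b: on system users only the non-critical address-book attributes are
# writable for DATA Maintain (and for the user himself). uid, uidNumber,
# gidNumber, homeDirectory, loginShell and mail are deliberately NOT in this
# list, so they fall through to the read-only catch-all below.
access to dn.children="ou=People,dc=example,dc=com"
        attrs=telephoneNumber,facsimileTelephoneNumber,mobile,pager,postalAddress,street,l,postalCode,st,title,description
        by self write
        by group="cn=DATA Maintain,ou=Groups,dc=example,dc=com" write
        by users read
        by * none

# Everything else: readable by authenticated users (mail clients, pam_ldap,
# nss_ldap), writable by nobody but the rootdn. Mail clients that bind
# anonymously would need "by anonymous read" here; that exposes the whole
# address book to the network, so decide it consciously.
access to *
        by users read
        by * none
```

All readers in this example are assumed to bind with a DN (for nss_ldap and pam_ldap that means binddn/bindpw in ldap.conf); where a service binds anonymously, the "by users read" on the attributes it needs has to become "by anonymous read". After editing, check the result with slaptest before restarting slapd, and verify each class from the command line with ldapmodify as a member of the respective group: an LDAP Admins member must be able to add a member to cn=DATA Maintain but not to change a user's uidNumber, and a DATA Maintain member must be able to add a contact but not to touch ou=Groups.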

See also slapd.conf.

Administration of LDAP entries is possible by using the LDAP-Explorer.