1 schema to BIND them all?
Hi all,
Currently my environment (is a mess and) uses a combination of flat
files (DNS, DHCP), Hesiod records, and a mishmash of other things
to keep track of hosts and host-related data (MAC addrs, IPs, names,
etc) and user accounts, groups, and the like.
I'd like to centralize everything into LDAP. I do NOT want to
actually replace BIND with LDAP, rather, use LDAP as the centralized
repository for the canonical information from which I can create the
BIND zone files.
My envisioned LDAP hierarchy looks like this:
/
+-- people
|   +-- users     -> <users>
|   +-- groups    -> <groups>
+-- netgroups
|   +-- people    -> client, server, ops, depl, support, techwrit, hr, fin, mgmnt, mktg
|   +-- systems   -> qa, servers, desktops, lab, prod, dmz
+-- sys
    +-- networks
    +-- hosts
Does this look reasonable?
My entries would look something like:
# basic user entry
dn: uid=<uid>,ou=users,ou=people,dc=foo,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
# this works if you change the definition to AUXILIARY, from STRUCTURAL
objectClass: nisNetgroup
uid:
loginShell:
uidNumber:
gidNumber:
homeDirectory:
gecos: <gecos>
cn:
sn:
givenName:
employeeNumber:
mail: <company e-mail address>
otherMailbox: <non-company e-mail address>
telephoneNumber:
homePhone:
mobile:
pager:
fax:
manager: <dn of manager>
memberNisNetgroup: <dn of 1st netgroup of which user is a member>
memberNisNetgroup: <dn of Nth netgroup of which user is a member>

# basic host entry
dn: cn=<hostname>,ou=hosts,ou=systems,dc=foo,dc=com
objectClass: ipHost
objectClass: ipNetwork
objectClass: ieee802Device
objectClass: nisNetgroup
cn: <alias>
cn: <FQDN>
ipHostNumber: <ip addr>
ipNetworkNumber:
ipNetmaskNumber:
memberNisNetgroup: <dn of 1st netgroup of which this host is a member>
memberNisNetgroup: <dn of Nth netgroup of which this host is a member>

# basic netgroup entry (systems)
dn: cn=<netgroup name>,ou=systems,ou=netgroups,dc=foo,dc=com
objectClass: nisMap
objectClass: nisNetgroup
cn: <netgroup name>
nisMapName: netgroup
memberNisNetgroup: <dn of 1st hostname which is a member>
memberNisNetgroup: <dn of Nth hostname which is a member>

# basic netgroup entry (people)
dn: cn=<netgroup name>,ou=people,ou=netgroups,dc=foo,dc=com
objectClass: nisMap
objectClass: nisNetgroup
cn: <netgroup name>
nisMapName: netgroup
memberNisNetgroup: <dn of 1st user which is a member>
memberNisNetgroup: <dn of Nth user which is a member>
Notice that I'm cross-referencing between individual host and user
entries and netgroup entries. This same cross-referencing would also
exist for groups. Is this too much? Is it worth the
cross-referencing from a data-management perspective?
Also, looking at the 'user' entries, I wanted to be able to
differentiate between the company e-mail/phone and non-work e-mail/
phone. However, I can't seem to find a ready-made way to do that for
e-mail.
There exist attributes for 'telephoneNumber', 'homePhone', 'mobile',
'pager', and 'fax', but only one attribute for 'mail'.
The 'otherMailbox' attribute, at first glance, appeared to be what I
wanted, but in reality seems not to be intended for use as an
'rfc822Mailbox'-style attribute.
I was really hoping to avoid having to roll my own schema definition.
Is anyone else doing this? If so, did you create your own schema, or
use combinations of those which ship with OpenLDAP?
Thanks,
--
Seeya,
Paul
GPG Key fingerprint = 1660 FECC 5D21 D286 F853 E808 BB07 9239 53F1 28EE
If you're not having fun, you're not doing it right!
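As an added example (not part of Paul's post or of OpenLDAP), a small Python script that reads host entries in the LDIF layout proposed above and emits BIND A records from them, rejecting any entry whose ipHostNumber or cn is not a valid address or hostname. The sample LDIF, the zone name foo.com and the function names are assumptions.

```python
import ipaddress
import re
# Constructed sample LDIF in the hosts branch proposed above (made-up values).
SAMPLE_LDIF = """\
dn: cn=web1,ou=hosts,ou=systems,dc=foo,dc=com
objectClass: ipHost
cn: www
cn: web1.foo.com
ipHostNumber: 192.0.2.10

dn: cn=bad host,ou=hosts,ou=systems,dc=foo,dc=com
objectClass: ipHost
cn: bad host
ipHostNumber: 192.0.2.11
"""
# One DNS label: letters, digits, inner hyphens only, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def parse_ldif(text):
    """Minimal LDIF reader: one 'attr: value' per line, entries separated by a
    blank line; comments, continuation lines and base64 ('::') values are skipped."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not attr.endswith(":") and not line.startswith(("#", " ")):
                entry.setdefault(attr, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def zone_records(entries, zone):
    """Return (A records relative to `zone`, rejected DNs) for ipHost entries;
    address and names are validated so a bad directory value never reaches the zone."""
    records, rejected, suffix = [], [], "." + zone
    for e in entries:
        if "ipHost" not in e.get("objectClass", []):
            continue
        try:
            addr = ipaddress.IPv4Address(e["ipHostNumber"][0])
        except (KeyError, ValueError):
            rejected.append(e["dn"][0])
            continue
        for name in e.get("cn", []):
            label = name[: -len(suffix)] if name.endswith(suffix) else name
            if not all(LABEL_RE.match(p) for p in label.split(".")):
                rejected.append(e["dn"][0])
                break
            records.append(f"{label}\tIN\tA\t{addr}")
    return records, rejected
```

Run against a real directory, the same validation would sit between the LDAP search and the zone file write, and rejected DNs are the entries to fix in LDAP rather than in the generated zone.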