[Date Prev][Date Next] [Chronological] [Thread] [Top]

Newbie conceptual issues (long)



Hi All-

I'm a newbie to LDAP and OpenLDAP, but I've read the 
faq, searched (and browsed) the archives, searched 
Google, etc, so please don't flame me.

I'm having a difficult time understanding some of the 
conceptual basics with designing and creating a 
Directory namespace, creating the Directory database 
itself, adding branches to it, etc.

Just so you know where I'm at and what I've read:
Server OS: SuSE 9 (i386)
OpenLDAP version: 2.1.22-73 (from SuSE rpm)
 (properly configured to do authentication of rootdn
  against KDC via SASL/GSSAPI)
Running MIT Kerberos 5, v1.3.1 (built from source)
Running OpenAFS 1.2.11 (built from source)
Running Cyrus SASL 2.1.15-65 and associated plugins
 (from SuSE rpm)

I've read the relevant portions of:
LDAP System Administration (ORA, 2003) by Gerald Carter
SuSE 9 Administration Guide
OpenLDAP FAQ-O-Matic
http://www.bayour.com/LDAPv3-HOWTO.html#4.4.2.Installing%20Cyrus%20SASL%7Coutline
(OpenLDAP, OpenSSL, SASL and KerberosV HOWTO)
RFC 2849
man 5 ldif
OpenLDAP 2.2 Admininstrator's Guide (including, but not
 limited to the Quick-Start Guide

The difficulty that I'm having is with creating (and 
really understanding what I'm doing) the database by 
adding entries, and figuring out how to write LDIF 
files that accomplish that goal.

My ultimate goal is to do something along the lines of 
what Turbo did in his HOWTO and adding support for 
OpenAFS as well, but right now I'm just trying to 
understand some of the basics.

For example, my ORA book describes setting up a very 
simple namespace (am I using that word correctly 
here?) like so:

[dc=plainjoe,dc=org]
	|
	|
	|
	|
   [ou=people]
       /|\
      / | \
     /  |  \
    /   |   \
[Employee Contact Information]

They claim that ldapadd'ing the following LDIF file 
does so.

======================
## Build the root node.
dn: dc=plainjoe,dc=org
dc: plainjoe
objectClass: dcObject
objectClass: organizationalUnit
ou: PlainJoe Dot Org

## Build the people ou.
dn: ou=people,dc=plainjoe,dc=org
ou: people
objectClass: organizationalUnit
======================

I did this without error and I think I understand what 
this did.  It created, just below the top (or root) 
node (dc=plainjoe,dc=org), an empty node (ou=people) 
that is for containing people nodes (cn=Gerald 
Carter).

Later, the book describes a namespace that looks like 
this (please pardon my ascii art):

	[dc=plainjoe,dc=org]
	|	|	|
	|	|	|
    [ou=group]	|    [ou=services]
      /|	|		|\
     / |   [ou=people]		| \
    /  |           /|\		|  \
   /   |          / | \		|   \
[admin	    ]    /  |  \	[application data]
[groups &   ]   /   |   \
[posixGroups]  /    |    \
              /     |     \
	[Employee Contact Information]

But the author does not describe exactly how he created 
it in the form of LDIF files.  I suppose I should 
already know that by extension of the first example, 
but I don't... call me dumb...

I have this feeling that my Directory will need, just 
below the root or top node, something similar to the 
namespace depicted above.

Well, I populated the (formerly empty) container node 
(ou=people) with two people using LDIF files like 
this:

==========================
## LDIF entry for "Maria M. Asciolla"
dn: cn=Joe M. Blow,ou=people,dc=plainjoe,dc=org
cn: Joe M. Blow
sn: Blow
mail: joe@plainjoe.org
departmentNumber: Management
pager: 222-555-6789
objectclass: inetOrgPerson
==========================

That worked fine, and I see that for an objectclass of 
inetOrgPerson, there are no required attributes.

But in trying to add the other two first-level nodes, I 
got hung up in required attributes (I figured that 
objectclass should be posixGroup and posixAccount 
and ... not sure what type objectclass for the 
[services] node depicted) in my LDIF files.  Through 
trial and error, I successfully added three other 
first-level nodes, but are they container nodes?  It 
seems that they are not.

I ldapadd'ed this LDIF file:
==========================
dn: cn=Manager,dc=plainjoe,dc=org
cn: Manager
objectClass: organizationalRole
==========================

And learned that cn was a required attribute for the 
organizationalRole object class.  How would I use this 
anyway?  Connections between the people nodes and the 
organizationalRole nodes?  Like a linked relational 
database or something?

But this doesn't seem to be a container node like my 
original [ou=people] first-level node.  How would I 
make it one (presuming that I would want to do so, 
which I'm not sure if I do or not---I read a sidebar 
in my book about the pros and cons of wide and shallow 
or deep and narrow Directories).

Then I ldapadd'ed this LDIF file:
==========================
dn: cn=Group,dc=plainjoe,dc=org
cn: Group
gidNumber: 1000
objectClass: posixGroup
description: The first group in the list
==========================

And learned that cn and gidNumber are both required 
attributes for the posixGroup object class (which is 
described in the nis.schema file as "Abstraction of a 
group of accounts").

Again, this doesn't seem like a container node.  Should 
it be?

Then I ldapadd'ed this LDIF file:
==========================
dn: cn=Account,dc=plainjoe,dc=org
cn: Account
ou: Account
uid: adam
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/adam
objectClass: organizationalUnit
objectClass: posixAccount
description: This is the first user
gecos: Adam Selene
==========================

And learned about the required attributes of the 
posixAccount objectclass, but also learned about the 
requirement of some object classes to have a 
structural object class (which is why I added the 
organizationalUnit class), but I feel like I'm missing 
some important understanding.

For example:
1) what are the structural classes?  I know they're all 
defined in the *.schema files, but is there an easy 
way to list them all?

2) And what makes it a structural class as opposed to 
an auxiliary or abstract class?

3) And just how many objectClasses can a node in the 
Directory have?

4) Am I just glomming the attributes of each object 
class together to make a node that is some sort of 
superset of both object classes?

5) If so, then I guess I should just choose the object 
classes I need (based on the attributes I'll need) to 
create the type of node that I want (ultimately, 
something to represent all the characteristics of a 
user on a network: uid, OpenAFS UID, Kerberos 
principal, home directory, etc. etc. etc.).  Is that 
right?

6) If both posixAccount and posixGroup object classes 
are abstract, then why didn't I need a structural 
class for posixGroup?

I guess I'm just feeling like I have an infinite range 
of options (which I'm sure is a good thing, once I 
understand more) and no real idea what direction to go 
and how to learn some more of the basics.  The RFC was 
too specific for my understanding, the book (I think) 
should have had more examples for my understanding, 
and explanation about why you might want to do this or 
that.  The other docs don't seem to address the 
hole(s) that I feel like I have in my understanding.

To be honest though, I think that just through 
composing this long post, I understand the issues alot 
better than I did before composing it, but I still 
feel like I'm missing some important things.  Can 
anyone recommend a good document or two to read to 
help me get past that initial stage in learning about 
LDAP?

If you've read this far, then I thank you and apologize 
for the length of this post.  I'm torn on whether to 
send it because I do understand some things better 
now, but still think that a little helping hand would 
probably do wonders for me.

Thanks for being patient.

-Kevin