
Re: Which schema?



On Wed, Jan 09, 2002 at 03:48:50PM -0600, Tony Bibbs wrote:
> I want to create a *very* simple LDAP database for the users of the
> system.  At a minimum I need to store the userid,username,password and,
> possibly, their email address.
> 
> I'm not really sure if any of the stock schema with OpenLDAP have all
> the fields I need (for NIS one, for example, has most of what I need
> except the password).

Well, the posixAccount objectclass has a userPassword that you can use,
for example. The downside with posixAccount in your case is that you
must also define a cn, gidNumber and homeDirectory for each user.

You would also need another objectclass which includes the mail attribute.

See the /etc/ldap/schema/* files (in Debian at least; the location may vary).

> The password in this instance will not be a valid
> system password, rather, an application-level password. My question is
> should I start with a simple schema of my own for this?

It would be simple to create your own objectclass that contains only
the attributes you need, but you would also need an OID branch to
make the objectclass unique (see earlier discussions on the list).

> Also, are there
> security considerations for storing the password in the LDAP database? 
> My plan was to store an MD5 hash of the user's password.
> 
> Also, if you think I'm going down the wrong path for this let me know. 
> However, based on what I have read, LDAP is a logical solution.

I think that if all you need are those four attributes, maybe it would
be easier to keep it in a relational database (eg. mysql), all in one table.
Maybe even a plain file would suffice?
LDAP seems a bit overkill for this.

Another idea springs to mind: you could turn schema checking off, and
you would not need any objectclasses at all; just use whatever attributes
you feel like. Be sure to be aware of any implications of disabling
schema checking, though.

> --Tony

regards,
 Stefan