UDS Maverick: Call for Blueprints for Ubuntu Server

Veli-Matti Lintu veli-matti.lintu at opinsys.fi
Wed Apr 28 19:38:41 UTC 2010

ke, 2010-04-28 kello 14:32 -0300, Andreas Hasenack kirjoitti:

> Having said that, I would certainly be interested in problems with my
> DIT and phpldapadmin or any other tool out there. I can think of one
> already which might break stuff out there, and that is the choosing of
> groups I made which follows RFC2307bis, and not RFC2307. Not all tools
> can cope with that (like smbldaptools, although it's trivial to fix it).

Lately I've been involved in creating OpenLDAP DIT for schools running
on Lucid and one thing that I've been wondering is whether it would be
possible to define one standard structure for Ubuntu that all tools
would be configured to use by default. That wouldn't take away the
possibility of configuring everything differently, but all tools and
tutorials would follow this one model.

Out of curiosity I checked what the defaults are in different systems.
If I got things written down correctly, the different default structures
I could find were:

Hardy slapd package init script and OpenDS:
* ou=People
* ou=Groups

* ou=Users
* ou=Groups
* ou=Computers
* ou=Idmap

openldap-dit and openldap-mandriva-dit are based on RFC2307bis:
* ou=People
* ou=Group
* ou=Hosts
* ou=System Accounts
* ou=System Groups
* ou=Kerberos Realms
* ou=Idmap
* ou=Address Book

Fedora / FreeIPA uses something completely different:
* cn=users,cn=accounts
* cn=groups,cn=accounts
* cn=computers,cn=accounts
* cn=services,cn=accounts
* cn=account inactivation,cn=accounts
* cn=Kerberos

Now different tools have different defaults and tutorials use randomly
some names that probably confuse many people.

Having one standard DIT that is installed by default would help a lot
with external applications that are not packaged for Ubuntu. For example
Moodle that is used in schools can use LDAP, but it needs to be
configured properly. Writing a guide for that gets a lot easier if
standard structure is available.

> In fact, one of the things we talked about in the past UDSs, and which
> was done on the slapd package, is to make it so that other packages
> could hook into slapd and fill it with their schema and trees. This is
> possible because of the LDAPI authentication we have in place, which
> maps root (unix id 0) to the ldap admin, so any client that runs as root
> and connects to the LDAPI socket will be the ldap admin. Thus a package
> would be able to, say, inspect the existing schema, upload its own, etc.
> Think about that pdns-backend-ldap package asking in its postinst
> permission to configure the locally running ldap server for its needs,
> for example (with the default answer being "no, don't do that").

> While some (most?) seasoned ldap admins would run away crying just by
> the thought of that, surely LDAP newbies would appreciate it.

As I wasn't aware of openldap-dit until recently, I've been working on a
script to initialise slapd w/ssl and mit kerberos. The idea is that the
script first checks which schemas and modules are installed and then
adds the missing schemas and modules and configures them. It makes also
possible to dump current configuration and check for common problems
with ssl certificates and such. I try to get it uploaded somewhere soon
so that others can see if it'd be helpful.

Automatically loading the schemas sounds good, but how to configure
overlays and ACLs for everything is something that would probably need
some other solution. E.g. we have some needs for ACLs that probably
don't make sense outside schools, but are needed for us as we have
school districts, schools, superusers, school admins, teachers, pupils,


More information about the ubuntu-server mailing list