LDAPInstallationManual

Overview

To get an LDAP backend for OPS you need to take the steps described below. It is entirely possible that your company already uses LDAP, in which case you can skip at least some of these steps:
  1. get and install LDAP (make sure it has a back-hdb backend)
  2. add the OPS schema to the backend
  3. configure LDAP: add the organisational units and entries used by OPS (see OpsLDAPLayout)
  4. fill LDAP: users, admins and former employees, as well as calendars and timesheets for each user (see OpsLDAPLayout)

Installation Instructions (including adding the OPS schema)

To run OPS you need LDAP with a back-hdb backend. For detailed instructions on how to install and configure LDAP see http://en.tldp.org/HOWTO/LDAP-HOWTO/. Brief instructions on how to get it going on Debian:
  • apt-get install slapd
  • fill in the domain name, LDAP root and admin password when prompted
  • edit /etc/ldap/slapd.conf as detailed below

slapd.conf

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/ops.schema
include         /etc/ldap/schema/authldap.schema
Here we've added ops.schema to the list; it defines the object classes and attributes specific to OPS. The schema can be downloaded from the project page and must be placed in /etc/ldap/schema/. The other schemas are also needed, not only by OPS but for things like authentication.

# TLS options
TLSCipherSuite          ALL
TLSCACertificateFile    /etc/ldap/cert/yourCAcertfile.pem
TLSCertificateFile      /etc/ldap/cert/yourcertfile.pem
TLSCertificateKeyFile   /etc/ldap/cert/yourkeyfile.pem

password-hash   {SSHA}
security tls=128
Always use TLS, so that credentials and directory data are never sent in the clear.
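The password-hash {SSHA} directive above tells slapd how to store passwords that are set through the Password Modify extended operation (for example with ldappasswd). A userPassword value written directly with ldapadd or ldapmodify is stored exactly as given, so values in an LDIF you import must already be in {SSHA} form. The following added example (not part of OPS or OpenLDAP) generates and verifies that form and audits a constructed LDIF for cleartext passwords; the DNs and passwords in it are made up for illustration.

```python
"""Generate, verify and audit {SSHA} userPassword values (added example, not
from OPS or OpenLDAP). {SSHA} is base64(sha1(password + salt) + salt)."""

import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
DIGEST_LEN = 20  # SHA-1 digest size; the salt is whatever follows the digest


def ssha_hash(password, salt=None):
    """Return '{SSHA}' + base64(sha1(password + salt) + salt); fresh 4-byte salt if none given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_parse(stored):
    """Split a stored {SSHA} value into (digest, salt); ValueError if malformed."""
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(raw) <= DIGEST_LEN:
        raise ValueError("value too short to contain a salt")
    return raw[:DIGEST_LEN], raw[DIGEST_LEN:]


def ssha_verify(password, stored):
    """Constant-time check of a candidate password against a stored {SSHA} value."""
    try:
        digest, salt = ssha_parse(stored)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def is_hashed(value):
    """True if a userPassword value carries a {SCHEME} prefix, i.e. is not cleartext."""
    return value.startswith("{") and "}" in value[1:]


def audit_ldif_passwords(ldif_text):
    """Return the DNs in an LDIF whose userPassword is stored in cleartext.
    Only the plain 'userPassword: ' form is inspected, not base64 'userPassword:: '."""
    cleartext, current_dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            current_dn = line[4:].strip()
        elif line.startswith("userPassword: ") and not is_hashed(line[14:].strip()):
            cleartext.append(current_dn)
    return cleartext


# Constructed sample LDIF: alice's password is hashed, bob's is cleartext.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=Users,dc=yourdomain,dc=tld\n"
    "userPassword: " + ssha_hash("alice-secret", b"\x01\x02\x03\x04") + "\n"
    "\n"
    "dn: uid=bob,ou=Users,dc=yourdomain,dc=tld\n"
    "userPassword: bob-secret\n"
)

if __name__ == "__main__":
    print(ssha_hash("alice-secret"))
    print("cleartext passwords found for:", audit_ldif_passwords(SAMPLE_LDIF))
```

Run the audit over an LDIF before importing it; any DN it lists should have its userPassword replaced by the output of ssha_hash.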

In the following, replace yourdomain.tld by your own domain, e.g. openprojectservices.org becomes dc=openprojectservices,dc=org.


access to attrs=userPassword
        by dn="cn=admin,dc=yourdomain,dc=tld" write
        by anonymous auth
        by self write
        by * none


access to dn.base="" by * read
This makes sure that anyone can authenticate, and that only the owner and the admin can change passwords. The last line is important for correct operation of SASL.
access to *
        by dn="cn=admin,dc=yourdomain,dc=tld" write
        by dn="uid=auth,ou=Users,dc=yourdomain,dc=tld" read
        by users read
        by * none

Only admin can change everything. The 'uid=auth' user is used for IMAP. To use the Timesheet archive functions you need a user that can change things (the lastarchiverun attribute, to be precise). It is possible to do the archiving as admin, but you can also add a user with write privileges like so:

        by dn="uid=username,ou=Users,dc=yourdomain,dc=tld" write
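slapd evaluates access directives in file order: the first "access to" whose target matches the request is selected, and within it the first "by" clause that matches the requester decides the level; later directives are never consulted. The added example below (not part of OPS or OpenLDAP) models that evaluation over the directives from this page, so you can check what each kind of requester ends up with and see what happens if "access to *" is accidentally placed first. It assumes a `dn=` clause with no style means exact match (slapd's default) and compares DNs as exact strings, which is stricter than slapd's normalised comparison; the user DNs are constructed.

```python
"""Simulate OpenLDAP's first-match ACL evaluation over this page's directives
(added example, not OPS or OpenLDAP code)."""

# Privilege levels in increasing order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed suffix matching the placeholders used in this page's slapd.conf.
BASE = "dc=yourdomain,dc=tld"
ADMIN = "cn=admin," + BASE
AUTH_USER = "uid=auth,ou=Users," + BASE

# The page's directives, in file order: (<what>, [(<who>, <access>), ...]).
ACL = [
    ({"attrs": "userPassword"},
     [("dn:" + ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"dn.base": ""},
     [("*", "read")]),
    ({"*": None},
     [("dn:" + ADMIN, "write"), ("dn:" + AUTH_USER, "read"), ("users", "read"), ("*", "none")]),
]

# The same clauses with "access to *" moved to the top, to show why order matters.
MISORDERED_ACL = [ACL[2], ACL[0], ACL[1]]


def what_matches(what, target_dn, attr):
    """Does this <what> selector cover the requested entry/attribute?"""
    if "*" in what:
        return True
    if "attrs" in what:
        return attr == what["attrs"]
    if "dn.base" in what:
        return target_dn == what["dn.base"]
    return False


def who_matches(who, requester_dn, target_dn):
    """Does this <who> clause describe the requester (None means anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who.startswith("dn:"):
        return requester_dn == who[3:]  # exact string match (hypothetical simplification)
    raise ValueError("unsupported <who> clause: " + who)


def granted_level(requester_dn, target_dn, attr, acl=ACL):
    """Level slapd would grant: first matching directive, first matching by-clause in it."""
    for what, by_clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # directive selected but no <by> clause matched: denied
    return "none"      # no directive matched (unreachable here: "access to *" catches all)


def allowed(requester_dn, target_dn, attr, needed, acl=ACL):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(requester_dn, target_dn, attr, acl)) >= LEVELS.index(needed)


def hashes_exposed(acl, user_dns):
    """Audit check: pairs (reader, target) where one user can read another's userPassword."""
    return [(r, t) for r in user_dns for t in user_dns
            if r != t and allowed(r, t, "userPassword", "read", acl)]


if __name__ == "__main__":
    alice = "uid=alice,ou=Users," + BASE
    bob = "uid=bob,ou=Users," + BASE
    print("anonymous may bind as alice:", allowed(None, alice, "userPassword", "auth"))
    print("bob may read alice's hash:  ", allowed(bob, alice, "userPassword", "read"))
    print("misordered ACL leaks hashes:", hashes_exposed(MISORDERED_ACL, [alice, bob]))
```

With the page's ordering, anonymous clients get exactly "auth" on userPassword (enough to bind, not to read), users can read everything else, and hashes_exposed returns nothing. With "access to *" first, every authenticated user can read every other user's hash and anonymous binds stop working, because "by * none" in that directive wins before the userPassword directive is ever reached.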

-- IvoVanDongen - 14 Oct 2005

Topic revision: r12 - 20 Jan 2009 - 08:48:29 - IvanaCace
Users.LDAPInstallationManual moved from Users.LDAPUserManual on 19 Jan 2009 - 17:05 by IvanaCace
