I have found plenty of resources/tutorials on installing OpenLDAP on Ubuntu, and I have successfully configured my server (up and running and successfully authenticating). My question relates to how I should set up the schema, as I cannot seem to find any useful resources on this. I am also starting to think I am trying to make LDAP do more than it was intended to do, so please feel free to point this out if that is the case. Here is my scenario:
- 3 servers with various LDAP-capable applications on each (mostly web based)
- 3-5 classes of users (developers, interns, customers, managers, etc.); each class of user requires access to a subset of all the applications
What I had thought to do is to assign each user to some 'role', and then grant application permission to the role rather than the user. That way when I add new users I only have to assign them a role rather than access to individual applications. Also, that way if we added a new app or decided a class of users should have access to some existing application, then it would only require updating the role rather than every user.
Is this something I can/should do with LDAP, or should I be looking at an alternative such as Samba?
You should be able to do what you want using regular groups. Put all your users under ou=People, then map people to groups under ou=Group and teach your apps to look at the membership of the relevant group(s).

I found this article useful: LDAP Tree Design. Womble's remark that you want to put all users under ou=People is one of the points examined.
This is definitely within the expected usage of LDAP. All LDAP-enabled applications should work with group-based access control.
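The ou=People / ou=Group layout with one group per role that both answers above describe, written out as an added LDIF example (not from the original thread). The base DN dc=example,dc=com, the user uid=jdoe, the role name role-developers and the admin DN are assumptions; the membership filter in the comments is what an application would run to decide whether a user holds a role.

```ldif
# Added example, not part of the original answers. Assumed base DN:
# dc=example,dc=com. Load with:
#   ldapadd -x -D cn=admin,dc=example,dc=com -W -f roles.ldif

# Containers: every person under ou=People, every group under ou=Group
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

# One entry per person (assumed user). Never store a cleartext password;
# generate the hash with slappasswd and paste its output here.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT

# One group per role (assumed role name). Applications are granted to the
# role, so adding a user means adding one "member" line here, and granting
# a new application to a class of users means changing the app's
# configured group, not every user entry.
dn: cn=role-developers,ou=Group,dc=example,dc=com
objectClass: groupOfNames
cn: role-developers
description: Developers - wiki, git, ci
member: uid=jdoe,ou=People,dc=example,dc=com

# An application granted to the developer role checks membership with a
# search such as the following (exit status and an empty result mean
# "not a member"):
#   ldapsearch -x -b ou=Group,dc=example,dc=com \
#     "(&(objectClass=groupOfNames)(cn=role-developers)(member=uid=jdoe,ou=People,dc=example,dc=com))" dn
```

Give each application its own read-only bind account for that search rather than the admin DN, so that a compromised application cannot change group membership.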