---
layout: post
status: PUBLISHED
published: true
title: The ASF LDAP system
id: d213da57-c1f8-4736-9c14-1b99765b974b
date: '2010-02-22 22:17:39 -0500'
categories: infra
tags:
- documentation
- services
- ldap
permalink: infra/entry/the_asf_ldap_system
---
<p>When we decided some time ago to start using LDAP for auth{n,z}, we had to come up with a sane structure; this is what we have so far.</p>
<pre>
dc=apache,dc=org
|--- ou=people,dc=apache,dc=org
|--- ou=groups,dc=apache,dc=org
     |--- ou=people,ou=groups,dc=apache,dc=org
     |--- ou=committees,ou=groups,dc=apache,dc=org
</pre>
<p>There are also other OUs that contain infrastructure-related objects.</p>
<p>So with "dc=apache,dc=org" being our base DN, we decided we needed to keep the structure as simple as possible and placed the following objects in the respective OUs:</p>
<ul>
<li>User accounts - "ou=people,dc=apache,dc=org"</li>
<li>POSIX groups - "ou=groups,dc=apache,dc=org"</li>
<li>User groups - "ou=people,ou=groups,dc=apache,dc=org"</li>
<li>PMC/Committee groups - "ou=committees,ou=groups,dc=apache,dc=org"</li>
</ul>
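<p>As an added illustration (not part of the original post and not the ASF infrastructure's own tooling), the following Python script parses a constructed LDIF export and checks that each entry sits in the OU the list above assigns to its object type, and that group memberships resolve to real account entries. The post does not name the object classes, so the mapping it uses (accounts are posixAccount/inetOrgPerson, POSIX groups are posixGroup, user and committee groups are groupOfNames) and the sample entries are this example's assumptions.</p>

```python
"""Check that entries in an LDIF export sit in the OU the layout assigns them.

Constructed example. Assumed object classes (not stated in the post):
accounts -> posixAccount, POSIX groups -> posixGroup,
user groups and committee groups -> groupOfNames.
"""
import base64
from collections import defaultdict

BASE_DN = "dc=apache,dc=org"

# OU each object class must sit directly beneath, following the post's layout.
PLACEMENT = {
    "posixaccount": {f"ou=people,{BASE_DN}"},
    "posixgroup": {f"ou=groups,{BASE_DN}"},
    "groupofnames": {f"ou=people,ou=groups,{BASE_DN}",
                     f"ou=committees,ou=groups,{BASE_DN}"},
}

# Constructed sample export: three conforming entries, a committee group with a
# dangling member reference, and an account filed under the wrong OU.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=apache,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn:: SmFuZSBEb2U=
gidNumber: 5000

dn: cn=committers,ou=groups,dc=apache,dc=org
objectClass: posixGroup
cn: committers
gidNumber: 5000
memberUid: jdoe
description: Everyone with write
  access to the source tree

dn: cn=httpd,ou=people,ou=groups,dc=apache,dc=org
objectClass: groupOfNames
cn: httpd
member: uid=jdoe,ou=people,dc=apache,dc=org

dn: cn=httpd,ou=committees,ou=groups,dc=apache,dc=org
objectClass: groupOfNames
cn: httpd
member: uid=jdoe,ou=people,dc=apache,dc=org
member: uid=ghost,ou=people,dc=apache,dc=org

dn: uid=stray,ou=groups,dc=apache,dc=org
objectClass: inetOrgPerson
objectClass: posixAccount
uid: stray
cn: Stray Account
"""


def parse_ldif(text):
    """Minimal LDIF parser: returns [(dn, {attr_lower: [values]}), ...].

    Handles folded lines (leading space) and base64 values ("attr:: ...");
    change records and URL-valued attributes are not supported.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()       # attribute names are case-insensitive
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    return entries


def parent_dn(dn):
    """Parent of a DN. Naive split: assumes no escaped commas in RDN values."""
    parts = dn.split(",", 1)
    return parts[1].strip().lower() if len(parts) == 2 else ""


def check_layout(entries):
    """Return a list of problems; an empty list means the export conforms."""
    problems = []
    account_dns, account_uids = set(), set()
    for dn, attrs in entries:
        if "posixaccount" in {c.lower() for c in attrs.get("objectclass", [])}:
            account_dns.add(dn.lower())
            account_uids.update(attrs.get("uid", []))
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        parent = parent_dn(dn)
        for oc, allowed in PLACEMENT.items():
            if oc in classes and parent not in allowed:
                problems.append(f"{dn}: {oc} entry must be under "
                                + " or ".join(sorted(allowed)))
        # Membership references must resolve to real account entries.
        for member in attrs.get("member", []):
            if member.lower() not in account_dns:
                problems.append(f"{dn}: member {member} is not an account entry")
        for uid in attrs.get("memberuid", []):
            if uid not in account_uids:
                problems.append(f"{dn}: memberUid {uid} matches no posixAccount")
    return problems


if __name__ == "__main__":
    for problem in check_layout(parse_ldif(SAMPLE_LDIF)):
        print(problem)
```

<p>Run against the constructed sample, the script reports the dangling <code>uid=ghost</code> member on the committee group and the account that was created under <code>ou=groups</code> instead of <code>ou=people</code>; on a real export (for example the output of <code>ldapsearch -LLL</code>) it gives a quick audit that nothing has drifted out of the layout.</p>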
<p>Access to the LDAP infrastructure is restricted at the connection level to hosts within our co-location sites. This is essentially to help prevent unauthorised data leaving our network.</p>