
how to design the 'correct' ldap schema so I can selectively authenticate against certain services?

I'm playing around with LDAP and I'm trying to set up an ldap server that can be used to authenticate users against the following services:

  • linux login (ubuntu)
  • ssh login
  • apache login
  • mail (postfix & courier)
  • bugzilla
  • wiki
  • ...

I (think) I understand the concept of objectClasses and I know that setting the following objectClasses for my users makes sense:

objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

However, how do I deal with the web applications? Say I want user A to be able to log in to bugzilla, but he shouldn't be able to log in to the wiki? Or certain users should be able to log in to Ubuntu locally, but are not allowed to ssh from remote. Do I solve this with objectClasses or with Group memberships?

Any hints and links to working examples are welcome!


Look at groups. Add the user to the appropriate group if they are allowed to login. Many tools can be configured to require group membership to allow access.

If I remember right, groups can have a list of members, or be added to the individuals. If you have large groups, I would add the group membership data to the individuals.

0
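To make the "one group per service" idea concrete, here is an added example (not code from the question or the answer above): a small LDIF parser plus the authorization check a service performs when it is configured to require group membership. It shows both storage styles the answer mentions, the group carrying a `member` list (`groupOfNames`) and the user carrying `memberOf` values, and a drift check for when both are maintained by hand. The DNs, group names, user entries and the service-to-group mapping are all constructed for the example.

```python
"""Group-based service authorization over LDAP data (added example).

Constructed sample data: one group per service, two users. Real services
such as Apache (Require ldap-group) or sshd (AllowGroups) do the same check
against the directory; this reimplements it so the logic can be seen.
"""
from collections import defaultdict

# Constructed LDIF, not from the original post.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
memberOf: cn=bugzilla-users,ou=groups,dc=example,dc=com
memberOf: cn=ssh-users,ou=groups,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bob
memberOf: cn=wiki-users,ou=groups,dc=example,dc=com

dn: cn=bugzilla-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: bugzilla-users
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=wiki-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: wiki-users
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=ssh-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: ssh-users
member: uid=alice,ou=people,dc=example,dc=com
"""

# Hypothetical mapping: which group each service requires. "local-login"
# points at a group that does not exist in the sample, to show fail-closed.
SERVICE_GROUPS = {
    "bugzilla": "cn=bugzilla-users,ou=groups,dc=example,dc=com",
    "wiki": "cn=wiki-users,ou=groups,dc=example,dc=com",
    "ssh": "cn=ssh-users,ou=groups,dc=example,dc=com",
    "local-login": "cn=local-login-users,ou=groups,dc=example,dc=com",
}


def parse_ldif(text):
    """Minimal LDIF parser (no base64, no line folding) -> {dn: {attr: [values]}}.
    LDAP compares DNs case-insensitively, so DN values are lowercased here."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = defaultdict(list)
            entries[value.lower()] = current
        elif current is not None:
            if attr in ("member", "memberof"):
                value = value.lower()  # DN-valued attributes
            current[attr].append(value)
    return entries


def member_via_group(entries, user_dn, group_dn):
    """Style 1: the group entry lists its members."""
    return user_dn.lower() in entries.get(group_dn.lower(), {}).get("member", [])


def member_via_user(entries, user_dn, group_dn):
    """Style 2: the user entry carries memberOf values."""
    return group_dn.lower() in entries.get(user_dn.lower(), {}).get("memberof", [])


def authorized(entries, user_dn, service, check=member_via_group):
    """Allow only if the service maps to a group and the user is in it.
    Unknown service or missing group -> False (fail closed)."""
    group_dn = SERVICE_GROUPS.get(service)
    return bool(group_dn) and check(entries, user_dn, group_dn)


def find_drift(entries):
    """Report users whose memberOf values disagree with the groups' member lists.
    When both sides are edited by hand, they drift and the two checks above
    start giving different answers for the same user."""
    problems = []
    for g, e in entries.items():
        if "groupofnames" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        listed = set(e.get("member", []))
        claimed = {dn for dn, u in entries.items() if g in u.get("memberof", [])}
        problems += [(g, dn, "member but no memberOf") for dn in listed - claimed]
        problems += [(g, dn, "memberOf but not member") for dn in claimed - listed]
    return sorted(problems)


if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    for user in ("uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"):
        for svc in SERVICE_GROUPS:
            print(user, svc, authorized(data, user, svc))
    print("drift:", find_drift(data))
```

With the sample data, alice gets into bugzilla and ssh but not the wiki, bob gets only the wiki, and nobody gets "local-login" because its group does not exist. Pick one storage style for the directory: if the user side is chosen, as the answer suggests for large groups, either let the server maintain `memberOf` (for example with OpenLDAP's memberof overlay) or run a check like `find_drift` regularly so a stale `memberOf` cannot grant access a group no longer lists.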
