Re: Questions about OpenLDAP for account authentication
On Friday 03 October 2008 14:11:26 Phill Edwards wrote:
> I have a linux server which provides a number of services such as
> samba, firewall, DNS, postfix, spam filtering etc to PCs on a small
> LAN. The client PCs on the LAN are Windows XP. I find it a pain when
> someone needs to change a password that you have to do it first on the
> PC, then make sure it's the same on the corresponding linux account
> and also for Samba. I thought I might use OpenLDAP so that there's
> only 1 password to change and was hoping I could use it to manage
> accounts. I've read a lot of HOWTOs but still have some questions.
>
> - Can I use an OpenLDAP frontend (eg JXplorer) and OpenLDAP to create
> new accounts on a linux machine, specify the group and have it create
> a new home dir etc (like when you run useradd)?
JXplorer is a relatively generic LDAP frontend. I would probably set
smbldap-tools up correctly, and consider setting samba up as a domain controller
(with accounts in LDAP). If done correctly, and you really need a GUI on Windows,
"User manager for Domains" would work ...
smbldap-tools includes LDAP-enabled equivalents of {user,group}{add,mod,del}.
I personally don't worry too much about creating the home directory at
creation of the account in LDAP, as I use pam_mkhomedir to ensure that users
get their home directory created wherever appropriate.
(The samba-specific aspects here are best discussed on a samba list).
> - Does openldap replace the need to have the accounts in /etc/passwd?
No, but nss_ldap (not part of OpenLDAP) can read accounts from a directory
server (including OpenLDAP), and present them to glibc as if they were in
/etc/passwd.
The combination of nss_ldap and a directory server does replace the need for
local accounts.
However, while you can authenticate users with nss_ldap (via pam_unix etc.),
you may prefer to consider using pam_ldap (or even better, pam_krb5 with
Kerberos also using the accounts in LDAP) instead.
> Once I've copied the existing linux accounts from /etc/passwd, should
> I delete them from /etc/passwd using userdel so that I don't have the
> account in two places?
Yes.
> - I also want to use OpenLDAP to provide a common address book which
> will be used mainly by Outlook. I know that Outlook can query the LDAP
> address book, but can it also update it?
Not natively.
> It seems that there are lots
> of apps to query OpenLDAP but updating the entries is a little arcane.
Kmail and Evolution both work fine for me. If your OS has bad LDAP support ...
well ...
Regards,
Buchan
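As an added worked example for the migration step discussed above (editor's code, not from the thread and not the code of smbldap-tools or PADL's MigrationTools, which do this job in production): it converts passwd(5) and shadow(5) entries into the RFC 2307 posixAccount/shadowAccount LDIF that nss_ldap and pam_ldap expect, and then lists the logins that would exist both in /etc/passwd and in the directory, i.e. the ones to remove locally with userdel afterwards. The base DN ou=People,dc=example,dc=com and the "uid >= 1000 is a regular user" cut-off are assumptions; the passwd and shadow lines are constructed sample data and the hashes are placeholders.

```python
"""Added example (editor's, not from the original post): turn passwd(5)/shadow(5)
entries into RFC 2307 posixAccount LDIF for nss_ldap/pam_ldap, and list the
logins that would then exist both locally and in the directory."""
import base64
from typing import Dict, List, Optional, Set

# Constructed sample input; the hashes are placeholders, not real password hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
phill:x:1000:1000:Phill Edwards,,,:/home/phill:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Locked:/home/bob:/bin/bash
"""
SAMPLE_SHADOW = """root:!:17000:0:99999:7:::
phill:$6$saltsalt$notarealhash:17000:0:99999:7:::
alice:$6$othersalt$alsonotreal:17100:0:99999:7:::
bob:!$6$locked$hash:17100:0:99999:7:::
"""
BASE_DN = "ou=People,dc=example,dc=com"  # assumed suffix; change to yours


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Parse passwd(5) lines; blank and '#' lines are ignored."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_shadow(text: str) -> Dict[str, List[str]]:
    """Map login -> the eight shadow(5) fields that follow the name."""
    out = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        out[fields[0]] = fields[1:]
    return out


def ldif_attr(name: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') when RFC 2849 forbids the raw form
    (non-ASCII, leading space/colon/'<', or embedded CR/LF/NUL)."""
    safe = (value.isascii() and value[:1] not in (" ", ":", "<")
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def passwd_to_ldif(passwd_text: str, shadow_text: Optional[str] = None,
                   base_dn: str = BASE_DN, min_uid: int = 1000) -> List[str]:
    """Return one LDIF entry string per account with uid >= min_uid.
    System accounts (below min_uid) stay in the local files. Password hashes
    are carried over as {CRYPT}hash; locked ('!...', '*') or absent hashes are
    omitted, so that entry cannot be bound to until a password is set."""
    shadow = parse_shadow(shadow_text) if shadow_text else {}
    entries = []
    for u in parse_passwd(passwd_text):
        if u["uid"] < min_uid:
            continue
        full_name = u["gecos"].split(",")[0] or u["name"]  # GECOS: name,room,phone,...
        lines = [f"dn: uid={u['name']},{base_dn}",
                 "objectClass: top", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: shadowAccount",
                 ldif_attr("uid", u["name"]), ldif_attr("cn", full_name),
                 ldif_attr("uidNumber", str(u["uid"])),
                 ldif_attr("gidNumber", str(u["gid"])),
                 ldif_attr("homeDirectory", u["home"]),
                 ldif_attr("loginShell", u["shell"])]
        if u["gecos"]:
            lines.append(ldif_attr("gecos", u["gecos"]))
        sh = shadow.get(u["name"])
        if sh:
            pw_hash, lastchg, mn, mx, warn = sh[0], sh[1], sh[2], sh[3], sh[4]
            if pw_hash and pw_hash[0] not in "!*":
                lines.append(ldif_attr("userPassword", "{CRYPT}" + pw_hash))
            for attr, val in (("shadowLastChange", lastchg), ("shadowMin", mn),
                              ("shadowMax", mx), ("shadowWarning", warn)):
                if val:
                    lines.append(ldif_attr(attr, val))
        entries.append("\n".join(lines))
    return entries


def find_local_duplicates(passwd_text: str, directory_logins: Set[str]) -> List[str]:
    """Logins present both in the local passwd file and in the directory (the
    set you would build from an ldapsearch for uid); these are the accounts to
    remove locally with userdel once nss_ldap is serving them."""
    local = {u["name"] for u in parse_passwd(passwd_text)}
    return sorted(local & directory_logins)


if __name__ == "__main__":
    for e in passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(e, end="\n\n")
    print("duplicates:", find_local_duplicates(SAMPLE_PASSWD, {"phill", "alice", "carol"}))
```

Two practical caveats: reading /etc/shadow needs root, and the resulting LDIF carries the password hashes, so treat the file like the shadow file itself and load it over a local socket or TLS; and before pointing nss_ldap at the directory, make sure the slapd ACL keeps userPassword out of anonymous and ordinary-user reads (auth-only access), otherwise the migration has just made every hash world-readable on the LAN.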