Hello list.
Thanks to archives of this ML, as well as source code from
Net::LDAP::Class::User::AD package, I'm able to create functional AD
user entries from Net::LDAP. However, I'm a bit curious about some
issues. I realise they are not strictly Net::LDAP issues, but as many
people here have strong experience in the domain, that seems a good
place to ask :)
First, unless there is dark magic behind, I imagine that just setting the
unicodePwd attribute only creates an LDAP password for the user, not a
Kerberos principal as well. So, should users also run an external tool
(smbpasswd, for instance) to fully initialise their account?
Second, with OpenLDAP I'm used to creating simpleSecurityObject entries
with dedicated ACLs, so as to manage sensible attributes finely. Is it
possible with Windows AD to create a system user, with the only
ability to perform password changes?
Third, is there a recommended practice for organising user and group
entries in AD? In the OpenLDAP world, the standard practice is to have a
'user' and a 'group' branch, whereas the AD setups I saw so far had a more
subdivided organisation (one branch per group, for instance).
Thanks for your input.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
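The post mentions creating AD users from Net::LDAP by setting unicodePwd. As an added example (not code from the poster or from Net::LDAP::Class::User::AD), the script below shows the three ways that attribute is written: initial password at account creation, an administrative reset (a replace, which needs the "Reset Password" right on the object), and a self-service change (delete the old value and add the new one in a single modify, which only needs the "Change Password" right). AD only accepts unicodePwd over an encrypted connection and only as the UTF-16LE encoding of the password wrapped in double quotes. The host, base DN, CA file and credentials are assumed placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Host, DNs, CA file and
# passwords are assumed values; adjust them to the deployment.
use strict;
use warnings;
use Net::LDAP;
use Encode qw(encode);

# AD expects unicodePwd as UTF-16LE of the password in double quotes.
sub ad_password_value {
    my ($clear) = @_;
    return encode('UTF-16LE', qq{"$clear"});
}

# Create an enabled user with its initial password in one add operation.
sub create_user {
    my ($ldap, $dn, $sam, $clear) = @_;
    my $mesg = $ldap->add(
        $dn,
        attrs => [
            objectClass        => [qw(top person organizationalPerson user)],
            sAMAccountName     => $sam,
            unicodePwd         => ad_password_value($clear),
            # 512 = NORMAL_ACCOUNT; the add is rejected if the password
            # does not meet the domain policy
            userAccountControl => 512,
        ],
    );
    die 'add failed: ' . $mesg->error if $mesg->code;
    return $mesg;
}

# Administrative reset: replaces the value, requires "Reset Password".
sub reset_password {
    my ($ldap, $dn, $clear) = @_;
    my $mesg = $ldap->modify($dn,
        replace => { unicodePwd => ad_password_value($clear) });
    die 'reset failed: ' . $mesg->error if $mesg->code;
    return $mesg;
}

# Self-service change: the old value must match, so the caller proves
# knowledge of the current password; requires only "Change Password".
sub change_own_password {
    my ($ldap, $dn, $old, $new) = @_;
    my $mesg = $ldap->modify(
        $dn,
        changes => [
            delete => [ unicodePwd => ad_password_value($old) ],
            add    => [ unicodePwd => ad_password_value($new) ],
        ],
    );
    die 'change failed: ' . $mesg->error if $mesg->code;
    return $mesg;
}

# Assumed deployment values. LDAPS with certificate verification: AD
# refuses unicodePwd on a clear-text connection, and an unverified TLS
# session would hand the password to anyone able to impersonate the DC.
my $ldap = Net::LDAP->new(
    'ldaps://dc.example.com',
    verify => 'require',
    cafile => '/etc/ssl/certs/ad-ca.pem',
) or die "connect failed: $@";

my $mesg = $ldap->bind('CN=svc-provision,OU=Service,DC=example,DC=com',
    password => $ENV{AD_BIND_PASSWORD});
die 'bind failed: ' . $mesg->error if $mesg->code;

my $user_dn = 'CN=Jane Doe,OU=People,DC=example,DC=com';
create_user($ldap, $user_dn, 'jdoe', 'Initial-Passw0rd!');
reset_password($ldap, $user_dn, 'Reset-Passw0rd!');
change_own_password($ldap, $user_dn, 'Reset-Passw0rd!', 'User-Chosen-Passw0rd!');

$ldap->unbind;
```

The split between reset_password and change_own_password is the useful part for a least-privilege setup: a provisioning account that only ever performs the delete/add form cannot reset a password it does not already know, so granting it "Reset Password" is unnecessary.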