Re: We need centralized accounts -- Any docs for ldap passwords?
> > libpam-ldap will allow password change. The rest have to be done manually (or through some customized software. I am considering Ganymede.) Although there is a nice package pam-mkhomedir that will automatically create homedirs (and copy /etc/skel stuff) if it does not exist.
>
> Where can I find that script?

It is a package in potato.

> I think we're going to go with ldap, so I'm going to have to figure out how we want to handle adding/deleting users, etc. I suppose I'll just whip up some scripts, but I wouldn't mind having a good one as a reference.

Yea, I am in exactly the same situation as you are. And I am looking at a good way to administer the users etc. Unfortunately, I can't find a working solution (or one requiring minimal changes). What I gathered so far:

- Ganymede: java based administration tool, keeps its own database, would require you to build your own classes to upload to LDAP. I have not been able to make Ganymede work so far;
- Webmin: perl based cgi scripts. LDAP stuff has to be done from scratch;
- linuxconf has a ldapconf module. Very early in the development and so far mostly deals with configuring slapd instead of administering the users. Did not manage to test it (guess need more time to play with linuxconf).

> First I need to look into ldap and see what the tools are for editing the database from the command line (if that's possible).

Sure. There are utilities to do everything (search, change, add, etc.) They are part of openldap-* packages. There is also very convenient gq (also in potato) which allows you to browse your directory and add/modify entries (though not suitable for real administration).

Keep me informed of your findings.

Sergey.
Re: We need centralized accounts -- Any docs for ldap passwords?
Hello,

Have you looked into Freeside at http://www.sisd.com/freeside. It is for ISP admin/billing and may provide what you want.

John C. Ellingboe
www.guntersville.net

Sergey V Kovalyov wrote:

> > > libpam-ldap will allow password change. The rest have to be done manually (or through some customized software. I am considering Ganymede.) Although there is a nice package pam-mkhomedir that will automatically create homedirs (and copy /etc/skel stuff) if it does not exist.
> >
> > Where can I find that script?
>
> It is a package in potato.
>
> > I think we're going to go with ldap, so I'm going to have to figure out how we want to handle adding/deleting users, etc. I suppose I'll just whip up some scripts, but I wouldn't mind having a good one as a reference.
>
> Yea, I am in exactly the same situation as you are. And I am looking at a good way to administer the users etc. Unfortunately, I can't find a working solution (or one requiring minimal changes). What I gathered so far:
>
> - Ganymede: java based administration tool, keeps its own database, would require you to build your own classes to upload to LDAP. I have not been able to make Ganymede work so far;
> - Webmin: perl based cgi scripts. LDAP stuff has to be done from scratch;
> - linuxconf has a ldapconf module. Very early in the development and so far mostly deals with configuring slapd instead of administering the users. Did not manage to test it (guess need more time to play with linuxconf).
>
> > First I need to look into ldap and see what the tools are for editing the database from the command line (if that's possible).
>
> Sure. There are utilities to do everything (search, change, add, etc.) They are part of openldap-* packages. There is also very convenient gq (also in potato) which allows you to browse your directory and add/modify entries (though not suitable for real administration).
>
> Keep me informed of your findings.
>
> Sergey.
>
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
Re: We need centralized accounts -- Any docs for ldap passwords?
Sergey V Kovalyov [EMAIL PROTECTED] writes:

> libpam-ldap will allow password change. The rest have to be done manually (or through some customized software. I am considering Ganymede.) Although there is a nice package pam-mkhomedir that will automatically create homedirs (and copy /etc/skel stuff) if it does not exist.

Where can I find that script?

I think we're going to go with ldap, so I'm going to have to figure out how we want to handle adding/deleting users, etc. I suppose I'll just whip up some scripts, but I wouldn't mind having a good one as a reference.

First I need to look into ldap and see what the tools are for editing the database from the command line (if that's possible).

Thanks

--
Rob Browning [EMAIL PROTECTED] PGP=E80E0D04F521A094 532B97F5D64E3930
Re: We need centralized accounts -- Any docs for ldap passwords?
On 31 May 1999, Rob Browning wrote:

> OK, so it sounds like we just need shadow/passwd/group support, and as far as I can tell we should be mostly good to go if we
>
> 1) firewall access to the ldap server from outside our subnet.
> 2) import etc/group and passwd via migrate_foo.pl
> 3) edit our nsswitch.conf as directed in /usr/doc/libnss-ldap/README
> 4) cross our fingers.

Well, it seems to work well for me (though so far only on a test machine).

> What I don't really know is how doing this interacts with the normal mechanisms. I would presume that we can just use LDAP for user accounts, and leave the system accounts in /etc/passwd, etc.

That's a logical thing to do. You might also want to set mail clients to use this ldap for mail address searching.

> I'm guessing from the nsswitch entry it'll just fall back to that if LDAP fails on a given lookup, but how does LDAP interact with adduser, userdel, addgroup, /usr/bin/passwd, etc. Does it update the right things, or do we have to do manual synchs?

libpam-ldap will allow password change. The rest have to be done manually (or through some customized software. I am considering Ganymede.) Although there is a nice package pam-mkhomedir that will automatically create homedirs (and copy /etc/skel stuff) if it does not exist.

> If the latter, then it seems like it might be worth us considering not using LDAP at all, and just whipping up some ssh synch thingy for these bits...

You'll sure have to weigh various pros and cons of both approaches. Ldap will just allow more things to use it for.

Sergey.
Re: We need centralized accounts -- Any docs for ldap passwords?
Ben Collins [EMAIL PROTECTED] writes:

> Documentation is a little lacking in this area. The main reason for putting things like fstab, etc, into ldap is for diskless clients and large network configurations (think centralizing). If you don't see an immediate need for it, chances are you won't benefit from it. Currently the most common use of ldap for name services are shadow/passwd/group, mail aliases (exim can compile with ldap support, as well as sendmail), and hosts information.

OK, so it sounds like we just need shadow/passwd/group support, and as far as I can tell we should be mostly good to go if we

1) firewall access to the ldap server from outside our subnet.
2) import etc/group and passwd via migrate_foo.pl
3) edit our nsswitch.conf as directed in /usr/doc/libnss-ldap/README
4) cross our fingers.

What I don't really know is how doing this interacts with the normal mechanisms. I would presume that we can just use LDAP for user accounts, and leave the system accounts in /etc/passwd, etc. I'm guessing from the nsswitch entry it'll just fall back to that if LDAP fails on a given lookup, but how does LDAP interact with adduser, userdel, addgroup, /usr/bin/passwd, etc. Does it update the right things, or do we have to do manual synchs?

If the latter, then it seems like it might be worth us considering not using LDAP at all, and just whipping up some ssh synch thingy for these bits...

> Hope this clears some things up.

It helps a lot. Thanks.

--
Rob Browning [EMAIL PROTECTED] PGP=E80E0D04F521A094 532B97F5D64E3930
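The lookup order that step 3 above sets up, with the system accounts left in the local files and the directory consulted only for what those files do not contain. This is an added illustration, not configuration posted by anyone in the thread; the file path and the `ldap` source name are what libnss-ldap uses, while the ordering and the comments are my assumptions about a sensible setup.

```conf
# /etc/nsswitch.conf (added example, not from the thread)
#
# "files" first: root and the other system accounts stay in the local
# /etc/passwd, /etc/group and /etc/shadow and never depend on the network.
# "ldap" is consulted only for names/uids/gids the local files do not
# contain, so ordinary user accounts can live in the directory.
passwd:    files ldap
group:     files ldap
shadow:    files ldap

# Leave the rest on the local files (and DNS) unless the directory
# really carries that data; migrate_foo.pl can export it, but nothing
# here reads it.
hosts:     files dns
networks:  files
services:  files
protocols: files
```

With `files` before `ldap`, a local entry wins and the server is never contacted for it; the reverse order would let a directory entry shadow a local one, which is why the system accounts are kept local. If the LDAP server is unreachable, lookups for directory users fail (after the client's timeout) while local accounts keep working, so root can still log in to repair things. As the replies in the thread say, adduser, userdel and friends only edit the local files; libpam-ldap handles password changes for directory users, and everything else is done with the openldap-* utilities or a script around them.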
Re: We need centralized accounts -- Any docs for ldap passwords?
On Mon, May 24, 1999 at 02:19:25PM -0500, Rob Browning wrote:

> Sergey V Kovalyov [EMAIL PROTECTED] writes:
>
> > When you install libnss-ldap, there is a short howto in /usr/doc/libnss-ldap
> >
> > I also suggest downloading conversion tools from www.padl.com, which will help populate the LDAP database
>
> OK. I'm back working on this, and I've gotten openldap etc. installed, and I've gotten the migration tools, read the HOWTO, and played with gq to see that I can actually see my database, and I'm about ready to try and cram my passwd/group stuff in there.
>
> However, from looking at the migration tools, it seems that they can translate a lot more than just passwd/group stuff like services, protocols, aliases, fstab, etc. So I'm a little curious now. I'd like to get a brief overview of the overall picture. Are people using ldap much for things like fstab? If so, how would that actually work, and how would it interact with other package upgrades? (I can see how accounts work via glibc2 and libpam-ldap/libnss-ldap.)
>
> Also, I'm wondering what, if any, the security concerns are relating to ldap access to passwd etc. Can someone give me a brief overview or point me at an appropriate doc? I haven't found one yet.

Documentation is a little lacking in this area. The main reason for putting things like fstab, etc, into ldap is for diskless clients and large network configurations (think centralizing). If you don't see an immediate need for it, chances are you won't benefit from it. Currently the most common use of ldap for name services are shadow/passwd/group, mail aliases (exim can compile with ldap support, as well as sendmail), and hosts information.

As far as security is concerned, right now OpenLDAP does not support SSL (work is being done on that, so RSN), so your transactions over a network are in the clear.

Access by default to password information is limited to the owner of the entry (i.e., I can see my encrypted password, but not yours or anyone else's) and the admin (set up on install of openldap). This is better than NIS in that you actually have to authenticate in order to gain access to the data (access is not based on privileged ports, which is a downfall of NIS). Access to normal account info (name, uid, home directory) is available anonymously by default, but with proper access rules in slapd.conf you can force authentication in order to obtain access (so that I can authenticate and be able to see your info, but outside access won't be able to).

Hope this clears some things up.
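What the two access postures described above look like as slapd.conf access rules. This is an added example, not configuration from Ben or from the OpenLDAP package; it uses OpenLDAP 2.x ACL syntax (the `users` and `auth` keywords are assumptions about the server version, and the file location and the entry the rules cover are placeholders). Only one of the two variants goes into a real file.

```conf
# slapd.conf access rules (added example; put in whichever slapd.conf your
# packaging uses). Rules are evaluated in order: the first "access to"
# clause whose target matches the entry/attribute decides, and within it
# the first "by" clause matching the requester decides. The rootdn set at
# install time bypasses these rules entirely, which is the "admin" above.

# ---- Variant A: the default-like posture ----------------------------------
# Password readable/changeable only by its owner; everything else readable
# by anyone, authenticated or not (name, uid, home directory leak anonymously).
access to attrs=userPassword
        by self write          # owner may change own password (libpam-ldap)
        by anonymous auth      # needed so clients can bind at all: "auth"
                               # allows the compare for a bind, not a read
        by * none              # nobody else sees the hash

access to *
        by * read              # account info open to anyone who can reach the port

# ---- Variant B: force authentication for account info ---------------------
# Same password rule; the rest is visible only to authenticated directory
# users, so an outside anonymous search gets nothing.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by users read          # any bound user may read the other entries
        by anonymous auth      # anonymous may only bind against an entry
        by * none
```

Two things to check after editing the rules: the `userPassword` clause must come before the catch-all `access to *`, or the catch-all wins and the hash becomes readable; and the `by anonymous auth` line must stay, because a simple bind starts out anonymous and needs `auth` on the entry's password before the user is authenticated. Variant B does not protect the traffic itself: as the reply above says, without SSL the bind password and the results still cross the wire in the clear, which is the reason for firewalling the port to the local subnet.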
Re: We need centralized accounts -- Any docs for ldap passwords?
Sergey V Kovalyov [EMAIL PROTECTED] writes:

> When you install libnss-ldap, there is a short howto in /usr/doc/libnss-ldap
>
> I also suggest downloading conversion tools from www.padl.com, which will help populate the LDAP database

OK. I'm back working on this, and I've gotten openldap etc. installed, and I've gotten the migration tools, read the HOWTO, and played with gq to see that I can actually see my database, and I'm about ready to try and cram my passwd/group stuff in there.

However, from looking at the migration tools, it seems that they can translate a lot more than just passwd/group stuff like services, protocols, aliases, fstab, etc. So I'm a little curious now. I'd like to get a brief overview of the overall picture. Are people using ldap much for things like fstab? If so, how would that actually work, and how would it interact with other package upgrades? (I can see how accounts work via glibc2 and libpam-ldap/libnss-ldap.)

Also, I'm wondering what, if any, the security concerns are relating to ldap access to passwd etc. Can someone give me a brief overview or point me at an appropriate doc? I haven't found one yet.

Thanks

--
Rob Browning [EMAIL PROTECTED] PGP=E80E0D04F521A094 532B97F5D64E3930
Re: We need centralized accounts -- Any docs for ldap passwords?
Jens B. Jorgensen [EMAIL PROTECTED] writes:

> But if you're not ready for potato then NIS will provide a ready-made solution. It's pretty straightforward. I'd be glad to offer assistance. As for a comparison, well, they're different. NIS has been around a long time, LDAP is newer.

Thanks to both of you for the help. We're running all unstable here so getting the ldap packages isn't a problem, but I wasn't completely sure what the tradeoffs are. I'll go look at the web sites Ben mentioned. Actually I had already seen the ldap packages, but I wasn't quite sure where to start. I was hoping for a HOWTO or something, but I can always just jump in and figure it out as I poke around.

--
Rob Browning [EMAIL PROTECTED] PGP=E80E0D04F521A094 532B97F5D64E3930
Re: We need centralized accounts -- Any docs for ldap passwords?
On 13 May 1999, Rob Browning wrote:

> Jens B. Jorgensen [EMAIL PROTECTED] writes:
>
> > But if you're not ready for potato then NIS will provide a ready-made solution. It's pretty straightforward. I'd be glad to offer assistance. As for a comparison, well, they're different. NIS has been around a long time, LDAP is newer.
>
> Thanks to both of you for the help. We're running all unstable here so getting the ldap packages isn't a problem, but I wasn't completely sure what the tradeoffs are. I'll go look at the web sites Ben mentioned. Actually I had already seen the ldap packages, but I wasn't quite sure where to start. I was hoping for a HOWTO or something, but I can always just jump in and figure it out as I poke around.

When you install libnss-ldap, there is a short howto in /usr/doc/libnss-ldap

I also suggest downloading conversion tools from www.padl.com, which will help populate the LDAP database

Sergey.
We need centralized accounts -- Any docs for ldap passwords?
We've got a number of machines here that we need to switch to centralized account maintenance, and I was trying to figure out what the best solution would be. It looks like the two main solutions would be NIS or ldap (via PAM), but I'm having a hard time finding out enough about the ldap solution to do a good comparison. Is there a good HOWTO or similar somewhere?

Is there some other solution I've overlooked. (I thought about just using a cron job and a sync script to keep all the passwd/group files in sync, but that requires you to be able to atomically update the files, and I couldn't see a good way to do that...perhaps some trick with chpasswd/add/deluser...

Thanks

--
Rob Browning [EMAIL PROTECTED] PGP=E80E0D04F521A094 532B97F5D64E3930
Re: We need centralized accounts -- Any docs for ldap passwords?
On Tue, May 11, 1999 at 07:59:56PM -0500, Rob Browning wrote:

> We've got a number of machines here that we need to switch to centralized account maintenance, and I was trying to figure out what the best solution would be. It looks like the two main solutions would be NIS or ldap (via PAM), but I'm having a hard time finding out enough about the ldap solution to do a good comparison. Is there a good HOWTO or similar somewhere?
>
> Is there some other solution I've overlooked. (I thought about just using a cron job and a sync script to keep all the passwd/group files in sync, but that requires you to be able to atomically update the files, and I couldn't see a good way to do that...perhaps some trick with chpasswd/add/deluser...

Our good admin is already in the midst of setting up an LDAP based account system. For info on what is being used for this please see www.openldap.com and www.padl.com for the OpenLDAP and nss_ldap/pam_ldap (all three of which are packaged in potato) programs.

--
Ben Collins [EMAIL PROTECTED]            Debian GNU/Linux
OpenLDAP Dev - [EMAIL PROTECTED]         The Choice of the GNU Generation
Re: We need centralized accounts -- Any docs for ldap passwords?
But if you're not ready for potato then NIS will provide a ready-made solution. It's pretty straightforward. I'd be glad to offer assistance. As for a comparison, well, they're different. NIS has been around a long time, LDAP is newer.

Ben Collins wrote:

> On Tue, May 11, 1999 at 07:59:56PM -0500, Rob Browning wrote:
>
> > We've got a number of machines here that we need to switch to centralized account maintenance, and I was trying to figure out what the best solution would be. It looks like the two main solutions would be NIS or ldap (via PAM), but I'm having a hard time finding out enough about the ldap solution to do a good comparison. Is there a good HOWTO or similar somewhere?
> >
> > Is there some other solution I've overlooked. (I thought about just using a cron job and a sync script to keep all the passwd/group files in sync, but that requires you to be able to atomically update the files, and I couldn't see a good way to do that...perhaps some trick with chpasswd/add/deluser...
>
> Our good admin is already in the midst of setting up an LDAP based account system. For info on what is being used for this please see www.openldap.com and www.padl.com for the OpenLDAP and nss_ldap/pam_ldap (all three of which are packaged in potato) programs.
>
> --
> Ben Collins [EMAIL PROTECTED]            Debian GNU/Linux
> OpenLDAP Dev - [EMAIL PROTECTED]         The Choice of the GNU Generation

--
Jens B. Jorgensen [EMAIL PROTECTED]