
Re: LDAP

On Mon, May 15, 2000 at 06:47:19PM -0500, Cloudmaster wrote:
> 
> So, since I guess someone talked about LDAP stuff at a meeting once, I'm
> sure everyone knows where I can find out what the heck I need to do to
> maintain an LDAP-based system database system, right?

I wonder who that was.  :-)

> I'd like to know if anyone has a decent link to setting up and *maintaining*
> LDAP authentication and hosts/groups/protocols/services/aliases/etc. 

A good place to start:

http://www.rage.net/ldap

It's a bit out of date, but it does have some good hints and an
excellent link page.  Also, www.openldap.org is a good place.

I don't have the URL handy (it's on rage's link page), but the LDAP
Roadmap is another good place to look.

> I've
> managed to get NSS-LDAP and PAM-LDAP working (those sure are LOUD acronyms,
> eh?), but I can't find a darned thing that explains in reasonable terms how
> I can add new users or modify services.  Using some of the LDAP tools like
> kldap or what have you I can modify stuff, but nothing else.

The basic idea is as follows:

LDAP sets up, at a minimum, a hierarchy of entries, each of which has
attributes with one or more values.  The "objectClass" attribute lists
the "schemas", or standard groups of attributes the entry has.

One of the links off rage is a set of schemas for standard POSIX
objects, such as groups, users, services, protocols, etc.  Those
should give you a guide as to what attributes you need to give a
particular entry.  The schemas are an RFC, also, so you might be able
to find them on an RFC repository.

Off the top of my head, these are the attributes for a POSIX user.  I
could be missing something; check the reference above.

objectClass: posixAccount
uid: <username>
uidNumber: <user ID>
gidNumber: <group ID>
homeDirectory: <home directory path>
loginShell: <login shell>
userPassword: <password; see below>

> For example, I want users to be able to change their password.  Does using
> NSS-LDAP make normal "passwd" work? 

Don't know; never tried it.

> For NIS-based stuff doesn't yppasswd
> need to be used, so then wouldn't there be an ldappasswd or something like
> that needed for LDAP auths?  That's my big question... 

You guessed it pretty good.  The openldap utilities contain a
"ldappasswd" utility.  It's not quite as easy to use as the regular
passwd, though; you may want to write a wrapper script that provides
exactly what you want.

> I also would like to
> figure out how to add users, or how to generate those ldif files or whatever
> they're called so I can stick a whole batch of users in at once...

LDIFs are very simple; they're just a set of attribute-value pairs,
one per line, separated by a colon, with blank lines separating
entries.  Start with the "dn" attribute, which is the distinguished
name.  Then do something like this:

dn: cn=cloudmaster, ou=People, dc=cloudmaster, dc=com
cn: cloudmaster
uid: cloudmaster
objectClass: top
objectClass: person
objectClass: organizationalPerson
[...]

dn: cn=otherguy, ou=People, dc=cloudmaster, dc=com
cn: otherguy
[...]

Do as many as you want.

> So, anyway, since everyone else managed to make it to the meeting where this
> was undoubtedly discussed in great depth and thus, all of you are experts
> now, I'd appreciate it if you'd share your illumination with me - or at
> least an illuminating link or 2. :)

Who, us? :-)

--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
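The batch LDIF generation the reply sketches, as an added example that is not part of the original message or of OpenLDAP: it emits posixAccount entries in the dn/objectClass form shown in the reply, assumes the ou=People,dc=cloudmaster,dc=com suffix from that example, constructs its own sample users, and writes userPassword as an {SSHA} hash so the file never carries plaintext passwords.

```python
import base64
import hashlib
import os

BASE_DN = "ou=People,dc=cloudmaster,dc=com"  # assumed suffix, modelled on the reply's example dn

SAMPLE_USERS = [  # constructed sample accounts for the batch (not from the original thread)
    {"uid": "cloudmaster", "sn": "Master", "uidNumber": 1001, "gidNumber": 100,
     "homeDirectory": "/home/cloudmaster", "loginShell": "/bin/bash", "password": "pw-one"},
    {"uid": "otherguy", "sn": "Guy", "uidNumber": 1002, "gidNumber": 100,
     "homeDirectory": "/home/otherguy", "password": "pw-two"},
]

def ssha(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password+salt)+salt); the LDIF carries no plaintext."""
    salt = os.urandom(4) if salt is None else salt  # fixed salt only for reproducible tests
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(stored, password):  # verify like the server does: split off salt, recompute
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode("utf-8") + raw[20:]).digest() == raw[:20]

def ldif_line(attr, value):
    """One 'attr: value' line (RFC 2849); unsafe values (leading space/':'/'<', non-ASCII) use '::'."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def user_to_ldif(user, base_dn=BASE_DN, salt=None):
    """One posixAccount entry: uid/uidNumber/gidNumber/homeDirectory are mandatory; person needs sn."""
    missing = [a for a in ("uid", "sn", "uidNumber", "gidNumber", "homeDirectory", "password")
               if a not in user]
    if missing:
        raise ValueError(f"entry {user.get('uid')!r} is missing {missing}")
    pairs = [("dn", f"cn={user['uid']},{base_dn}"), ("objectClass", "top"), ("objectClass", "person"),
             ("objectClass", "organizationalPerson"), ("objectClass", "posixAccount"),
             ("cn", user["uid"]), ("sn", user["sn"]), ("uid", user["uid"]),
             ("uidNumber", str(user["uidNumber"])), ("gidNumber", str(user["gidNumber"])),
             ("homeDirectory", user["homeDirectory"]), ("loginShell", user.get("loginShell", "/bin/sh")),
             ("userPassword", ssha(user["password"], salt))]
    return "\n".join(ldif_line(a, v) for a, v in pairs)

def batch_ldif(users, base_dn=BASE_DN):
    """Separate entries with a blank line, as LDIF requires; refuse duplicate uid or uidNumber."""
    for field in ("uid", "uidNumber"):
        values = [u.get(field) for u in users]
        if len(set(values)) != len(values):
            raise ValueError(f"duplicate {field} in batch")
    return "\n\n".join(user_to_ldif(u, base_dn) for u in users) + "\n"
```

Write `batch_ldif(SAMPLE_USERS)` to a file and load it with the OpenLDAP tool the reply points at (e.g. `ldapadd -x -D <root DN> -W -f users.ldif`); the duplicate check catches the uidNumber collisions that otherwise only surface as two accounts sharing one identity.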