Re: Centralized user management: what is best?
Mauro Condarelli wrote:

> > Date: Sat, 14 Jan 2006 11:31:53 -0500
> > From: Jay Zach <[EMAIL PROTECTED]>
> > To: debian-user@lists.debian.org
> > Subject: Re: Centralized user management: what is best?
> >
> > Mauro Condarelli wrote:
> >
> > > Hi,
> > > I have a small (<8 hosts) lan with mixed Linux (debian) and
> >
> > I started small, just getting the LDAP database working. I then went on to
> > figure out how to use PAM, nsswitch, et al, to auth my linux workstations
> > to ldap.
> >
> > Finally I got my Samba server working as a Windows domain, and using LDAP.
> > It was a long road, but worth it, and I now have much more knowledge of
> > the subject.
> >
> > Contact me if you want my pertinent config files.
>
> Thanks.
> Advice would be welcome.
> Either in the form of your current config files or, better, in the form of
> a "roadmap", so I can avoid false starts and remain on track.
> The sheer size of the pertinent manuals/howtos is discouraging.
>
> > Good Luck :)
>
> I know I'll need that! :) :) :)
>
> TIA
> Mauro

I pretty much already outlined my 'roadmap' as I would recommend it :)

1. Get LDAP directory implemented
   a) add a few people to it as a test
   b) use it as an address book first (I think this is easiest); get email
      clients to query it for addresses
   c) learn what you need to do to add a few user accounts to it, and do that
      (I recommend phpldap for this - I used the custom version in egroupware,
      mostly)

2. Get Linux to authenticate to the LDAP directory.
   a) I had a lot of trouble with this; be careful, because it's easy to lock
      yourself out of your computer - have a Knoppix handy
   b) this is done mostly with PAM, nsswitch, pam_ldap, and probably others.
      It's hard to remember it exactly, b/c once I got it, it just worked, and
      all I've done since is copy those files from /etc/ to my other
      workstations

3. Get Samba working using the LDAP directory as its database, and get the
   Windows domain working.
   a) I think I had the most trouble with this one, mainly because I kept
      going at it too soon, I think. Once I got it, it just went
   b) I think part of my troubles were that the smbldap package was key to
      getting this to work, and I couldn't get it to run, because of perl
      package dependencies. For some reason a perl module it needed to run
      wasn't a requirement of the smbldap package, so whenever I'd try to run
      smbldap-useradd, for example, I'd get a big long perl error. Finally,
      after studying the error for long enough, I figured out what perl
      module it needed, and installed the debian package for it. After that,
      things went smoothly.

I'm still working through a couple of little niggly issues, but for the most
part that did it.

-- 
Chicken Soup: An ancient miracle drug containing equal parts of aureomycin,
cocaine, interferon, and TLC. The only ailment chicken soup can't cure is
neurotic dependence on one's mother.
-- Arthur Naiman, "Every Goy's Guide to Yiddish"

Monday Jan 16, 2006

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe".
Trouble? Contact [EMAIL PROTECTED]
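The lock-out warning in step 2 of the roadmap above is where most first attempts go wrong: once nsswitch and PAM point at the directory, a box whose LDAP server is unreachable can stop resolving any account, including the ones in /etc/passwd you need to repair it. The check below is added here as an example; it is not part of Jay's post or of his config files. It reads an nsswitch.conf and confirms that the passwd, group and shadow databases still name a local source (files, or Debian's default compat) and consult it before ldap. The two sample files it writes are constructed for the demonstration.

```sh
#!/bin/sh
# check_nsswitch FILE
#   Returns 0 if, for passwd, group and shadow, FILE lists a local source
#   ("files" or "compat") and lists it before "ldap"; returns 1 otherwise.
#   Prints one line per database so the offending entry is visible.
check_nsswitch() {
    file=$1
    status=0
    for db in passwd group shadow; do
        # first line naming this database (comments start with '#', so they
        # never match "^<db>:")
        line=$(grep -E "^[[:space:]]*$db:" "$file" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING  $db: no entry (glibc defaults apply; add one explicitly)"
            continue
        fi
        sources=${line#*:}
        pos_files=0; pos_ldap=0; i=0
        for src in $sources; do
            i=$((i + 1))
            case $src in
                files|compat) [ "$pos_files" -eq 0 ] && pos_files=$i ;;
                ldap)         [ "$pos_ldap"  -eq 0 ] && pos_ldap=$i ;;
            esac
        done
        if [ "$pos_files" -eq 0 ]; then
            echo "UNSAFE   $line   (no local source: with LDAP down there are no accounts at all)"
            status=1
        elif [ "$pos_ldap" -ne 0 ] && [ "$pos_ldap" -lt "$pos_files" ]; then
            echo "UNSAFE   $line   (ldap consulted before files: every lookup waits on the server)"
            status=1
        else
            echo "OK       $line"
        fi
    done
    return $status
}

# Constructed sample files for the demonstration (not real system files).
tmp=$(mktemp -d)
printf 'passwd:  files ldap\ngroup:   files ldap\nshadow:  files ldap\nhosts:   files dns\n' > "$tmp/safe.conf"
printf 'passwd:  ldap files\ngroup:   ldap files\nshadow:  ldap\n' > "$tmp/unsafe.conf"

echo "== safe.conf";   check_nsswitch "$tmp/safe.conf"
echo "== unsafe.conf"; check_nsswitch "$tmp/unsafe.conf" || echo "-> fix this before enabling pam_ldap"
```

The same ordering applies in /etc/pam.d: keep pam_unix ahead of pam_ldap, keep a root shell open on the console while testing logins from a second session, and set bind_policy soft in the nss_ldap configuration so that lookups fail quickly instead of hanging when the directory server is down.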
RE: Centralized user management: what is best?
I think there should be a debian package/packages solving this problem automagically for those who do not want to go through all the reading themselves. It should contain something like this: openldap, samba, kerberos, nsswitch, pam-ldap with all the needed configuration and simple wizards, allowing to choose options.
Re: Centralized user management: what is best?
On (14/01/06 17:31), Jay Zach wrote:
> I'll throw some links in from where I've emailed them to myself in the
> past for future reference. I don't have time right now to go through
> them all to see what were the most useful (and I truthfully don't
> remember -- this whole process involved a bunch of small 'eureka
> moments', and I didn't do a good job documenting them), so I'll just
> throw them out there, along with some of my bookmarks...
>
> http://www.linux.com/article.pl?sid=05/10/18/1732231
> http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/LDAP-Implementation-HOWTO.html
> http://www.enterprisenetworkingplanet.com/netsecur/article.php/3514511
> http://groups-beta.google.com/group/linux.samba/browse_thread/thread/353078cfd35f7f41/217a96e9e79cd0b7?q=openldap+backup&rnum=3&hl=en#217a96e9e79cd0b7
> http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
> http://www.linuxjournal.com/article/8374
> http://www.fatofthelan.com/articles/articles.php?pid=24
> http://searchopensource.techtarget.com/tip/1,289483,sid39_gci1152805,00.html
> http://www.metaconsultancy.com/whitepapers/ldap-linux.htm
> http://www.imaginator.com/~simon/ldap/
> http://tldp.org/HOWTO/User-Authentication-HOWTO/index.html
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
> http://bbm/phpldapadmin/
> http://www.linuxjournal.com/article/8119

Thanks Jay

Much appreciated :)

Regards

Clive

-- 
www.clivemenzies.co.uk ... ...strategies for business
Re: Centralized user management: what is best?
Clive Menzies wrote:
> On (14/01/06 11:31), Jay Zach wrote:
>
> > Mauro Condarelli wrote:
> >
> > > Hi,
> > > I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> > > Up to now I managed the debian hosts manually (copying /etc/passwd,
> > > /etc/group, ..., manually), but that is a real pain.
> > > I did recently suffer a severe breakdown so I reinstalled most of the
> > > machines.
> > > At this point I would like to setup some centralized way to manage the
> > > whole network.
> > > I would like to manage:
> > > - users (<20)
> > > - file servers (2)
> > > - printers (3)
> > > - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> > > - mail (currently on a separate host, but I plan to move it to the
> > >   firewall)
> > >
> > > In the past I used NIS, but that is UNIX-only.
> > > I know there's OpenLDAP, but I never used it.
> > > Probably some other package is available.
> > >
> > > Question is:
> > > Given the needs, what is the "best" solution?
> > > Should I bother at all? (the main reason I want to install some
> > > management is that I began having a lot of permission problems when I
> > > moved hard disks from one host to another; I know how to fix them, but I
> > > would like to avoid re-doing all that next time...).
> > > Can someone point me in the right direction? I would like to avoid false
> > > starts.
> > >
> > > Thanks in Advance
> > > Mauro
> >
> > A year ago, I was in the same boat as you. I now have all my Linux
> > machines authenticating to an OpenLDAP database, and all my Windows
> > machines authenticating to a Samba domain, which is using the same LDAP db
> > as its backend. It took a lot of work and a lot of how-to reading, but I
> > finally made it ;)
> >
> > I started small, just getting the LDAP database working. I then went on to
> > figure out how to use PAM, nsswitch, et al, to auth my linux workstations
> > to ldap.
> >
> > Finally I got my Samba server working as a Windows domain, and using LDAP.
> > It was a long road, but worth it, and I now have much more knowledge of
> > the subject.
> >
> > Contact me if you want my pertinent config files.
>
> I've also been pondering this for a while; have you got any particular
> links you found useful howtos, etc.?
>
> Regards
>
> Clive

I'll throw some links in from where I've emailed them to myself in the past
for future reference. I don't have time right now to go through them all to
see what were the most useful (and I truthfully don't remember -- this whole
process involved a bunch of small 'eureka moments', and I didn't do a good
job documenting them), so I'll just throw them out there, along with some of
my bookmarks...

http://www.linux.com/article.pl?sid=05/10/18/1732231
http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/LDAP-Implementation-HOWTO.html
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3514511
http://groups-beta.google.com/group/linux.samba/browse_thread/thread/353078cfd35f7f41/217a96e9e79cd0b7?q=openldap+backup&rnum=3&hl=en#217a96e9e79cd0b7
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
http://www.linuxjournal.com/article/8374
http://www.fatofthelan.com/articles/articles.php?pid=24
http://searchopensource.techtarget.com/tip/1,289483,sid39_gci1152805,00.html
http://www.metaconsultancy.com/whitepapers/ldap-linux.htm
http://www.imaginator.com/~simon/ldap/
http://tldp.org/HOWTO/User-Authentication-HOWTO/index.html
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
http://bbm/phpldapadmin/
http://www.linuxjournal.com/article/8119

-- 
A figure with curves always offers a lot of interesting angles.

Saturday Jan 14, 2006
Re: Centralized user management: what is best?
On (14/01/06 11:31), Jay Zach wrote:
> Mauro Condarelli wrote:
> > Hi,
> > I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> > Up to now I managed the debian hosts manually (copying /etc/passwd,
> > /etc/group, ..., manually), but that is a real pain.
> > I did recently suffer a severe breakdown so I reinstalled most of the
> > machines.
> > At this point I would like to setup some centralized way to manage the
> > whole network.
> > I would like to manage:
> > - users (<20)
> > - file servers (2)
> > - printers (3)
> > - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> > - mail (currently on a separate host, but I plan to move it to the
> >   firewall)
> >
> > In the past I used NIS, but that is UNIX-only.
> > I know there's OpenLDAP, but I never used it.
> > Probably some other package is available.
> >
> > Question is:
> > Given the needs, what is the "best" solution?
> > Should I bother at all? (the main reason I want to install some management
> > is that I began having a lot of permission problems when I moved hard
> > disks from one host to another; I know how to fix them, but I would like
> > to avoid re-doing all that next time...).
> > Can someone point me in the right direction? I would like to avoid false
> > starts.
> >
> > Thanks in Advance
> > Mauro
>
> A year ago, I was in the same boat as you. I now have all my Linux machines
> authenticating to an OpenLDAP database, and all my Windows machines
> authenticating to a Samba domain, which is using the same LDAP db as its
> backend. It took a lot of work and a lot of how-to reading, but I finally
> made it ;)
>
> I started small, just getting the LDAP database working. I then went on to
> figure out how to use PAM, nsswitch, et al, to auth my linux workstations
> to ldap.
>
> Finally I got my Samba server working as a Windows domain, and using LDAP.
> It was a long road, but worth it, and I now have much more knowledge of the
> subject.
>
> Contact me if you want my pertinent config files.

I've also been pondering this for a while; have you got any particular
links you found useful howtos, etc.?

Regards

Clive

-- 
www.clivemenzies.co.uk ... ...strategies for business
Re: Centralized user management: what is best?
Mauro Condarelli wrote:
> Hi,
> I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> Up to now I managed the debian hosts manually (copying /etc/passwd,
> /etc/group, ..., manually), but that is a real pain.
> I did recently suffer a severe breakdown so I reinstalled most of the
> machines.
> At this point I would like to setup some centralized way to manage the
> whole network.
> I would like to manage:
> - users (<20)
> - file servers (2)
> - printers (3)
> - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> - mail (currently on a separate host, but I plan to move it to the firewall)
>
> In the past I used NIS, but that is UNIX-only.
> I know there's OpenLDAP, but I never used it.
> Probably some other package is available.
>
> Question is:
> Given the needs, what is the "best" solution?
> Should I bother at all? (the main reason I want to install some management
> is that I began having a lot of permission problems when I moved hard disks
> from one host to another; I know how to fix them, but I would like to avoid
> re-doing all that next time...).
> Can someone point me in the right direction? I would like to avoid false
> starts.
>
> Thanks in Advance
> Mauro

I think the default answer for Unix is automounting, and I would be surprised
if you are not aware of it since you did mention NIS. Is this also something
that you consider as "UNIX-only?" (If so, why? My understanding is that it's
at least nominally supported by Debian.)

For the XP boxes, the standard solution seems to be a master bootable disk
image on a server which is loaded over the network each time the machine
boots. (Saves the standard periodic Windows reinstall cycle.) Debian can
handle the loading and booting, but I don't know the details.

Of course, both of these solutions together give the user the option of
running either Debian or Windows on each machine on the network. (It's only
temporary of course, until everyone on the network is weaned from 'Doze. :-)
Re: Centralized user management: what is best?
On 1/14/06, Jay Zach <[EMAIL PROTECTED]> wrote:
> Mauro Condarelli wrote:
> > Hi,
> > I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> > Up to now I managed the debian hosts manually (copying /etc/passwd,
> > /etc/group, ..., manually), but that is a real pain.
> > I did recently suffer a severe breakdown so I reinstalled most of the
> > machines.
> > At this point I would like to setup some centralized way to manage the
> > whole network.
> > I would like to manage:
> > - users (<20)
> > - file servers (2)
> > - printers (3)
> > - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> > - mail (currently on a separate host, but I plan to move it to the
> >   firewall)
> >
> > In the past I used NIS, but that is UNIX-only.
> > I know there's OpenLDAP, but I never used it.
> > Probably some other package is available.
> >
> > Question is:
> > Given the needs, what is the "best" solution?
> > Should I bother at all? (the main reason I want to install some management
> > is that I began having a lot of permission problems when I moved hard
> > disks from one host to another; I know how to fix them, but I would like
> > to avoid re-doing all that next time...).
> > Can someone point me in the right direction? I would like to avoid false
> > starts.
> >
> > Thanks in Advance
> > Mauro
>
> A year ago, I was in the same boat as you. I now have all my Linux machines
> authenticating to an OpenLDAP database, and all my Windows machines
> authenticating to a Samba domain, which is using the same LDAP db as its
> backend. It took a lot of work and a lot of how-to reading, but I finally
> made it ;)
>
> I started small, just getting the LDAP database working. I then went on to
> figure out how to use PAM, nsswitch, et al, to auth my linux workstations
> to ldap.
>
> Finally I got my Samba server working as a Windows domain, and using LDAP.
> It was a long road, but worth it, and I now have much more knowledge of the
> subject.
>
> Contact me if you want my pertinent config files.

Sounds like a great debian-administration.org article. :)

> Good Luck :)
>
> -- 
> Always leave room to add an explanation if it doesn't work out.
>
> Saturday Jan 14, 2006

-- 
Cheers, Maxim Vexler (hq4ever).
Do u GNU ?
Re: Centralized user management: what is best?
Mauro Condarelli wrote:
> Hi,
> I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> Up to now I managed the debian hosts manually (copying /etc/passwd,
> /etc/group, ..., manually), but that is a real pain.
> I did recently suffer a severe breakdown so I reinstalled most of the
> machines.
> At this point I would like to setup some centralized way to manage the
> whole network.
> I would like to manage:
> - users (<20)
> - file servers (2)
> - printers (3)
> - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> - mail (currently on a separate host, but I plan to move it to the firewall)
>
> In the past I used NIS, but that is UNIX-only.
> I know there's OpenLDAP, but I never used it.
> Probably some other package is available.
>
> Question is:
> Given the needs, what is the "best" solution?
> Should I bother at all? (the main reason I want to install some management
> is that I began having a lot of permission problems when I moved hard disks
> from one host to another; I know how to fix them, but I would like to avoid
> re-doing all that next time...).
> Can someone point me in the right direction? I would like to avoid false
> starts.
>
> Thanks in Advance
> Mauro

A year ago, I was in the same boat as you. I now have all my Linux machines
authenticating to an OpenLDAP database, and all my Windows machines
authenticating to a Samba domain, which is using the same LDAP db as its
backend. It took a lot of work and a lot of how-to reading, but I finally
made it ;)

I started small, just getting the LDAP database working. I then went on to
figure out how to use PAM, nsswitch, et al, to auth my linux workstations to
ldap.

Finally I got my Samba server working as a Windows domain, and using LDAP. It
was a long road, but worth it, and I now have much more knowledge of the
subject.

Contact me if you want my pertinent config files.

Good Luck :)

-- 
Always leave room to add an explanation if it doesn't work out.

Saturday Jan 14, 2006
Re: Centralized user management: what is best?
Mauro Condarelli wrote:
> Hi,
> I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
> Up to now I managed the debian hosts manually (copying /etc/passwd,
> /etc/group, ..., manually), but that is a real pain.
> I did recently suffer a severe breakdown so I reinstalled most of the
> machines.
> At this point I would like to setup some centralized way to manage the
> whole network.
> I would like to manage:
> - users (<20)
> - file servers (2)
> - printers (3)
> - firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
> - mail (currently on a separate host, but I plan to move it to the firewall)
>
> In the past I used NIS, but that is UNIX-only.
> I know there's OpenLDAP, but I never used it.
> Probably some other package is available.

For a similar environment we use nis and samba (as domain controller) on a
central file server. So all our user data is on one machine. It takes some
effort to set up a 'good' samba domain, but it works. As far as I know there
is a way to set it up to automatically use the same passwords for linux and
Windows, but we have different passwords for linux/Winnt winxp. It's just one
more step to set up a user.

My approach would be to set up one of your file servers as nis and samba
master and back up config, passwd etc. to the second file server.

For our other linux boxes, we only keep package selection information. They
are basically standard installations with almost no configuration except for
IP, so they are quickly reinstalled, if anything goes wrong. (In fact, it
takes less time to install Debian from scratch (from a local cache) than a
complete virus scan takes on our XP-boxes :-)

Johannes

(NB: domain control doesn't work for winxp home - only professional.)
Centralized user management: what is best?
Hi,
I have a small (<8 hosts) lan with mixed Linux (debian) and winXP hosts.
Up to now I managed the debian hosts manually (copying /etc/passwd,
/etc/group, ..., manually), but that is a real pain.
I did recently suffer a severe breakdown so I reinstalled most of the
machines.
At this point I would like to setup some centralized way to manage the whole
network.
I would like to manage:
- users (<20)
- file servers (2)
- printers (3)
- firewall (ADSL, fixed IP, currently managed with shorewall/webmin)
- mail (currently on a separate host, but I plan to move it to the firewall)

In the past I used NIS, but that is UNIX-only.
I know there's OpenLDAP, but I never used it.
Probably some other package is available.

Question is:
Given the needs, what is the "best" solution?
Should I bother at all? (the main reason I want to install some management
is that I began having a lot of permission problems when I moved hard disks
from one host to another; I know how to fix them, but I would like to avoid
re-doing all that next time...).
Can someone point me in the right direction? I would like to avoid false
starts.

Thanks in Advance
Mauro
Re: slightly-OT: centralized user management
On 7/29/05, Roberto C. Sanchez <[EMAIL PROTECTED]> wrote:
> Greetings,
>
> I currently have a small home network (1 server, 1 workstation, 1
> laptop) with only two users. What I would like to do is to setup some
> sort of centralized user authentication mechanism (NIS, LDAP, whatever)
> with home directories mounted from the server. This is primarily since
> I will be adding more machines and more users in the near future.
>
> I would like recommendations/experiences from the list on what is a good
> approach and maybe some resources. The server already runs NFS, and I
> have experience with a combined NIS/NFS setup for a computer lab I
> formerly admined.
>
> One thing that is an absolute necessity is a sort of "roaming profile"
> support similar to that which is available with certain Redmond-based
> legacy operating systems. Specifically, logging into machine A will
> cause a "copy" of my $HOME to be cached on the machine. Machine A is a
> laptop and I unplug it from the network. I would like to be able to
> login to the machine, make changes to my files/whatever and then have
> them automagically sync up with the server next time machine A
> reconnects to the network at home. This may obviate the need for NFS.
> Additionally, it would be necessary for the login credentials to be
> cached so that disconnected login would actually work. I am pretty sure
> that this is possible, but I am not really sure what the best approach
> is. Ideas and recommendations are welcome.
>

For all my permanently connected machines I use NIS for users and NFS for
/home. Simply doing that will propagate any user settings to any
perma-connected machine that reads the same /home (assuming the same software
is used, e.g. if gnome 2.8 is used on one machine it will have issues with
some of the things gnome 2.10 does with configurations).

For my laptop I maintain local users, which is just me, and I use rsync in
various methods to keep my files up to date. I treat my folders as if they
were the equivalent to Windows' offline, only with no automagic
synchronizing, because I don't want my entire /home on the laptop to be /home
on the server (disk space restrictions, other users that don't use the
laptop, etc.)

-- 
~ Darryl ~
[EMAIL PROTECTED]
http://smartssa.com / http://darrylclarke.com
Re: FW: slightly-OT: centralized user management
On Sat, Jul 30, 2005 at 11:10:04AM -0500, Jason Clinton wrote:
> On Saturday 30 July 2005 10:59, Roberto C. Sanchez wrote:
> > Cool. Would you consider posting it so I have a starting point? No
> > sense reinventing the wheel :-)
>
> Unfortunately, the script is owned by my employer so I can't share it. But
> all I did was set up OpenLDAP, use the Official Samba HOWTO to configure
> the Linux server. Then on each Linux workstation I just copy the pam_mount
> script there and modify /etc/nsswitch.conf and /etc/pam.d/xdm to support
> LDAP. I put the pam_mount script in cron to run nightly to synchronize with
> the Linux server. Then, the Linux desktops automatically mount the users'
> data from /var/lib/samba/profiles//My Documents to /home//network_drive and
> unmount it when they log off.
>
> On Windows, you just join an NT4 style domain and then that's it. The Samba
> server instructs it to do roaming profiles. The profiles are stored in
> /var/lib/samba/profiles/

OK. Thanks for the info.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: FW: slightly-OT: centralized user management
On Saturday 30 July 2005 10:59, Roberto C. Sanchez wrote:
> Cool. Would you consider posting it so I have a starting point? No
> sense reinventing the wheel :-)

Unfortunately, the script is owned by my employer so I can't share it. But
all I did was set up OpenLDAP, use the Official Samba HOWTO to configure the
Linux server. Then on each Linux workstation I just copy the pam_mount script
there and modify /etc/nsswitch.conf and /etc/pam.d/xdm to support LDAP. I put
the pam_mount script in cron to run nightly to synchronize with the Linux
server. Then, the Linux desktops automatically mount the users' data from
/var/lib/samba/profiles//My Documents to /home//network_drive and unmount it
when they log off.

On Windows, you just join an NT4 style domain and then that's it. The Samba
server instructs it to do roaming profiles. The profiles are stored in
/var/lib/samba/profiles/

-- 
I use digital signatures and encryption. My key is stored at pgp.mit.edu
key ID code: "0x8DB3BF09".
F: F628 D9D3 E57A C281 5EFE 7DF7 B52A A393 8DB3 BF09
Re: FW: slightly-OT: centralized user management
On Sat, Jul 30, 2005 at 10:58:22AM -0500, Jason Clinton wrote:
> On Saturday 30 July 2005 09:15, Roberto C. Sanchez wrote:
> > Right. I am looking for something more cross platform. At least to
> > cover Windows and Linux and maybe Mac OS X. I am not familiar with
> > Windows networking, so I don't know what all the correct terminology is.
> > I just recall that at one place I worked everyone had laptops in docking
> > stations. If you logged into the Windows domain at least once on a
> > particular machine, it would cache your login credentials and your
> > Windows equivalent of $HOME.
>
> The answer to all your problems lies in using OpenLDAP and pam_mount. I
> wrote a script that generates the .pam_mount.conf file in users' home
> directories on Linux, and on Windows, Samba serves up a roaming profile.
>
> It's a lot of work, though.
>

Cool. Would you consider posting it so I have a starting point? No
sense reinventing the wheel :-)

-Roberto
Re: FW: slightly-OT: centralized user management
On Saturday 30 July 2005 09:15, Roberto C. Sanchez wrote:
> Right. I am looking for something more cross platform. At least to
> cover Windows and Linux and maybe Mac OS X. I am not familiar with
> Windows networking, so I don't know what all the correct terminology is.
> I just recall that at one place I worked everyone had laptops in docking
> stations. If you logged into the Windows domain at least once on a
> particular machine, it would cache your login credentials and your
> Windows equivalent of $HOME.

The answer to all your problems lies in using OpenLDAP and pam_mount. I wrote
a script that generates the .pam_mount.conf file in users' home directories
on Linux, and on Windows, Samba serves up a roaming profile.

It's a lot of work, though.
Re: FW: slightly-OT: centralized user management
On Fri, Jul 29, 2005 at 08:57:12PM -0700, David Christensen wrote:
> Roberto C. Sanchez wrote:
> > But there was nothing about getting a "roaming profile" type of setup.
>
> Roaming Profiles and Offline Folders are different Windows features. You need
> domain networking and Windows Server (2003, maybe 2k) to enable the former, but
> only Workgroup networking and a workstation Windows (XP Pro, XP Home?, Win2k?)
> to do the latter (also works with Domain networking).
>
Right. I am looking for something more cross platform. At least to cover Windows and Linux and maybe Mac OS X. I am not familiar with Windows networking, so I don't know what all the correct terminology is. I just recall that at one place I worked everyone had laptops in docking stations. If you logged into the Windows domain at least once on a particular machine, it would cache your login credentials and your Windows equivalent of $HOME.

> I've heard of Unix implementations of the equivalent of Roaming Profiles (Sun?
> HP?), and may have used such on an HP graphics terminal, but I never roamed.
> There's probably an open-source equivalent out there.
>
I spent several hours searching Google last night and came up empty. The closest thing I found was a SourceForge project called huddleserver that was registered in mid 2002 and is still in Planning stage (or basically abandoned). I think that simply mounting $HOME from an NFS provides a fairly close approximation. The problem comes with offline support.

> The closest *nix thing to Offline Folders that I've heard of is rsync. CVS can
> provide similar functionality, and is more robust/careful in the face of
> collisions. I've used Offline Folders and administered laptops with it, and I
> don't like it.
>
Last night I was thinking that it's not too difficult to create a mount point (or even just use /home) where, when a user logs in under Linux, rsync is used to copy the $HOME contents from the server. After that, logging out would trigger an rsync back to the server. If the machine was offline, then the rsync would delay until the machine was back on the network. However, there are a couple of issues with this approach:

- How would login credentials be stored/cached? I know that Windows NT/2k/XP do this, but I know Linux does not. It would require hacking together some sort of PAM module that can do this and be able to enforce the associated account policies as well.

- User 1 logs in at machine A, which is offline, and makes changes in $HOME. He then logs in to machine B, which is online, and makes changes in $HOME. The changes from B will immediately be sync'd to the server, but the changes from A will not. When A is next on the network, the changed files in A will overwrite the more recent changes from B. A CVS-type approach may help here. This may also happen if the user logs into machine A (online) and then into machine B (online) and then makes different changes in both. The changes of whichever machine is logged out last will be the ones preserved while the others are lost.

I think that it is possible to solve the first problem with a PAM-based approach, as I mentioned. I think that the second approach could be solved by two things:

- Disallow more than one login session on machines that are authenticating against the central authority (Samba/LDAP).

- (Not foolproof) Check timestamps on modified files. If there are files on the server that have more recent timestamps than those on the local machine (i.e., changes from a previous login session were committed from a different machine), force the user to choose what to do. This would require some interactive console and/or X-based dialog to prompt the user about which files have been changed and what to do about them.

> My $0.02,
>
> David
>
I think I am approaching about $0.05 worth :-)

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
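The timestamp check Roberto proposes for the two-machine problem, written out in Python as an added example (this is not code from the thread; the file manifests, times and file names are constructed). It compares each file's mtime on the laptop and on the server against the time of that client's last successful sync, so a file edited offline on A and, later, on B ends up flagged as a conflict rather than silently overwritten:

```python
# Added example (not part of the thread): a timestamp check for the
# "roaming $HOME" scheme sketched above. Before a client pushes its copy of
# $HOME back to the server, compare each file against the server copy and the
# time of this client's last successful sync, so that edits committed from
# another machine in the meantime are flagged instead of overwritten.
# Manifests are constructed sample data: relative path -> mtime (epoch secs).
from typing import Dict

Manifest = Dict[str, float]


def classify_changes(last_sync: float, local: Manifest, server: Manifest) -> Dict[str, str]:
    """Decide, per path, 'push', 'pull', 'conflict' or 'unchanged'.

    A side counts as changed when its mtime is newer than this client's last
    sync, or when the file exists only on that side. Changed on both sides is
    the case the thread worries about (A edited offline, B pushed later); no
    timestamp rule can pick a winner, so it is left for the user to resolve.
    Deletions are not tracked in this model.
    """
    decisions: Dict[str, str] = {}
    for path in sorted(set(local) | set(server)):
        local_changed = path in local and (path not in server or local[path] > last_sync)
        server_changed = path in server and (path not in local or server[path] > last_sync)
        if local_changed and server_changed:
            decisions[path] = "conflict"
        elif local_changed:
            decisions[path] = "push"
        elif server_changed:
            decisions[path] = "pull"
        else:
            decisions[path] = "unchanged"
    return decisions


def laptop_scenario() -> Dict[str, str]:
    """Constructed sample: laptop A last synced at t=50 and was edited offline
    at t=100; machine B edited the same file at t=120 and pushed it already."""
    last_sync_a = 50.0
    local_a = {
        "notes.txt": 100.0,   # edited offline on A after A's last sync
        ".bashrc": 10.0,      # untouched since before the last sync
        "draft.tex": 90.0,    # new file created on A
    }
    server = {
        "notes.txt": 120.0,   # B's newer edit, already committed
        ".bashrc": 10.0,
        "todo.txt": 110.0,    # created from B; A has never seen it
    }
    return classify_changes(last_sync_a, local_a, server)


if __name__ == "__main__":
    for path, decision in laptop_scenario().items():
        print(f"{decision:9} {path}")
```

In the sample, a plain `rsync -a` from A would replace B's newer `notes.txt` on the server, and `rsync -u` would skip it and leave A's offline edit unpushed without telling anyone; the `conflict` row is exactly where the interactive prompt the post asks for belongs.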
FW: slightly-OT: centralized user management
Roberto C. Sanchez wrote:
> But there was nothing about getting a "roaming profile" type of setup.

Roaming Profiles and Offline Folders are different Windows features. You need domain networking and Windows Server (2003, maybe 2k) to enable the former, but only Workgroup networking and a workstation Windows (XP Pro, XP Home?, Win2k?) to do the latter (also works with Domain networking).

I've heard of Unix implementations of the equivalent of Roaming Profiles (Sun? HP?), and may have used such on an HP graphics terminal, but I never roamed. There's probably an open-source equivalent out there.

The closest *nix thing to Offline Folders that I've heard of is rsync. CVS can provide similar functionality, and is more robust/careful in the face of collisions. I've used Offline Folders and administered laptops with it, and I don't like it.

My $0.02,

David
Re: slightly-OT: centralized user management
On Fri, Jul 29, 2005 at 09:57:17PM -0400, Hendrik Boom wrote:
>
> Two things come to mind, neither of which I've used (or used enough)
> to judge their viability.
>
> (1) rsync
> which I'm told is a way of keeping two file systems in sync with one another
>
I currently make heavy use of rsync. I am trying to get away from it and move to something more automated :-)

> and if you'd like a revision control system,
>
> (2) monotone
> which I've tried just enough to have trouble with it and still be
> enthusiastic about its potential, even though it is still in active
> development (current version is 0.21) and there may be compatibility
> problems between versions. Its big plus is that it is totally
> distributed. It can be used to maintain a database of variants of,
> say, source files even though it has *no* central server.
> It is specifically designed for the case that parts of a team of
> developers may work in isolation, say, on detached laptops, using
> their own copies of the repositor(y/ies), which are synchronised
> when it happens to be convenient.
>
This might have some promise. I am personally a fan of CVS and Subversion for revision control, but since I am trying to solve a different problem, this might work. Thanks for the pointer.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: slightly-OT: centralized user management
On Sat, Jul 30, 2005 at 02:35:56AM +0100, Clive Menzies wrote:
>
> Not long after I started getting to grips with debian, I asked a similar
> question and a guy called Todd Pytel sent me a lot of info and suggestions
> for solutions (some of it off-list). You should be able to find the
> thread by searching on the following:
>
> Date: Sun, 8 Jun 2003 21:44:05 -0500
> Subject: Re: NIS and Samba - can't authenticate Windows 98 clients
>
I found the thread and there is some good info. I suspected that LDAP would be a component of a good non-hacky solution. But there was nothing about getting a "roaming profile" type of setup. I frequently disconnect my laptop and take it places and I would like to avoid the manual syncing. I will likely set up something that also works with Windows and OS X, since I will likely be adding a Mac in the future and occasionally boot up to Windows for the odd game that runs too slowly in Qemu.

> I'm happy to forward you the off-list stuff as well; I am ashamed to say
> that some two years later I've not yet acted on it. Currently I'm using
> samba mainly to avoid host based authentication of NFS but I too would
> like to find a better solution with centralised authentication.
>
Please forward the off-list stuff as well.

> The smbclient situation in linux is less than satisfactory but seems to
> be a well kept secret. I tried xffm, smb4k and a few other network
> browsers; reading files works OK but writing to the shares either
> doesn't seem to be possible or erratic at best.
>
> Consequently, I mount all the samba shares on the debian workstations at
> boot with fstab. But it would be good to find a (windows like) network
> browser that is 100% reliable or alternatively find a different solution
> with the same functionality.
>
I am thinking that automount would certainly make this easier, but not perfect.

> Todd gave me a lot of info that I didn't understand fully; these are
> the sort of networking issues that 'float his boat' ;) I really need to
> re-read it with the benefit of two years debian/linux experience; it
> will hopefully mean more to me now.
>
Some things can only be truly appreciated with the benefit of experience :-)

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: slightly-OT: centralized user management
On Fri, Jul 29, 2005 at 08:01:28PM -0400, Roberto C. Sanchez wrote:
> Greetings,
>
> I currently have a small home network (1 server, 1 workstation, 1
> laptop) with only two users. What I would like to do is to set up some
> sort of centralized user authentication mechanism (NIS, LDAP, whatever)
> with home directories mounted from the server. This is primarily since
> I will be adding more machines and more users in the near future.
>
> I would like recommendations/experiences from the list on what is a good
> approach and maybe some resources. The server already runs NFS, and I
> have experience with a combined NIS/NFS setup for a computer lab I
> formerly admined.
>
> One thing that is an absolute necessity is a sort of "roaming profile"
> support similar to that which is available with certain Redmond-based
> legacy operating systems. Specifically, logging into machine A will
> cause a "copy" of my $HOME to be cached on the machine. Machine A is a
> laptop and I unplug it from the network. I would like to be able to
> login to the machine, make changes to my files/whatever and then have
> them automagically sync up with the server next time machine A
> reconnects to the network at home. This may obviate the need for NFS.
> Additionally, it would be necessary for the login credentials to be
> cached so that disconnected login would actually work. I am pretty sure
> that this is possible, but I am not really sure what the best approach
> is. Ideas and recommendations are welcome.

Two things come to mind, neither of which I've used (or used enough) to judge their viability.

(1) rsync
which I'm told is a way of keeping two file systems in sync with one another

and if you'd like a revision control system,

(2) monotone
which I've tried just enough to have trouble with it and still be enthusiastic about its potential, even though it is still in active development (current version is 0.21) and there may be compatibility problems between versions. Its big plus is that it is totally distributed. It can be used to maintain a database of variants of, say, source files even though it has *no* central server. It is specifically designed for the case that parts of a team of developers may work in isolation, say, on detached laptops, using their own copies of the repositor(y/ies), which are synchronised when it happens to be convenient.

-- hendrik
Re: slightly-OT: centralized user management
On (29/07/05 20:01), Roberto C. Sanchez wrote:
> I currently have a small home network (1 server, 1 workstation, 1
> laptop) with only two users. What I would like to do is to set up some
> sort of centralized user authentication mechanism (NIS, LDAP, whatever)
> with home directories mounted from the server. This is primarily since
> I will be adding more machines and more users in the near future.
>
> I would like recommendations/experiences from the list on what is a good
> approach and maybe some resources. The server already runs NFS, and I
> have experience with a combined NIS/NFS setup for a computer lab I
> formerly admined.
>
> One thing that is an absolute necessity is a sort of "roaming profile"
> support similar to that which is available with certain Redmond-based
> legacy operating systems. Specifically, logging into machine A will
> cause a "copy" of my $HOME to be cached on the machine. Machine A is a
> laptop and I unplug it from the network. I would like to be able to
> login to the machine, make changes to my files/whatever and then have
> them automagically sync up with the server next time machine A
> reconnects to the network at home. This may obviate the need for NFS.
> Additionally, it would be necessary for the login credentials to be
> cached so that disconnected login would actually work. I am pretty sure
> that this is possible, but I am not really sure what the best approach
> is. Ideas and recommendations are welcome.

Hi Roberto

Not long after I started getting to grips with debian, I asked a similar question and a guy called Todd Pytel sent me a lot of info and suggestions for solutions (some of it off-list). You should be able to find the thread by searching on the following:

Date: Sun, 8 Jun 2003 21:44:05 -0500
Subject: Re: NIS and Samba - can't authenticate Windows 98 clients

I'm happy to forward you the off-list stuff as well; I am ashamed to say that some two years later I've not yet acted on it. Currently I'm using samba mainly to avoid host based authentication of NFS but I too would like to find a better solution with centralised authentication.

The smbclient situation in linux is less than satisfactory but seems to be a well kept secret. I tried xffm, smb4k and a few other network browsers; reading files works OK but writing to the shares either doesn't seem to be possible or erratic at best.

Consequently, I mount all the samba shares on the debian workstations at boot with fstab. But it would be good to find a (windows like) network browser that is 100% reliable or alternatively find a different solution with the same functionality.

Todd gave me a lot of info that I didn't understand fully; these are the sort of networking issues that 'float his boat' ;) I really need to re-read it with the benefit of two years debian/linux experience; it will hopefully mean more to me now.

HTH

Clive

-- 
www.clivemenzies.co.uk ...
...strategies for business
slightly-OT: centralized user management
Greetings,

I currently have a small home network (1 server, 1 workstation, 1 laptop) with only two users. What I would like to do is to set up some sort of centralized user authentication mechanism (NIS, LDAP, whatever) with home directories mounted from the server. This is primarily since I will be adding more machines and more users in the near future.

I would like recommendations/experiences from the list on what is a good approach and maybe some resources. The server already runs NFS, and I have experience with a combined NIS/NFS setup for a computer lab I formerly admined.

One thing that is an absolute necessity is a sort of "roaming profile" support similar to that which is available with certain Redmond-based legacy operating systems. Specifically, logging into machine A will cause a "copy" of my $HOME to be cached on the machine. Machine A is a laptop and I unplug it from the network. I would like to be able to login to the machine, make changes to my files/whatever and then have them automagically sync up with the server next time machine A reconnects to the network at home. This may obviate the need for NFS. Additionally, it would be necessary for the login credentials to be cached so that disconnected login would actually work. I am pretty sure that this is possible, but I am not really sure what the best approach is. Ideas and recommendations are welcome.

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
Re: user management
On Mon, Mar 08, 2004 at 07:22:23PM +0100, Nejc Novak wrote:
> I am looking for a user management tool. I need the following features:
> - easy user adding and removing
> - first default password option and reset option
> - template/mail creation with username and password
> - web or shell
>
> Does anyone of you know for sth like this?

adduser and deluser? You already have them...

-- 
Paul Johnson <[EMAIL PROTECTED]>
proud Debian admin and user
Debian. Because it *must* work.
debian.org aboutdebian.com
RE: user management
Check out Webmin, it may be what you're looking for. http://www.webmin.com/

-----Original Message-----
From: Nejc Novak [mailto:[EMAIL PROTECTED]
Sent: Monday, March 08, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: user management

Hi!
I am looking for a user management tool. I need the following features:
- easy user adding and removing
- first default password option and reset option
- template/mail creation with username and password
- web or shell

Does anyone of you know for sth like this?
Thanks..
user management
Hi!
I am looking for a user management tool. I need the following features:
- easy user adding and removing
- first default password option and reset option
- template/mail creation with username and password
- web or shell

Does anyone of you know for sth like this?
Thanks..
Re: using LDAP as a configuration/user management backend
> "martin" == martin f krafft <[EMAIL PROTECTED]> writes:

[...]

>> only way I can think of to have separate users is to set the 'mail
>> only' accounts to have a shell of /dev/null. Or perhaps something
>> else like /usr/local/bin/bash, and only make /usr/local/bin/bash
>> available on those systems which you want these users to login
>> to. the rest of the systems would have no such file.

martin> this sounds like a very inflexible hack. i suppose i could
martin> somehow tweak pam_ldap or an sql pam module to do this...

Looking at my pam_ldap file, I see this option:

# The distinguished name of the search base.
base dc=uhoreg,dc=ca

I haven't fiddled with it, but I assume that it would allow you to use a subtree of your LDAP directory. I suppose that other LDAP-based authentication modules would have similar options.

[...]

martin> Mainly because I want people who don't know what a shell is
martin> (about 85% of the users) to have a simple web frontend for
martin> configuration. And before I make modules for .forward and
martin> modules for .spamassassin, i'd much rather just give them their
martin> LDAP subtree for complete access. it scales better.

Why not just use something like usermin-forward? (I don't know of a usermin module for spamassassin, though.) It's in unstable, and I assume it should be in testing by now, but I think it came out after Woody. I think that setting up a web-based front end would be easier than trying to coax various programs to read the LDAP tree.

-- 
Hubert Chan <[EMAIL PROTECTED]> - http://www.uhoreg.ca/
PGP/GnuPG key: 1024D/124B61FA
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
Key available at wwwkeys.pgp.net. Encrypted e-mail preferred.
Re: using LDAP as a configuration/user management backend
On Wed, 2002-10-09 at 01:49, martin f krafft wrote:
> 1. Select three servers to be the LDAP servers, configure them all for
>    ldap-ssl (no clear-text here) and then hook them into
>    a master-slave configuration with two of them mirroring the primary
>    one. I'll use bind9 round-robin to do some fairly unadvanced
>    load-balancing between them, and should be able to deal with the
>    failure of one of the three servers fairly easily.

For highest availability, you should have at least 1 and preferably 2 ldap servers per subnet. What is your network configuration?

> 2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
>    to contain no user but root and the various other defaults that
>    Debian installs. All users for all systems should be placed in
>    a global LDAP tree, with each user's record specifying what systems
>    s/he may log in to.

Sure. This is easy with pam_ldap and libnss_ldap.

> 3. Separate the mail users from the real users. About 70% of my users
>    never log in and simply use IMAPs or POP3s to retrieve their mail.
>    These should also live in the LDAP tree, but possibly under
>    a different subtree. I'd like to keep using postfix + courier to
>    handle all mail tasks. Is this possible, or should I start looking
>    into cyrus?

Postfix works with ldap just fine. I use postfix/cyrus, but postfix does all the heavy lifting. It uses ldap lookups to determine how to route to an address, and just calls the appropriate mailer. It looks up with the key maillocaladdress, and uses the mailroutingaddress attribute:

maillocaladdress: [EMAIL PROTECTED]
mailroutingaddress: [EMAIL PROTECTED]

Will deliver to cyrus user mailbox with the command "cyrdeliver -R dave"

maillocaladdress: [EMAIL PROTECTED]
mailroutingaddress: [EMAIL PROTECTED]

Will deliver to a cyrus BB (shared mailbox) with "cyrdeliver -R -m Press"

maillocaladdress: [EMAIL PROTECTED]
mailroutingaddress: [EMAIL PROTECTED]

Will deliver to our customer service application with the command "mailer.cserve --queue=generalsupport"

The other half of that coin is IMAP authentication. Cyrus uses PAM, so if you have PAM working, cyrus will work. I assume that Courier will use PAM as well. If you're using PAM for your mail authentication, then all mail accounts have to have posix account attributes (i.e., they're all shell accounts). Technically, Cyrus actually uses an auth daemon called saslauthd. My saslauthd is configured to use PAM, but you could configure your saslauthd to use straight ldap if you wanted, in which case it could authenticate against any ldap entry that had a userpassword attribute, which would mean that you could create pure mail accounts that don't have any corresponding presence in posix-land.

> 4. Put major user configuration items (like .forward, spamassassin)
>    into the LDAP tree. I am sure postfix can handle this particular one
>    somehow, and one can probably hack solutions up for other proggies.

Now you're getting into an area where I haven't done much. We don't support .forward because Cyrus uses sieve, which does lots more than .forward (although not as much as procmail). For spamassassin, I use a custom proxy that adds a single header (x-spam-color: green|blue|yellow|orange|red), and the users' sieve files can filter on the color. This doesn't support per-user black/white lists, etc., but my users aren't sophisticated enough for anything more anyway.

> 5. Put major system configuration (postfix, bind9, apt, etc.) into the
>    LDAP tree.

Depending on which way you want to approach this, some of these things are probably not such a good idea. There are two broad ways of doing this. The first is to actually make the application speak ldap, and look up its configuration entries in the ldap tree instead of in its own configuration file. The second is to actually store the configuration file as a BLOB in the ldap tree, and have a program that extracts that and puts it into the program's native text config file.

The problem with the first approach is that it can be a lot of work making the application speak ldap, and some programs just can't be configured with ldap. For example, apache config directives often need to be ordered (i.e., rewrite rules), and apache also supports things like conditional directives, but ldap is a non-ordered directory. The apache config just doesn't map to the ldap data model.

The problem with the second approach is that you're adding complexity that you don't need to. Instead of keeping your config file in a simple text file in the filesystem, where you can edit it with any tool, manage it with CVS, etc., you're putting the file into the ldap database, which buys you very little.

> I do have one question on LDAP: Can it be used as a relational &
Re: using LDAP as a configuration/user management backend
Hi,
I got the acid main page but got problems
- I created my database snortdb
- Executed the installation script found in /usr/doc/snort-mysql/contrib/create_mysql
- Installed Acid but when i select some links i have this
  Query execution error: Unknown column 'ip_src0' in 'field list'
- I have a look in iphdr table and there is no 'ip_src0' field

mysql> desc iphdr ;
+----------+----------------------+------+-----+---------+-------+
| Field    | Type                 | Null | Key | Default | Extra |
+----------+----------------------+------+-----+---------+-------+
| sid      | int(10) unsigned     |      | PRI | 0       |       |
| cid      | int(10) unsigned     |      | PRI | 0       |       |
| ip_src   | int(10) unsigned     |      | MUL | 0       |       |
| ip_dst   | int(10) unsigned     |      | MUL | 0       |       |
| ip_ver   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_hlen  | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_tos   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_len   | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_id    | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_flags | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_off   | smallint(5) unsigned | YES  |     | NULL    |       |
| ip_ttl   | tinyint(3) unsigned  | YES  |     | NULL    |       |
| ip_proto | tinyint(3) unsigned  |      |     | 0       |       |
| ip_csum  | smallint(5) unsigned | YES  |     | NULL    |       |
+----------+----------------------+------+-----+---------+-------+
14 rows in set (0.00 sec)

How can i fix that ?
Re: using LDAP as a configuration/user management backend
also sprach nate <[EMAIL PROTECTED]> [2002.10.09.1105 +0200]:
> be aware that openldap's "mirroring" is one-way master->slave not
> slave->master. All updates are required to be performed on the
> master. You can do the updates on the slave, but the commands are
> just passed transparently to the master(cleartext) to be processed
> on the master, then propagated back to the slave.

this sounds fine, as long as there is an easy way to promote a slave to the master. i actually like this way of replication.

> I would recommend for best security to only authenticate off the
> slave servers, and do not setup referrers on the slaves. That
> way all of the data accessible by the servers is read only. Worst
> case is the slave perhaps can get corruption but that won't affect
> the master.

this is an interesting idea that i will keep in mind.

> > 2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
> > to contain no user but root and the various other defaults that Debian
> > installs. All users for all systems should be placed in
> > a global LDAP tree, with each user's record specifying what systems
> > s/he may log in to.
>
> I've done this. in fact I've gone farther by putting all the default
> accounts in ldap too(Even though they aren't really used through ldap).

i don't want that. i want all accounts that i add to be in LDAP and to have /etc/passwd be managed by Debian. Note that this applies to groups as well, naturally.

> only way I can think of to have separate users is to set the 'mail only'
> accounts to have a shell of /dev/null. Or perhaps something else
> like /usr/local/bin/bash, and only make /usr/local/bin/bash available on
> those systems which you want these users to login to. the rest of the
> systems would have no such file.

this sounds like a very inflexible hack. i suppose i could somehow tweak pam_ldap or an sql pam module to do this...

> postfix can handle it all, what you use for IMAP/POP3 is not important,
> postfix will translate the LDAP account into a local user account,
> the MDA need not know LDAP even exists.

... except that I actually would prefer to have mail-only users not have local accounts. all they need, after all, is an IMAP hierarchy. no need for a homedirectory. Then again, the homedirectory approach will be simpler...

> > 4. Put major user configuration items (like .forward, spamassassin)
> > into the LDAP tree. I am sure postfix can handle this particular one
> > somehow, and one can probably hack solutions up for other proggies.
>
> This I have never tried, though possible, I don't really see any
> advantage to doing it over using a distributed filesystem like AFS
> which you mention you're planning on using ?

Mainly because I want people who don't know what a shell is (about 85% of the users) to have a simple web frontend for configuration. And before I make modules for .forward and modules for .spamassassin, i'd much rather just give them their LDAP subtree for complete access. it scales better.

> > 5. Put major system configuration (postfix, bind9, apt, etc.) into the
> > LDAP tree.
>
> haven't tried this either myself. I thought about doing DNS in
> LDAP, I've read about it, but my DNS zone files are setup so nicely..
> so I haven't tried it.

note that this is step 5. so maybe in five years i'll get to it ;^>

> as for relational database, I am not certain what you mean, but

say i have the following table of users with the systems that they may login to:

  1 peter { time, gnome, piper, wall }
  2 hans  { seamus, gnome, diamond }
  3 anna  { mother, diamond, wall }

and also a table of systems:

  1 time
  2 gnome
  3 piper
  4 wall
  5 seamus
  6 diamond
  7 mother

in a relational database, the users' table would then look like this:

  1 peter { 1, 2, 3, 4 }
  2 hans  { 5, 2, 6 }
  3 anna  { 7, 6, 4 }

which has the advantage that information is not duplicated; if i rename 'gnome' to 'albatros', then i only need to edit one entry. i am simply wondering if this can be done in ldap.

> if you're referring to host based authentication yes you can do this,
> I have not updated my LDAP howto on how to do it but its easy:
>
> the LDAP entry needs to have an objectClass: account
>
> then create a 'host' entry. e.g.
>
> host: mail35.mydomain.com
>
> 1 host entry per host that user is allowed to login to.
>
> then in /etc/pam_ldap.conf set this:
> pam_check_host_attr yes

cool. this precisely addresses the problem of restricting specific users to specific hosts.

> > Or would PostgreSQL be a better albeit not as performant choice in the
> > first place?
>
Re: using LDAP as a configuration/user management backend
martin f krafft said:

> Hi there,
>
> This will probably be a lengthy discussion. I appreciate any helpful
> comments. I also searched the lists and web but couldn't find good
> information.

maybe I can help :)

> 1. Select three servers to be the LDAP servers, configure them all for
> ldap-ssl (no clear-text here) and then hook them into
> a master-slave configuration with two of them mirroring the primary
> one. I'll use bind9 round-robin to do some fairly unadvanced
> load-balancing between them, and should be able to deal with the
> failure of one of the three servers fairly easily.

be aware that openldap's "mirroring" is one-way master->slave, not slave->master. All updates are required to be performed on the master. You can do the updates on the slave, but the commands are just passed transparently to the master (cleartext) to be processed on the master, then propagated back to the slave. I would recommend for best security to only authenticate off the slave servers, and do not set up referrers on the slaves. That way all of the data accessible by the servers is read only. Worst case is the slave perhaps can get corruption, but that won't affect the master.

> 2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
> to contain no user but root and the various other defaults that Debian
> installs. All users for all systems should be placed in
> a global LDAP tree, with each user's record specifying what systems
> s/he may log in to.

I've done this. In fact I've gone farther by putting all the default accounts in ldap too (even though they aren't really used through ldap).

> 3. Separate the mail users from the real users. About 70% of my users
> never log in and simply use IMAPs or POP3s to retrieve their mail.
> These should also live in the LDAP tree, but possibly under
> a different subtree. I'd like to keep using postfix + courier to handle
> all mail tasks. Is this possible, or should I start looking into cyrus?

only way I can think of to have separate users is to set the 'mail only' accounts to have a shell of /dev/null. Or perhaps something else like /usr/local/bin/bash, and only make /usr/local/bin/bash available on those systems which you want these users to login to. the rest of the systems would have no such file. postfix can handle it all, what you use for IMAP/POP3 is not important, postfix will translate the LDAP account into a local user account, the MDA need not know LDAP even exists.

> 4. Put major user configuration items (like .forward, spamassassin)
> into the LDAP tree. I am sure postfix can handle this particular one
> somehow, and one can probably hack solutions up for other proggies.

This I have never tried, though possible, I don't really see any advantage to doing it over using a distributed filesystem like AFS, which you mention you're planning on using?

> 5. Put major system configuration (postfix, bind9, apt, etc.) into the
> LDAP tree.

haven't tried this either myself. I thought about doing DNS in LDAP, I've read about it, but my DNS zone files are set up so nicely.. so I haven't tried it.

> I do have one question on LDAP: Can it be used as a relational
> database? For instance, I would like to have a list of systems that a
> user may use for login stored for each user. Can I link the systems out
> of a different subtree (that I use for system configuration in step 5),
> or would I need to duplicate the information?

as for relational database, I am not certain what you mean, but if you're referring to host based authentication yes you can do this, I have not updated my LDAP howto on how to do it but it's easy: the LDAP entry needs to have an objectClass: account, then create a 'host' entry. e.g.

host: mail35.mydomain.com

1 host entry per host that user is allowed to login to.

then in /etc/pam_ldap.conf set this:

pam_check_host_attr yes

then in /etc/pam.d/* for the services you want to use LDAP with, you need to first configure it to use ldap, but instead of using 'sufficient' as I have in my LDAP howto, it needs to say required. You can test it using sufficient, e.g. set it in ssh; if you ssh in, the message 'access denied for this host' should show up, but that won't actually be enforced until you set the pam entry to required, at which point it would disconnect you. I find this particularly cool because you can disable su this way: if you don't plan to login to a server for a long time, edit the root ldap entry, and remove the hosts entries for that user for the hosts you don't plan to su on, and if you try to su, even if you have the right password it blocks your access (again, provided you set 'required' in /etc/pam.d/su). You can do the same for the console
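As an added illustration (not part of the thread, and not pam_ldap's own code), here is a small Python model of the host-attribute check described above and of why stacking pam_ldap as `required` enforces it while `sufficient` only reports it. The sample LDAP entry, the hostnames and the assumption that pam_unix's own account check passes are all constructed for the example.

```python
# Constructed model of pam_check_host_attr and of PAM control-flag semantics.
from typing import Dict, List, Tuple

# Constructed sample entry, shaped like what pam_ldap would read back.
# The 'host' attribute is carried by objectClass 'account' (nis schema).
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "objectClass": ["top", "posixAccount", "account"],
    "uid": ["alice"],
    "host": ["mail35.mydomain.com", "shell1.mydomain.com"],
}


def ldap_host_check(entry: Dict[str, List[str]], hostname: str) -> bool:
    """Model of pam_check_host_attr: pass only if this host is listed."""
    if "account" not in entry.get("objectClass", []):
        return False  # without objectClass account there is no host attribute
    return hostname in entry.get("host", [])


def pam_stack_result(stack: List[Tuple[str, str]],
                     module_results: Dict[str, bool]) -> bool:
    """Evaluate a minimal PAM stack supporting 'required' and 'sufficient'.

    required:   a failure marks the whole stack failed, evaluation continues.
    sufficient: a success ends the stack successfully unless a required
                module already failed; a failure is simply ignored.
    """
    failed = False
    for control, module in stack:
        ok = module_results[module]
        if control == "required":
            failed = failed or not ok
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return not failed


def login_allowed(entry: Dict[str, List[str]], hostname: str,
                  ldap_control: str, unix_ok: bool = True) -> bool:
    """Outcome of an account stack where pam_ldap is followed by pam_unix.

    unix_ok models pam_unix's own account check (assumed to pass here).
    """
    stack = [(ldap_control, "pam_ldap"), ("required", "pam_unix")]
    results = {"pam_ldap": ldap_host_check(entry, hostname), "pam_unix": unix_ok}
    return pam_stack_result(stack, results)
```

With `sufficient`, a failed host check is ignored and pam_unix still lets the user in; with `required`, the same failure denies the login.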
using LDAP as a configuration/user management backend

Hi there,

This will probably be a lengthy discussion. I appreciate any helpful comments. I also searched the lists and web but couldn't find good information.

I operate 27 servers all over the world, all running Debian (without Debian, this wouldn't be possible). Now I would like to unify them by using LDAP as a configuration and user management backend, as well as AFS to share filesystems. I see this as a series of steps as follows. Basically, while I am good with the theory of all this, I have little to no practical experience, so I appreciate any comments.

1. Select three servers to be the LDAP servers, configure them all for ldap-ssl (no clear-text here) and then hook them into a master-slave configuration with two of them mirroring the primary one. I'll use bind9 round-robin to do some fairly unadvanced load-balancing between them, and should be able to deal with the failure of one of the three servers fairly easily.

2. Move user management to the LDAP tree. Ideally, I want /etc/passwd to contain no user but root and the various other defaults that Debian installs. All users for all systems should be placed in a global LDAP tree, with each user's record specifying what systems s/he may log in to.

3. Separate the mail users from the real users. About 70% of my users never log in and simply use IMAPs or POP3s to retrieve their mail. These should also live in the LDAP tree, but possibly under a different subtree. I'd like to keep using postfix + courier to handle all mail tasks. Is this possible, or should I start looking into cyrus?

4. Put major user configuration items (like .forward, spamassassin) into the LDAP tree. I am sure postfix can handle this particular one somehow, and one can probably hack solutions up for other proggies.

5. Put major system configuration (postfix, bind9, apt, etc.) into the LDAP tree.

6. Export /home from every system to every other system:

   all:/home/seamus -> seamus.madduck.net:/export/home
   all:/home/diamond -> diamond.madduck.net:/export/home
   all:/home/embryo -> embryo.madduck.net:/export/home
   etc...

Once this is all done, I think the system will rock.

I do have one question on LDAP: Can it be used as a relational database? For instance, I would like to have a list of systems that a user may use for login stored for each user. Can I link the systems out of a different subtree (that I use for system configuration in step 5), or would I need to duplicate the information? Or would PostgreSQL be a better albeit not as performant choice in the first place?

-- 
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck

a friend is someone with whom you can dare to be yourself
process/user management
hello, a bit newbie at this kind of stuff, but what would be some good resources to look at for resource management for processes, as well as users? managing things like CPU time, quotas, and bandwidth. this, as well as info on securing boxes for mass shell usage. I know that's a lot, but any info would be great! thanks!

-lev
Re: user management
Paul Miller writes:

> Is there a program that is similar to Novell's syscon program? Linux
> really needs a good user management program (terminal-based) that can
> quickly add/remove groups, set passwords/info fields, delete users, set
> quotas, etc
>
> ---
> Paul Miller <[EMAIL PROTECTED]>, finger for public PGP key

Check out ftp://ftp.ecn.purdue.edu/pub/ACMAINT/

It is a user management program that was built by folks at Purdue University to handle the user base of thousands of students and machines! I know it has support for lots of different OS's. I have used it as an end user on a Sun machine and it is VERY powerful and does everything you mentioned. I have not tried building it on a Linux box. If you get it working on a Linux box I think it has been added to the list of possible packages for Debian.

Good luck,
Brian Servis

-- 
Mechanical Engineering [EMAIL PROTECTED]
Purdue University http://www.ecn.purdue.edu/~servis

-- 
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to [EMAIL PROTECTED] . Trouble? e-mail to [EMAIL PROTECTED] .
user management
Is there a program that is similar to Novell's syscon program? Linux really needs a good user management program (terminal-based) that can quickly add/remove groups, set passwords/info fields, delete users, set quotas, etc

---
Paul Miller <[EMAIL PROTECTED]>, finger for public PGP key