Re: [Hampshire] Easy user management in LDAP
On Wednesday 28 October 2009 11:14:15 Stuart Sears wrote:
> Samuel Penn wrote:
> >> What do you mean by a 'simple' user directory?
> >> Which information would you like to store about users?
> >
> > By 'simple', I'm more referring to my expectation that nothing
> > that I want to do is out of the ordinary and that I have no
> > requirements beyond what anyone else would have in terms of
> > managing users for access to typical services (mail, web, login
> > etc).
>
> ooh I could get nitpicky there :) But I won't.
> The fun with this is all about the fact that many apps use different
> attributes for different bits of information.

That's half the problem - I get the feeling that a good proportion of
the differences are unneeded, and only there because nobody could agree
on a standard.

> > Last night, I got Apache and DokuWiki talking to LDAP, with
> > DokuWiki using the ACLs based off LDAP groups. I also
> > discovered that Konqueror can browse the LDAP server and
> > edit objects, which is kind of useful.
>
> Sounds good.
> Which schema did you choose? users as InetOrgPerson?

person
organizationalPerson
inetOrgPerson
posixAccount

Chosen based on examples I found. I haven't thought about integrating
with PAM yet - it's not a priority.

Thanks for the tips on Samba/CUPS

--
Be seeing you,                 http://www.glendale.org.uk
Sam.                           Mail/IM (Jabber): s...@glendale.org.uk

--
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--
Re: [Hampshire] Easy user management in LDAP
Samuel Penn wrote:
[...]
> Several hosts, most of them virtual. If nothing else, there's also
> the learning opportunity since it's something I'd like to know
> how to do.

I hear that. Been there and done it - do quite a lot of LDAP stuff
these days as a result.

>>> However, I can't find any easy way of setting up and configuring
>>> OpenLDAP as a simple user directory. Does anyone know of any
>>> good tools that will allow this?
>> What do you mean by a 'simple' user directory?
>> Which information would you like to store about users?
>
> By 'simple', I'm more referring to my expectation that nothing
> that I want to do is out of the ordinary and that I have no
> requirements beyond what anyone else would have in terms of
> managing users for access to typical services (mail, web, login
> etc).

ooh I could get nitpicky there :) But I won't.
The fun with this is all about the fact that many apps use different
attributes for different bits of information.

> I've looked at LDAP before (to the extent of developing an
> application around it), and I'm aware that it's very powerful and
> flexible. However, I'd expect that my requirements are pretty
> common and that there'd be some standard set of tools and
> configurations for doing what I need.
>> Just Authentication/Authorisation? (shadow/passwd/group)?
>
> Pretty much. Courier needs to be plugged into it as well, so
> there may be need for an email address.
> Last night, I got Apache and DokuWiki talking to LDAP, with
> DokuWiki using the ACLs based off LDAP groups. I also
> discovered that Konqueror can browse the LDAP server and
> edit objects, which is kind of useful.

Sounds good.
Which schema did you choose? users as InetOrgPerson?
for proper UNIX/PAM auth you'll probably want
shadowAccount
posixAccount
posixGroup
objectclasses as well.

> I'll take a look at everybody's suggested tools as soon as I get
> a chance. My next task however is probably integrating it with
> Samba and CUPS.

SMB: you'll need sambaSAMAccount for samba users in LDAP
other than that the basics are documented here:
http://aput.net/~jheiss/samba/ldap.shtml
http://wiki.samba.org/index.php/Samba_&_LDAP

CUPS:
Create an ou=printers container under your main suffix
Add the cups LDAP schema to your openLDAP server
(nb I just found this, which didn't appear in web searches when I was
trying to do this for real...)
http://itsecureadmin.com/wiki/index.php/Printer_schema
http://itsecureadmin.com/wiki/index.php/LDAP_Printing

Regards,

Stuart
Re: [Hampshire] Easy user management in LDAP
> I'll take a look at everybody's suggested tools as soon as I get
> a chance. My next task however is probably integrating it with
> Samba and CUPS.
>
> Sam.

It's been years since I played with LDAP, but I did get it working with
Samba amongst other things. I cannot remember if I ever got CUPS to
work, or if it was even an option back then.

One thing I did get working was a company-wide read-only address book.
All the data was held in a PostgreSQL db, and LDAP was used as the
medium to present this data to Outlook.

Chris
Re: [Hampshire] Easy user management in LDAP
On Tue, 27 Oct 2009 00:00:29 +, Stuart Sears wrote:
> On 25/10/09 10:23, Samuel Penn wrote:
>>
>> Hi all,
>>
>> I'm in the process of building a new home server, and rather
>> than go down the route of having each service (mail, IM, web etc)
>> use its own user directory was thinking of using OpenLDAP.
>
> Are these services running on multiple hosts, or on your new server?
> If not, what do you see as the advantages of using a centralised
> directory service like LDAP?

Several hosts, most of them virtual. If nothing else, there's also
the learning opportunity since it's something I'd like to know
how to do.

>> However, I can't find any easy way of setting up and configuring
>> OpenLDAP as a simple user directory. Does anyone know of any
>> good tools that will allow this?
>
> What do you mean by a 'simple' user directory?
> Which information would you like to store about users?

By 'simple', I'm more referring to my expectation that nothing
that I want to do is out of the ordinary and that I have no
requirements beyond what anyone else would have in terms of
managing users for access to typical services (mail, web, login
etc).

I've looked at LDAP before (to the extent of developing an
application around it), and I'm aware that it's very powerful and
flexible. However, I'd expect that my requirements are pretty
common and that there'd be some standard set of tools and
configurations for doing what I need.

> Just Authentication/Authorisation? (shadow/passwd/group)?

Pretty much. Courier needs to be plugged into it as well, so
there may be need for an email address.

Last night, I got Apache and DokuWiki talking to LDAP, with
DokuWiki using the ACLs based off LDAP groups. I also
discovered that Konqueror can browse the LDAP server and
edit objects, which is kind of useful.

I'll take a look at everybody's suggested tools as soon as I get
a chance. My next task however is probably integrating it with
Samba and CUPS.

Sam.
Re: [Hampshire] Easy user management in LDAP
On 25/10/09 16:38, Samuel Penn wrote:
> On Sunday 25 October 2009 16:07:14 Adrian Bridgett wrote:
>> I normally use phpldapadmin (or ldapvi for more global things).
> Okay, I may have a look at that as well.
>> TBH I think running LDAP at home is generally more hassle than it's
>> worth. Okay, so I do run LDAP at home, but that's since I use it as a
>> test bed for doing LDAP work.
> Possibly. However, not using it is also a hassle. I've got
> a jabber server, an IMAP and webmail server, several wikis
> (one internal, some external), subversion and CVS repositories
> plus potentially an OpenId server. Oh, and samba and CUPS as
> well.

Well, CUPS can read/write LDAP if the schema and DIT are correct
(although the documentation for this is still ropey as hell, it's
easier than it looks :) )

> Even ignoring UNIX logins to desktops and servers, it would be
> nice to harmonize passwords across my main services.
> Given that my old server is still running fine, I've got a
> bit of time in which to play around with options to see whether
> going down this route works.
> I'm well aware that I may have been begging the question, and
> that I should have asked "how can I easily manage users"
> instead of deciding on OpenLDAP from the start, but OpenLDAP
> is the only option I'm aware of that is commonly supported.

With LDAP, the hardest part is going to be the initial design and DIT
layout, really. To do that you need to sort out the attributes that
different users (and applications) require and pick schema accordingly.
Layout choices normally revolve around replication/partitioning
(probably not an issue here) and access control requirements.

With the multitude of applications/services you want to use with LDAP,
it's always going to be complicated. Possibly even complex.

You probably want SSL as well - particularly if you're doing auth
against LDAP from external sources (but I'd assume you already have this
for some of your services)

I stand by my recommendation for the 389 directory server:
http://directory.fedoraproject.org
...which has some nice graphical tools (unfortunately they require java,
but do work (IIRC) with openjdk now)

Regards,

Stuart

--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
Re: [Hampshire] Easy user management in LDAP
On 27/10/09 00:00, Stuart Sears wrote:
[...]

note to self: read the whole thread first. :)

Stuart

--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
Re: [Hampshire] Easy user management in LDAP
On 25/10/09 10:23, Samuel Penn wrote:
>
> Hi all,
>
> I'm in the process of building a new home server, and rather
> than go down the route of having each service (mail, IM, web etc)
> use its own user directory was thinking of using OpenLDAP.

Are these services running on multiple hosts, or on your new server?
If not, what do you see as the advantages of using a centralised
directory service like LDAP?

> However, I can't find any easy way of setting up and configuring
> OpenLDAP as a simple user directory. Does anyone know of any
> good tools that will allow this?

What do you mean by a 'simple' user directory?
Which information would you like to store about users?
Just Authentication/Authorisation? (shadow/passwd/group)?
or other info too? (addressbooks, maildrop etc etc)

> What I really want to be able to do, is simply do the equivalent
> of "useradd fred ..." in OpenLDAP, without having to worry about
> LDAP schemas and the like. I don't mind configuring the server
> initially, but want the user management procedures themselves
> (add/list/delete/edit) to be nice and simple.

This "just"** needs scripting. python, perl (or even shell for that
matter) can do these things to pretty much any standards-compliant LDAP
directory server.

> I'm on Gentoo, would prefer a command line interface but if it
> is a GUI tool then KDE would be preferred.

Not precisely on gentoo, but open source (and therefore perfectly
feasible)

http://www.freeipa.org

Is actually kerberos/LDAP, but does provide nice commandline tools for
managing users and services.

If you just want an easy-to-use LDAP directory, then...

http://directory.fedoraproject.org

Stuart

** :)

--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
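The scripted "useradd fred" equivalent Stuart describes above, built around the objectclass list Sam settled on later in the thread (person, organizationalPerson, inetOrgPerson, posixAccount, plus the shadowAccount and posixGroup Stuart suggests), as an added example that is not code from the thread or from any tool named in it. It emits LDIF for one user entry and one posixGroup, storing the password as an OpenLDAP-style {SSHA} hash rather than in clear; the suffix dc=example,dc=com and the ou=People/ou=Groups containers are assumptions.

```python
import base64
import hashlib
import os

# Assumed DIT layout: constructed placeholder suffix, not from the thread.
BASE_DN = "dc=example,dc=com"
PEOPLE_OU = "ou=People," + BASE_DN
GROUPS_OU = "ou=Groups," + BASE_DN


def ssha_password(password, salt=None):
    """OpenLDAP-style {SSHA}: base64(sha1(password + salt) + salt).

    The cleartext never goes into userPassword; slapd checks binds
    against this salted hash.
    """
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Re-derive the hash from the stored salt, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def ldif_line(attr, value):
    """One LDIF line; values RFC 2849 calls unsafe are base64-encoded with '::'."""
    safe = value.isascii() and value.isprintable() and value[:1] not in (" ", ":", "<")
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def user_ldif(uid, cn, sn, uid_number, gid_number, password, mail=None):
    """The 'useradd fred' equivalent: one entry with the objectclasses the thread names."""
    attrs = [
        ("dn", "uid=%s,%s" % (uid, PEOPLE_OU)),
        ("objectClass", "person"),
        ("objectClass", "organizationalPerson"),
        ("objectClass", "inetOrgPerson"),  # mail, displayName and friends
        ("objectClass", "posixAccount"),   # uidNumber/gidNumber/homeDirectory/loginShell
        ("objectClass", "shadowAccount"),  # shadow* attributes for PAM/NSS
        ("uid", uid), ("cn", cn), ("sn", sn),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", "/home/%s" % uid), ("loginShell", "/bin/bash"),
        ("userPassword", ssha_password(password)),
    ]
    if mail:
        attrs.append(("mail", mail))  # the address Courier will look up
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"


def group_ldif(name, gid_number, members=()):
    """Matching posixGroup entry; memberUid lists the members by uid."""
    attrs = [("dn", "cn=%s,%s" % (name, GROUPS_OU)), ("objectClass", "posixGroup"),
             ("cn", name), ("gidNumber", str(gid_number))]
    attrs += [("memberUid", m) for m in members]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"
```

Write the two strings (group first, separated by a blank line) to a file and load it with ldapadd -ZZ -x -D <admin DN> -W -f <file>; -ZZ refuses to proceed without StartTLS, which matters for the external-auth case Stuart raises further down.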
Re: [Hampshire] Easy user management in LDAP
Samuel Penn wrote:
> On Sunday 25 October 2009 16:07:14 Adrian Bridgett wrote:
>
>> I normally use phpldapadmin (or ldapvi for more global things).
>>
>
> Okay, I may have a look at that as well.
>
>
>> TBH I think running LDAP at home is generally more hassle than it's
>> worth. Okay, so I do run LDAP at home, but that's since I use it as a
>> test bed for doing LDAP work.
>>
>
> Possibly. However, not using it is also a hassle. I've got
> a jabber server, an IMAP and webmail server, several wikis
> (one internal, some external), subversion and CVS repositories
> plus potentially an OpenId server. Oh, and samba and CUPS as
> well.
>
> Even ignoring UNIX logins to desktops and servers, it would be
> nice to harmonize passwords across my main services.
>
> Given that my old server is still running fine, I've got a
> bit of time in which to play around with options to see whether
> going down this route works.
>
> I'm well aware that I may have been begging the question, and
> that I should have asked "how can I easily manage users"
> instead of deciding on OpenLDAP from the start, but OpenLDAP
> is the only option I'm aware of that is commonly supported.
>

How about something like this https://gna.org/projects/smbldap-tools/

I use it with LAM (http://www.ldap-account-manager.org/)

I set up our Samba server & OpenLDAP using this http://majen.net/smbldap/
It's no longer supported but might give you a few pointers that'll help

Brian

The views expressed here are my own and not necessarily the views of
Portsmouth College
Re: [Hampshire] Easy user management in LDAP
On Sun, 25 Oct 2009 16:43:16 +, adr...@smop.co.uk said:
> Writing was also unsupported last I
> checked.

There are very, very few mail programs (MUAs) that support writing to
LDAP, although most support reading. One that does support writing is
Claws Mail, which might be worth looking at if you want to maintain an
address book in LDAP.

http://www.claws-mail.org/

--
Keith Edmunds
Tiger Computing Ltd - Helping businesses make the most of Linux
"The Linux Specialists" - http://www.tiger-computing.co.uk
Re: [Hampshire] Easy user management in LDAP
On Sun, Oct 25, 2009 at 16:24:50 + (+), Chris Dennis wrote:
> Is there anything else that will do a simple address book / contacts
> list that Thunderbird clients can share?

Google? Seems to be best way to do things these days.

I've found Thunderbird's support for LDAP (secured by TLS in particular)
to have been sorely lacking in the past. Writing was also unsupported
last I checked.

Adrian

--
bitcube.co.uk - Linux infrastructure consultancy
Puppet, Debian, Red Hat, Ubuntu, CentOS, ...
Re: [Hampshire] Easy user management in LDAP
On Sunday 25 October 2009 16:07:14 Adrian Bridgett wrote:
> I normally use phpldapadmin (or ldapvi for more global things).

Okay, I may have a look at that as well.

> TBH I think running LDAP at home is generally more hassle than it's
> worth. Okay, so I do run LDAP at home, but that's since I use it as a
> test bed for doing LDAP work.

Possibly. However, not using it is also a hassle. I've got
a jabber server, an IMAP and webmail server, several wikis
(one internal, some external), subversion and CVS repositories
plus potentially an OpenId server. Oh, and samba and CUPS as
well.

Even ignoring UNIX logins to desktops and servers, it would be
nice to harmonize passwords across my main services.

Given that my old server is still running fine, I've got a
bit of time in which to play around with options to see whether
going down this route works.

I'm well aware that I may have been begging the question, and
that I should have asked "how can I easily manage users"
instead of deciding on OpenLDAP from the start, but OpenLDAP
is the only option I'm aware of that is commonly supported.

--
Be seeing you,                 http://www.glendale.org.uk
Sam.                           Mail/IM (Jabber): s...@glendale.org.uk
Re: [Hampshire] Easy user management in LDAP
Adrian Bridgett wrote:
> On Sun, Oct 25, 2009 at 11:23:14 +0100 (+0100), Samuel Penn wrote:
>> What I really want to be able to do, is simply do the equivalent
>> of "useradd fred ..." in OpenLDAP, without having to worry about
>> LDAP schemas and the like. I don't mind configuring the server
>> initially, but want the user management procedures themselves
>> (add/list/delete/edit) to be nice and simple.
>
> I normally use phpldapadmin (or ldapvi for more global things).
>
> TBH I think running LDAP at home is generally more hassle than it's
> worth. Okay, so I do run LDAP at home, but that's since I use it as a
> test bed for doing LDAP work.
>
> Adrian

I've found 'hassle' to be an understatement when it comes to LDAP.

Is there anything else that will do a simple address book / contacts
list that Thunderbird clients can share?

cheers

Chris

--
Chris Dennis cgden...@btinternet.com
Fordingbridge, Hampshire, UK
Re: [Hampshire] Easy user management in LDAP
On Sun, Oct 25, 2009 at 11:23:14 +0100 (+0100), Samuel Penn wrote:
> What I really want to be able to do, is simply do the equivalent
> of "useradd fred ..." in OpenLDAP, without having to worry about
> LDAP schemas and the like. I don't mind configuring the server
> initially, but want the user management procedures themselves
> (add/list/delete/edit) to be nice and simple.

I normally use phpldapadmin (or ldapvi for more global things).

TBH I think running LDAP at home is generally more hassle than it's
worth. Okay, so I do run LDAP at home, but that's since I use it as a
test bed for doing LDAP work.

Adrian

--
bitcube.co.uk - Linux infrastructure consultancy
Puppet, Debian, Red Hat, Ubuntu, CentOS, ...
Re: [Hampshire] Easy user management in LDAP
On Sunday 25 October 2009 10:33:06 Hugo Mills wrote:
> On Sun, Oct 25, 2009 at 11:23:14AM +0100, Samuel Penn wrote:
> > However, I can't find any easy way of setting up and configuring
> > OpenLDAP as a simple user directory. Does anyone know of any
> > good tools that will allow this?
>
> There's a package called "cpu" (available in Debian) that I've used
> in the past for doing basic user/group administration on the command
> line. I also put together a couple of scripts for changing passwords
> (for users, and the sysadmin).

Thanks Hugo. I've found http://cpu.sourceforge.net/ so will try
downloading it from there and give it a go.

--
Be seeing you,                 http://www.glendale.org.uk
Sam.                           Mail/IM (Jabber): s...@glendale.org.uk
Re: [Hampshire] Easy user management in LDAP
On Sun, Oct 25, 2009 at 11:23:14AM +0100, Samuel Penn wrote:
> I'm in the process of building a new home server, and rather
> than go down the route of having each service (mail, IM, web etc)
> use its own user directory was thinking of using OpenLDAP.
>
> However, I can't find any easy way of setting up and configuring
> OpenLDAP as a simple user directory. Does anyone know of any
> good tools that will allow this?
>
> What I really want to be able to do, is simply do the equivalent
> of "useradd fred ..." in OpenLDAP, without having to worry about
> LDAP schemas and the like. I don't mind configuring the server
> initially, but want the user management procedures themselves
> (add/list/delete/edit) to be nice and simple.
>
> I'm on Gentoo, would prefer a command line interface but if it
> is a GUI tool then KDE would be preferred.

There's a package called "cpu" (available in Debian) that I've used
in the past for doing basic user/group administration on the command
line. I also put together a couple of scripts for changing passwords
(for users, and the sysadmin).

Hugo.

--
=== Hugo Mills: h...@... carfax.org.uk | darksatanic.net | lug.org.uk ===
PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Try everything once, except incest and folk-dancing. ---