[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: NSS/PAM_LDAP Management

Em Mon, Apr 17, 2000 at 10:38:01AM -0400, Greg escreveu:
> Hello all,
> 	I am in the process of evaluating the usage of nss/pam_ldap for a
> 5-6 thousand user Linux network. I have everything working just peachy by
> using RedHat 6.2 and the stock OpenLDAP/nss/pam_ldap modules that come
> "stock".
> 	I have a couple of questions that I need to have a clear answer on
> before I commit to using this. I figured that this was the place to ask!
> ;)
> 1. How does one create new accounts? I.E. Is there a set of utilities that
>    provide the same functionality as "useradd" and "userdel" from the
>    command line? I've been using LDAPXplorer under PHP-3 to create
>    accounts, but that does not create home directories, figure out group
>    mappings and the like. How do you guys do it?

I created two shell scripts which add and remove an user from the directory.
They are still being improved, but work for me. Too bad they are still in
portuguese, I'm working on that, just not fast enough... Maybe they can
give you a start.
These shell scripts just add the user to the local database, get its
entry with grep and run migrate_passwd.pl on it to produce a LDIF output.
This output is then inserted with ldapadd. After this, the user gets deleted
(it's optional) from the local database, i.e., you can run it remotely. It's 
for sure not the best way to do it, but it helped me with my testing.

Regarding creating home directories, I believe you are exporting the /homes via NFS
or something like that.
Another option would be to use the pam_mkhomedir module. If the home directory
for the user doesn't exist, it will create it just as if adduser has been used.
It also works with autofs homes, since it will try to access the user's home dir
and, with that access, trigger autofs and the directory will be mounted.

I would be very interested in seeing your authentication setup. Are you using
SSL? I'm currently using openldap-1.2.9 with stunnel in both ends (client and
server) to provide SSL tunneling. I've even patched authconfig to support this
SSL setup. Have you tried openldap's SSL capabilities yet?

> 2. When I attempt to change a password from the command line now, I get
>    th following dialog. Any pointers would be helpful..
> [root@tori openldap]# passwd
> New UNIX password:
> Retype new UNIX password:
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
> passwd: all authentication tokens updated successfully

I get this also, but it works (for me)...
It depends on the order of the entries in /etc/pam.d/passwd. If you put pam_ldap
first, then LDAP users will only get the LDAP sequence. But local users (non-ldap)
will fail this part, and only then will passwd prompt for the UNIX password. Things
go the other way around if you put pam_unix first and pam_ldap after in /etc/pam.d/passwd.

I'm thinking that if the admin has used, for example, authconfig to change the authentication
method do LDAP, then LDAP should be inserted first (with sufficient) and the other right
after it, so that root can change its password too (there shouldn't be a root user in the
LDAP database, I think. This is an issue with the migration scripts, they migrate every
user). Being LDAP first, most users wouldn't even see the UNIX password prompts, since they
will only get to this stage if they don't exist in the LDAP server.

> 3. Any performance issues to be concerned about with 5,000 entries?

I would like to know about that too...

Andreas Hasenack
BIG Linux user!