[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: General Issues

<quote who="Glover George">
> Hello, and please bare with me for a second.  I'm have just
> finished reading the admin and quickstart guides on openldap.org
> and the

hi! im new too :) maybe i can offer my experience.

> openldap-howto.  I have succesfully set up the server but have no
> entries in it.  This is where my knowledge ends.  Am I correct in
> understanding that microsoft's Active Directory is built on LDAP?

don't know. i have banned win2000 servers at my company for
anything other then testing. no production servers are allowed
to have win2000 server.

> Also, this is my question.  I have been bombarded with the
> buzzwords, but really just need someone to explain to me the
> practical applications for ldap.  As far as I know I can use it
> with pam to centralize logins on my linux machines.  But can't I
> use it to centralize windows machine logins too?

Yes, i just started deploying pam_ldap and nss_ldap on 1
server(mail server) and have 4 people authenticating on it
sofar(plan to have another 20 over the next 3 days). The way
it works on this server, during the transitition from NIS to
LDAP people can use either their NIS or LDAP account to

As far as win32 users, i intend to setup a SAMBA server with
a new domain which authenticates against the LDAP server
and use that for my PDC for win32 users. I haven't started
on this project yet and don't expect to for another week.
There is 3rd party software which ties directly into
the LDAP server but i have not investigated cost or
if its reliable or not. run a search for LDAP and NT on
google and some stuff should come up.

I think the SAMBA approcah will be cleaner though, being
that it is an open system. Currently we use the PDC(NT4.0)
as a file server/PDC/print server etc. that system will
be demoted to a BDC on the new domain and just do file/print
sharing.(at least thats what im thinking about doing)

I also configured netscape roaming(after much pain) with
LDAP and it works for those at my company who want to
use it. As well as an address book with all the employees
in it, for autocompletion in email clients as well as
other things.

> Also, address
> books for windows (outlook), netscape, etc. aren't those able to be
> stored in ldap?


>Then the followup to this, how (and where) do I
> begin to add users to the ldap directory.  The openldap page just
> basically says how to get it set up and running which I've done,
> but not the practical methods for using it.  Could someone please
> enlighten me or point me in the right direction?  Thanks so much

yes, this is the kicker. getting the format of the
database. i don't understand why there arent some good
examples out there. most of my information came from
an LDIF-exported LDAP database from my former netscape LDAP

sample LDIF entry for a user:
dn: cn=Jorge Jetson, ou=People, o=myorg, c=us
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationalPerson
objectClass: inetLocalMailRecipient
jpegPhoto:< file:///home/aphro/filename.jpg
uid: jorgej
cn: Jorge Jetson
sn: Jetson
givenName: Jorge
title: Janitor
departmentNumber: Janitorial stuff
userPassword: {MD5}EoTlOhaKWtlVSFp8g7EN4A==
telephoneNumber: 000-000-0000x115
facsimileTelephoneNumber: 000-000-0000
mobile: 123-456-7890
labeledURI: http://jorge.jetson.com/
mail: jorge.jetson@jetson.com
mailRoutingAddress: jetson@mail.jetson.com
mailHost: mail.jetson.com
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jorgej
gecos: Jorge Jetson
description: Janitor
l: Jorge's home city

you need the organizational unit(in this case, ou=People)
created BEFORE you try to add the entry. on debian systems
this is created by default, if its not on your system
you can create it by making an entry above the first

dn: ou=People, o=myorg,c=us
objectclass: top
objectclass: organizationalUnit
ou: People

you can get pre-made passwords by using the slappasswd
program. e.g. /usr/sbin/slappasswd -h {MD5} in my testing
at least for MD5 passwords its the only way to get
a working password. before i learned of this command
i tried using htpasswd (with MD5 enabled) to generate
a password and it did not work, and i tried coping
MD5 passwords from my /etc/shadow and that didn't work

Note that some of the entries(esp mail routing) will require
additional schema, in mail routing you'll need misc.schema
turned on(be sure to read and understand the warnings first
in that file). when i first started playing i just created
a big ldif file with all my entries and did a big ldapadd:

ldapadd -x -D "cn=admin,o=myorg,c=us" -W -f jetson.ldif -v

for a long time while i was making changes i would just
purge slapd and reinstall it via apt-get(i didn't know
how to delete or modify yet) and just re populated each
time(took about 10 seconds to reinstall ldap each time).

now that i have my main db populated with all the entries
i can think of at the moment i can easily modify them
using ldapexplorer(php app). sofar its the best editor i
have used.  There is directory administrator, but it has
one limitation sofar that i see - it only allows 1 email
address for mail routing. which is no good. even though
my DB has multiple entries and other ldap browsers show
them, directory administrator does not. im not using LDAP
for mail routing yet but am thinking about it for the

> advance.
> P.S. - Is there a consensus "good" GUI administratrion tool for
> this?

can't say ..but sofar the best ive come accross is
LDAP explorer. i'd like something that is server-side,
which ldap explorer offers. its not perfect, but its
straight forward and easy to use.

hope this helps i spent a good 25 hours on Openldap and
nss_ldap and pam_ldap in the past week so a lot of it is
fresh in my head :)