Re: Questions about OpenLDAP for account authentication

On Friday 03 October 2008 14:11:26 Phill Edwards wrote:
> I have a linux server which provides a number of services such as
> samba, firewall, DNS, postfix, spam filtering etc to PCs on a small
> LAN. The client PCs on the LAN are Windows XP. I find it a pain when
> someone needs to change a password that you have to do it first on the
> PC, then make sure it's the same on the corresponding linux account
> and also for Samba. I thought I might use OpenLDAP so that there's
> only 1 password to change and was hoping I could use it to manage
> accounts. I've read a lot of HOWTOs but still have some questions.
> - Can I use an OpenLDAP frontend (eg JXplorer) and OpenLDAP to create
> new accounts on a linux machine, specify the group and have it create
> a new home dir etc (like when you run useradd)?

JXPlorer is a relatively generic LDAP frontend. I would probably set smbldap-tools 
up correctly, and consider setting samba up as a domain controller (with 
accounts in LDAP). If done correctly, and you really need a GUI on Windows, 
"User manager for Domains" would work ...

smbldap-tools includes LDAP-enabled equivalents of {user,group}{add,mod,del}. 
I personally don't worry too much about creating the home directory at 
creation of the account in LDAP, as I use pam_mkhomedir to ensure that users 
get their home directory created wherever appropriate.

(The samba-specific aspects here are best discussed on a samba list).

> - Does openldap replace the need to have the accounts in /etc/passwd?

No, but nss_ldap (not part of OpenLDAP) can read accounts from a directory 
server (including OpenLDAP), and present them to glibc as if they were in 

The combination of nss_ldap and a directory server does replace the need for 
local accounts.

However, while you can authenticate users with nss_ldap (via pam_unix etc.), 
you may prefer to consider using pam_ldap (or even better, pam_krb5 with 
Kerberos also using the accounts in LDAP) instead.

> Once I've copied the existing linux accounts from /etc/passwd, should
> I delete them from /etc/passwd using userdel so that I don't have the
> account in two places?


> - I also want to use OpenLDAP to provide a common address book which
> will be used mainly by Outlook. I know that Outlook can query the LDAP
> address book, but can it also update it?

Not natively.

> It seems that there are lots
> of apps to query OpenLDAP but updating the entries is a little arcane.

Kmail and Evolution both work fine for me. If your OS has bad LDAP support ... 
well ...
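As an added example (not code from this thread or its author), the "copying the existing linux accounts from /etc/passwd" step discussed above, written as a passwd-to-LDIF converter that emits the RFC 2307 posixAccount entries nss_ldap reads; the base DN, the uid cut-off and the sample passwd lines are assumptions.

```python
"""Turn /etc/passwd lines into LDIF posixAccount entries for import with ldapadd."""
import base64

BASE_DN = "ou=People,dc=example,dc=com"  # assumed base DN; adjust to your directory

def ldif_line(attr, value):
    """Format one attribute, base64-encoding ('::') values LDIF cannot carry literally."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def passwd_to_ldif(passwd_text, base_dn=BASE_DN, min_uid=1000):
    """Return LDIF for regular users (uidNumber >= min_uid); system accounts stay local.
    The 'x' field means the hash is in /etc/shadow, which is not read here, so no
    userPassword is emitted: set it with ldappasswd or migrate /etc/shadow separately."""
    entries = []
    for raw in passwd_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {raw!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        lines = [ldif_line("dn", f"uid={name},{base_dn}"),
                 "objectClass: account",       # structural class carrying uid
                 "objectClass: posixAccount",  # RFC 2307 attributes nss_ldap maps
                 ldif_line("uid", name),
                 ldif_line("cn", gecos.split(",")[0] or name),
                 ldif_line("uidNumber", uid),
                 ldif_line("gidNumber", gid),
                 ldif_line("homeDirectory", home),
                 ldif_line("loginShell", shell or "/bin/sh")]
        if gecos:
            lines.append(ldif_line("gecos", gecos))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"

# Constructed sample input, not taken from any real system.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Liddell,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Ó Briain:/home/bob:/bin/sh
"""

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD))
```

Review the output before feeding it to ldapadd, then verify with `getent passwd <user>` that the entries resolve through nss_ldap before removing any local account.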