<CASP> hello mates
<New0rder> hmm
<New0rder> ok it is replicating
<New0rder> only one way
<New0rder> ideas why it's just one way?
<richm> New0rder: not sure, unless you have to do the magic enable updates mojo on the other side too.
<richm> You definitely need to find someone with some Sun DS 5.2 experience, because it sure doesn't work like 5.1.
<New0rder> damn
<New0rder> yeah. this sucks.
<richm> Try the sunswforums - "Better Than Nothing(tm)"
<kusznir> hello: I'm trying to get nss_ldap to work with AD. Currently ethereal reveals that nss_ldap is not using its mappings in its /etc/ldap.conf file (by that, it's searching for uid, loginShell, etc instead of msSFU30Uid, msSFU30LoginShell, etc).
<kusznir> I'm using it on RHEL3 with nss_ldap-207-2 (distributed with RHEL3).
<kusznir> It is reading the config file, as it's using the binddn and password I specified in the same file.
<kusznir> I've gotten a gentoo system with the same config working without issue.
<kusznir> Any suggestions?
<ThomsonC3_> hi
<ThomsonC3_> could anyone help me out with a couple of ldap questions?
<ThomsonC3_> im setting up a new server and planning to put ldap on it for authentication
<Gagatan> ThomsonC3_: read topic.. don't ask to ask.. go ahead and ask, and wait.. people tend to lurk
<ThomsonC3_> cool
<ThomsonC3_> ok, im having a problem understanding the process i go through for using ldap as the sole method of authentication
<ThomsonC3_> i have it all up and running so it's more the theory than the technical side im trying to understand
<ThomsonC3_> the way i have been doing it is using the migrate script to take info from the passwd file and put it in ldap
<ThomsonC3_> but it seems a hassle to have these two separate storage locations of user details
<Gagatan> how so?
<ThomsonC3_> can i just use ldap only and delete my passwd, shadow and group files from /etc?
<ThomsonC3_> and if i add a user into ldap do i always have to create the home dir manually?
<Gagatan> uhm.. I advise you to keep your users owned by actual people in ldap, and system-accounts in passwd, shadow and group
<Gagatan> like e.g. root with uid 0.. never put it in ldap.. keep it in passwd+shadow
<ThomsonC3_> so if i have a new user account to create, what is the best way to go about it?
<ThomsonC3_> just now i use the gui to create the user, then a script to copy the details into ldap
<Gagatan> ThomsonC3_: you can use a ldap usermanagement-tool.. luma, directoryadministrator, phpldapadmin etc
<ThomsonC3_> what would u recommend?
<Gagatan> I'm somewhat involved with luma, so if I recommend it - it wouldn't be very objective. But I think it's nice
<ThomsonC3_> will they create home directories too? and can they be used to delete users and groups and edit them?
<ThomsonC3_> ldap seems like a good idea to me, it just seems that its integration into linux distros sucks
<Gagatan> ThomsonC3_: try the usermanagement-module in luma and see.. they will not create homedirectories for you.. you probably want pam_mkhomedir or something in that direction for those operations.. or write a script that is called after adding new users
<ThomsonC3_> hmmm
<ThomsonC3_> yeah, it's the manual intervention of creating the directories that annoys me
<ThomsonC3_> it's just something else to try and keep track of
<ThomsonC3_> thanks for the advice :)
<Gagatan> well, write a script that either searches ldap and makes new homedirs if they don't exist (run e.g. from cron), or use pam_mkhomedir - then homedirs will be made upon first login of the user, or you can make a final script which you call with an argument (e.g. username), that searches your ldapserver, makes the homedirectories and any other wanted magic
<ThomsonC3_> yeah, that's what to do. I just feel that someone needs to bring all this together. I want a distro that lets me choose ldap when i install it, and then the gui user/group manager program takes care of all the admin so i can add users like i normally do in linux but still have the advantage of using things that require ldap such as jabber servers and web passed password changing
<ThomsonC3_> sorry, im ranting ;)
<Gagatan> there are some inhouse-solutions here and there though.. making homedirs, kerberos-principals, ldapusers .. all things of crack
<ThomsonC3_> so what about creating schemas? I just want to use it for storing some users, about 40, do i have to manually write a schema and add it to ldap with a shell or can these gui clients do it for me?
<Gagatan> you mean like /etc/openldap/schema/*.schema? or some ldif-files using existing schemas?
<Gagatan> ThomsonC3_: in general, you won't be needing anything else than the usermanagement-plugin and possibly the massusercreation if you want to add many users at once
<ThomsonC3_> im not sure, i just know that before i could use ldap i had to create an ldif file which described example.com
<SimonRaven> ldif != schema
<Gagatan> ThomsonC3_: I suggest you start working on Luma.. play around.. add some template-objects.. go back to the browser and try adding them by right-clicking your mouse where you want to store those objects
<ThomsonC3_> so with a new server installation, which only has a root user created, what would be the steps i would take to set it up so user accounts were handles exclusively by ldap
<ThomsonC3_> *handled
<Gagatan> you write a rootnode-ldif just like "dc=example,dc=com" and add a container for your users (e.g. ou=users,dc=example,dc=com)
<Gagatan> ok.. I answered the wrong question I think :P
<Gagatan> ThomsonC3_: you have to install nss-ldap and pam-ldap for starters.. configure those.. and possibly setup autofs and autofs-ldap if you want central homedirectories
<Gagatan> if you use redhat for this.. there should be some tool to help you do this.. sysconf or something.. don't remember
<ThomsonC3_> I'll let you know what i need. I want one server which will run CVS and Jive-Messenger (Jabber Server). about 30 to 40 people will have to be able to access CVS and Jabber with the same login details. They will also have to be able to change their passwords through a web interface. And I will have to be able to add/delete/edit users and groups (e.g. cvswrite group)
<ThomsonC3_> im using CentOS 4.2, so it's the same as Redhat EL4
<kusznir> ThomsonC3_ I implemented a system like you described, and avoided the home directory creation problem with the pam mkhomedir module (name may not be exact).
<ThomsonC3_> does that just create home dirs when users try and log in for the first time?
<kusznir> redhat uses "authconfig". It will automate most of the pam config. I haven't played with recent versions, though.
<Gagatan> more or less, yes
<ThomsonC3_> to be honest home dirs aren't too important for what i need
<kusznir> Ok, it just seemed that was one of your major complaints reading through your comments.
<Gagatan> ah.. authconfig.. yes.. that might help you.. and google "pam mkhomedir"
<kusznir> On my gentoo systems I set this LDAP thing on, pam mkhomedir was already present on the system. I just had to add one line to /etc/pam.d/system-auth.
<kusznir> In fact, that may be an option in authconfig these days.
<ThomsonC3_> ok so new server just installed so i do the following i guess: 1) turn on ldap with chkconfig, 2) use authconfig to set authentication to ldap on localhost
<kusznir> Basically, if it can't find a home dir for the user where it's supposed to be, it creates it using /etc/skel. (same happens when useradd creates a home dir)
<kusznir> You probably want to populate your ldap directory with account info before #2.
<kusznir> I have used phpldapadmin. It's a more general-purpose tool, but it does the job. If you take a bit of time to set up some defaults in its config, it can pre-populate most of the fields for you.
<ThomsonC3_> and i can just do that with a gui like luma?
<Gagatan> yes
<kusznir> Yea, you can. If you have existing account info (for example, you want to migrate the info from your existing ldap server), you probably want to do a ldif export on the old host, move the file over to the new one, and do an ldif import on it.
<ThomsonC3_> so after i turn on ldap and install phpmyldap i can manually enter account info with phpmyldap?
<ThomsonC3_> or do i have to create a schema first?
<ThomsonC3_> can phpmyldap do that for me?
<Gagatan> ThomsonC3_: schema!=ldif.. you load the schemas in slapd.conf.. then you create ldap-objects using a ldap-editor/browser such as phpldapadmin, luma or other
<Gagatan> ThomsonC3_: forget about schema for a while
<ThomsonC3_> and after if i do migrate a passwd file to ldap should i delete the entries from passwd afterwards?
<kusznir> Yes, delete entered passwd entries.
<kusznir> As a general rule, you only want a passwd entry in one place.
<Gagatan> keep all non-person accounts at least.. such as root, nobody etc
<kusznir> Yea, you probably don't want them in ldap.
<Gagatan> basically, any user with uid(Number) less than 100
<SimonRaven> basically: system users/groups : not LDAP; normal users/group : LDAP
<kusznir> As for schema, you will be using the existing schema; you do NOT need to create or modify a schema for what it sounds like you're doing.
<kusznir> So, once you install LDAP, configure slapd.conf as listed, then populate it with account info (migration script, luma, phpmyadmin, ldif, or whatever else)
<kusznir> Then authconfig, and you should be done :)
<ThomsonC3_> ok, 1 last question =)
<ThomsonC3_> what about password encoding?
<ThomsonC3_> MD5, crypt etc
<ThomsonC3_> i don't know much about that
<kusznir> MD5 is probably best.
<Gagatan> ssha is strongest though
<ThomsonC3_> so if i tell authconfig im using md5, then save passwords with phpmyadmin as md5, it will all work?
<SimonRaven> md5 is directly transferable back to unix flat file, but ssha is preferred ;)
<kusznir> yes
<ThomsonC3_> and will the command line program ldappasswd be able to change them
<SimonRaven> server does the hashing and salting, the client apps don't do that
<ThomsonC3_> so they need to know about it?
<ThomsonC3_> or the clients don't need to know how the passwords are stored?
<ThomsonC3_> and where are the passwords stored? inside the ldap database?
<kusznir> yea, the passwords are stored inside the ldap database in an encrypted form.
<kusznir> From my understanding, ldap authentication for linux consists of attempting to connect to the ldap database ("bind") as a specific user. If the connection ("bind") succeeds, the password is correct.
<ThomsonC3_> cool, and authconfig will tell the system how they are encoded so pam knows how to check the password entered against the hash?
<kusznir> Default implementations do this cleartext; there are a variety of methods to use encryption for this, although they require additional setup on both ldap server and clients.
<ThomsonC3_> should i keep my groups in a file or move them to ldap?
<kusznir> depends...do you set up custom groups or just use the system defaults?
<ThomsonC3_> i have a cvswrite group to allow certain users to write to cvs
<kusznir> Actually, I suspect it makes sense to move them to ldap, as you'll probably be changing membership of some of those groups and you want that centralized.
<ThomsonC3_> and a cvsread group for read only access
<kusznir> You are planning on using this info on multiple systems, right? (like have several linux systems that all use the same ldap directory for authentication, etc)
<ThomsonC3_> no, just 1
<ThomsonC3_> 1 server running cvs and a jabber server
<kusznir> Umm..in that case, all you're doing is complicating your life by using ldap.
<kusznir> ldap is a network directory service. As you can tell, it's additional trouble to set up; the only advantage of doing it is so you have multiple systems sharing the same account database (you no longer have to add accounts to each system, and users have their same password on all systems, etc)
<ThomsonC3_> the reason i used it is so the jabber server could use the same login as the cvs, and so people could change their passwords for cvs and jabber with a web page rather than using an ssh client
<kusznir> ok.
<ThomsonC3_> so if i used md5, how do i tell ldap?
<ThomsonC3_> a pam configuration?
<kusznir> pam doesn't care, if I recall correctly.
<kusznir> nss_ldap is the one that uses that, but I believe it actually passes the actual password to the ldap server, so the ldap server would md5 it and check it then.
<kusznir> So the ldap server is the only one that needs to know, and it knows because it has the data.
<ThomsonC3_> so how do i tell ldap server to use md5? would i need to turn off md5 in authconfig so it doesn't get md5'ed twoce?
<ThomsonC3_> *twice
<kusznir> no.
<kusznir> You should be able to ignore the issue. Tell authconfig you're using md5. When you add an account to ldap, your tool should let you choose password format, and probably defaults to md5. Just make sure it says md5, and do it.
<ThomsonC3_> cool
<ThomsonC3_> thanks so much for all your help guys =)
<ThomsonC3_> my work should really send me for some training before leaving me in charge of such things
<liran_> hey guys
<JoBbZ> blah
<JoBbZ> stupid ident stuff
<codebrk> what should i first look into if i try to run ldap as "./slapd" and when i look at the linux process monitor it's not there (i.e. it's not actually running)? thank you
<codebrk> hi if i run ./slapd locally and then use the client API ldapsearch without -H option it will default to look at the local ldap server right?
<lucca> the clients like ldapsearch look in ldap.conf to see where to go by default
<codebrk> it's amazing how much you can learn from total strangers
<codebrk> :-)
<SimonRaven> yeh, URI is the recommended form, but older unupdated ldap.confs will have HOST and PORT
<jasonb> what ldap browser would you recommend? (i.e. user friendly, hassle-free) thanks
<jasonb_> what ldap browser would you recommend? i.e. user friendly hassle free
<jasonb_> and is there a c-based ldap browser you know of?
<SimonRaven> there's several. pick one or 3 and have at it. try them all. luma (python), gq (unmaintained, gtk2), openldap tools (c), ...
<nuck> anyone around?
<nuck> i just wanted to ask what's the command line to run phpLDAPadmin browser? thank you
<liran_> uhmm, doesn't evolution support ldap configs?
<CASP> hello
<Gagatan> liran_: yes it does.. choose New, Addressbook, LDAP
<liran_> ahh ok thanks