I've attached two Perl scripts which may or may not
come through.  One is the LDAP-aware version of
useradd, the other the LDAP-aware version of passwd.
If they don't come through, let me know and I'll
send them privately.

You don't have to create all the accounts manually;
there are "migration tools" to help complete this task.
IIRC, http://www.padl.org/ has some scripts.

As for a user being a member of multiple groups,
the groups go into a separate organizational unit
("ou=groups", usually), and each user that is a member
of this group is included under this, "member: username",
IIRC.

HTH.

j.

--
Jeremy L. Gaddis   <[EMAIL PROTECTED]>   <http://www.gaddis.org>



> -----Original Message-----
> From: Aaron Isotton [mailto:[EMAIL PROTECTED] 
> Sent: Saturday, March 15, 2003 3:12 AM
> To: [EMAIL PROTECTED]
> Subject: Debian and LDAP
> 
> 
> 
> Hi,
> 
> I'm setting up a Debian machine with LDAP authentication (the LDAP
> Server runs on the Debian machine, and should be used for authentication
> both locally and on remote machines, but that's not the problem).
> 
> The LDAP Server runs fine, and both local and remote users can
> authenticate from it.  I'm doing this the first time, and so I run into
> a few problems:
> 
> - How can I manage the accounts in a sensible way?  useradd and the like
> seem not to use PAM, so I can't use them; until now I've used
> directory-administrator and gq to manage the accounts, but I have a
> strong dislike for GUI programs for such tasks.  I know I can use
> ldapadd/ldapmodify to manage accounts, but I'm not yet good enough in
> LDIF to do that.  Is there any useradd-like tool which uses PAM?
> 
> - Using useradd etc every user has also his own group.  Do I *really*
> have to create all of them by hand?
> 
> - How do I add a user to more than one group?
> 
> - I'd like to allow some users to log in on the server (via ssh, for
> example) and others not BUT everybody should be able to log in to the
> workstations (which authenticate off the server).  Thus setting the
> shell to /bin/false is not an option.  It'd be ideal if it could be done
> by group (ex. all users in the group "it" can log in on the server, the
> others can't).  Is there any solution for this?
> 
> Thanks a lot.
> 
> Aaron Isotton                                 [ http://www.isotton.com ]
--
If you can't understand it, it is intuitively obvious.

Attachment: ldapchpasswd.pl
Description: Binary data

Attachment: ldapuseradd.pl
Description: Binary data
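
The layout described in the reply (one entry per user, with groups kept under "ou=groups") can be generated instead of hand-written in LDIF. The following is an added example, not the attached ldapuseradd.pl or any code from this thread; it assumes the RFC 2307 posixAccount/posixGroup schema (membership stored as memberUid), a placeholder base DN dc=example,dc=org, an "ou=people" container for accounts, and supplementary groups that already exist.

```python
import re

# Assumed directory layout; placeholder values, not taken from the thread.
BASE = "dc=example,dc=org"
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative POSIX-style name

def _check(name):
    # fullmatch rejects embedded or trailing newlines, commas and '=' signs,
    # so a name cannot smuggle extra LDIF lines or DN components.
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"unsafe name: {name!r}")

def user_ldif(uid, uid_number, groups=()):
    """Return LDIF for a user, a private group, and supplementary memberships."""
    _check(uid)
    n = int(uid_number)
    if n < 1000:  # assumed floor: never hand out root or system UIDs
        raise ValueError("uidNumber below the range assumed for regular users")
    records = [
        # The account itself (RFC 2307 posixAccount on top of 'account').
        f"dn: uid={uid},ou=people,{BASE}\n"
        "changetype: add\n"
        "objectClass: account\n"
        "objectClass: posixAccount\n"
        f"uid: {uid}\n"
        f"cn: {uid}\n"
        f"uidNumber: {n}\n"
        f"gidNumber: {n}\n"
        f"homeDirectory: /home/{uid}\n"
        "loginShell: /bin/bash\n",
        # The per-user private group that a local useradd would have created.
        f"dn: cn={uid},ou=groups,{BASE}\n"
        "changetype: add\n"
        "objectClass: posixGroup\n"
        f"cn: {uid}\n"
        f"gidNumber: {n}\n",
    ]
    # One modify record per supplementary group (the group must already exist).
    for g in groups:
        _check(g)
        records.append(
            f"dn: cn={g},ou=groups,{BASE}\n"
            "changetype: modify\n"
            "add: memberUid\n"
            f"memberUid: {uid}\n"
        )
    return "\n".join(records)  # blank line between records, as LDIF requires

if __name__ == "__main__":
    print(user_ldif("aaron", 1001, groups=["it", "staff"]))
```

Because every record carries an explicit changetype, the output can be fed to ldapmodify by an identity allowed to write to both subtrees.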
