Hi,
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
Is there not an easier / faster way?
Thanks,
Eric
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
Is there not an easier / faster way
Smbldap-tools https://gna.org/projects/smbldap-tools/
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
Is there not an easier / faster way
Smbldap-tools https://gna.org/projects/smbldap-tools
I forgot the web interfaces to LDAP. You can use a web browser to administer your LDAP database:
LDAP Account Manager http://www.ldap-account-manager.org/lamcms/
PHPldapadmin http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page
I use both, depending on the particular need I have at the moment.
"Miguel Medalha" miguelmedalha@sapo.pt wrote in message news:4A89A97D.5070701@sapo.pt...
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
Is there not an easier / faster way
Smbldap-tools https://gna.org/projects/smbldap-tools/
Isn't that only for samba-ldap? Can I still use them if I am not running samba? I don't want to install and run Samba for no particular reason...
Thanks,
Eric
Isn't that only for samba-ldap? Can I still use them if I am not running samba? I don't want to install and run Samba for no particular reason..
It can be used to create Posix accounts only.
The documentation resides here:
On Mon, 17 Aug 2009, Miguel Medalha wrote:
Isn't that only for samba-ldap? Can I still use them if I am not running samba? I don't want to install and run Samba for no particular reason..
It can be used to create Posix accounts only.
The documentation resides here:
The samba-ldap tools are great. I don't use their mechanism to store the highest UID/GID in use. Instead, I use a script like the one below. It's interactive, but it'd be easy to modify to take command-line options for full name, username, etc.
----- %< -----
#!/bin/bash
#
# script for creating a new user account and its corresponding
# group account in Samba+LDAP environment using the smbldap tools
# (bash, not plain sh: the script relies on read -p, let and echo -e)
# ======================================================================

#
# let person running this script know what's about to happen
#
cat <<__eom__

You're about to create a new system account that allows general login and e-mail access. You'll need to know ahead of time the new user's preferred username and his or her full name. The system will take care of the rest...

__eom__

#
# figure out the highest UID and GID currently in production, but
# rule out really high numbers (greater than 8000) which are typically
# assigned to pseudo accounts like "nobody."
#
AWKTEST='END { print HUID } { if (($3 > HUID) && ($3 < 8000)) HUID = $3}'
HUID=$(/usr/bin/getent passwd | /bin/gawk -F: "$AWKTEST")
HGID=$(/usr/bin/getent group | /bin/gawk -F: "$AWKTEST")

#
# increment those UID and GID numbers by 1 for use with the new
# account
#
let HUID=$HUID+1
let HGID=$HGID+1

#
# poll for new account holder's username and full name.
#
read -p "Username: " UNAME
read -p "Full name: " FNAME

#
# test to see if username or associated group name is already in use.
# exit now if it is.
#
/usr/bin/getent passwd $UNAME >/dev/null
if test $? -eq 0; then
    echo "" >/dev/stderr
    echo "Sorry. Username $UNAME is already in use:" >/dev/stderr
    /usr/bin/getent passwd $UNAME >/dev/stderr
    echo "" >/dev/stderr
    echo "Exiting now." >/dev/stderr
    exit 1
fi
/usr/bin/getent group $UNAME >/dev/null
if test $? -eq 0; then
    echo "" >/dev/stderr
    echo "Sorry. Group $UNAME is already in use:" >/dev/stderr
    /usr/bin/getent group $UNAME >/dev/stderr
    echo "" >/dev/stderr
    echo "Exiting now." >/dev/stderr
    exit 1
fi

#
# ask the account creator to verify details of the new account. exit
# immediately if things are amiss.
#
echo
echo "Please verify the details of the new account:"
echo "============================================="
echo "Full name : $FNAME"
echo "Username  : $UNAME"
echo "UID       : $HUID"
echo "Group name: $UNAME"
echo "GID       : $HGID"
echo "============================================="
echo
read -p "Do you want to create that account [yes/No]? " ANSWER

case "$ANSWER" in
    [yY]es)
        echo
        echo "OK. Full steam ahead!"
        echo
        ;;
    [yY]*)
        echo
        echo "If you mean 'yes' then you have to type 'yes'"
        echo
        exit
        ;;
    *)
        echo
        echo "You're a cautious one. That's cool. Try again later."
        echo
        exit
        ;;
esac

#
# use the smbldap tools to create the new group account and then
# the new user account. those tools don't appear to set the Windows
# display-name attribute correctly, however, so use pdbedit for
# that task.
#
echo "Creating new group $UNAME with GID $HGID ..."
/usr/sbin/smbldap-groupadd -a -g $HGID $UNAME
echo "Creating new user $UNAME with UID $HUID ..."
/usr/sbin/smbldap-useradd -a -c "$FNAME" -g $HGID -u $HUID $UNAME
echo "Setting Windows display name for user $UNAME ..."
/usr/bin/pdbedit -f "$FNAME" $UNAME

#
# for now, create a random password for the new account, just
# to make sure account is not accessed accidentally ...
#
echo "Installing temporary random password for user $UNAME ..."
PASSW=$(/usr/bin/openssl rand -base64 12)
echo -e "$PASSW\n$PASSW" | /usr/bin/smbpasswd -s $UNAME

#
# all done!
#
echo
echo "done ... for now ..."
echo
----- %< -----
Hi,
On Mon, Aug 17, 2009 at 15:00, Eric B.ebenze@hotmail.com wrote:
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
You can try "libuser", it's available in CentOS 5 (yum install libuser) and apparently has support for LDAP.
"libuser" is an attempt to generalize the useradd/mod/del, groupadd/mod/del commands to work with generic backends. The implementation includes a module to work with an LDAP backend, I just don't know how functional/stable it is...
You can start by installing the package and having a look at /etc/libuser.conf, and at the commands luseradd, lgroupadd, ... (the same ones you already use, only with the "l" prefix.)
For more information: https://fedorahosted.org/libuser/
HTH, Filipe
You can try "libuser", it's available in CentOS 5 (yum install libuser) and apparently has support for LDAP.
"libuser" is an attempt to generalize the useradd/mod/del, groupadd/mod/del commands to work with generic backends. The implementation includes a module to work with an LDAP backend, I just don't know how functional/stable it is...
That is a very interesting information! Thank you!
"Filipe Brandenburger" filbranden@gmail.com wrote in message news:e814db780908171213h581bf267m10a95ab837be49d8@mail.gmail.com...
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
You can try "libuser", it's available in CentOS 5 (yum install libuser) and apparently has support for LDAP.
"libuser" is an attempt to generalize the useradd/mod/del, groupadd/mod/del commands to work with generic backends. The implementation includes a module to work with an LDAP backend, I just don't know how functional/stable it is...
You can start by installing the package and having a look at /etc/libuser.conf, and at the commands luseradd, lgroupadd, ... (the same ones you already use, only with the "l" prefix.)
For more information: https://fedorahosted.org/libuser/
Thanks. I tried it out but can't seem to get it to work for me. Doesn't display any error msgs, but doesn't actually do anything to the LDAP server. I've looked at the site, but it is incredibly bare; not even any links for mailing lists, support, etc. Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
Any thoughts where I can find more info?
Thanks,
Eric
On Aug 17, 2009, at 4:51 PM, "Eric B." ebenze@hotmail.com wrote:
Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
'man libuser.conf' worked well for me. from this doc you will learn that libuser requires either TLS or a ldaps:// URI.
-steve
"Steve Huff" shuff@vecna.org wrote in message news:3FA0BDAB-B7D0-42B7-8615-5A7FD2F84FBA@vecna.org...
On Aug 17, 2009, at 4:51 PM, "Eric B." ebenze@hotmail.com wrote:
Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
'man libuser.conf' worked well for me. from this doc you will learn that libuser requires either TLS or a ldaps:// URI.
I've read through libuser.conf and the specifics for the ldap server say: "A domain name or an URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS can not be used; an URI using the ldap protocol allows connection without TLS. Default value is ldap."
My libuser.conf reads: server ldap://snoopy.domain.com/
According to the man pages, this should allow for the connection without TLS.
Thoughts?
Thanks,
Eric
On Tue, Aug 18, 2009, Eric B. wrote:
"Steve Huff" shuff@vecna.org wrote in message news:3FA0BDAB-B7D0-42B7-8615-5A7FD2F84FBA@vecna.org...
On Aug 17, 2009, at 4:51 PM, "Eric B." ebenze@hotmail.com wrote:
Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
'man libuser.conf' worked well for me. from this doc you will learn that libuser requires either TLS or a ldaps:// URI.
I've read through libuser.conf and the specifics for the ldap server say: "A domain name or an URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS can not be used; an URI using the ldap protocol allows connection without TLS. Default value is ldap."
My libuser.conf reads: server ldap://snoopy.domain.com/
According to the man pages, this should allow for the connection without TLS.
Which man pages?
As I read it, the libuser.conf file specifically says that it requires TLS which can connect to the ldap: URL, then requests a secure connection. It sounds pretty sane to me that it requires a secure LDAP connection to handle user maintenance.
Bill
"Bill Campbell" centos@celestial.com wrote in message news:20090818153023.GA23290@ayn.mi.celestial.com...
Any ideas where I might be able to find some help for it? I enabled full logging on my OpenLDAP server, and I see it failing with TLS negotiation for some reason, even when I don't want it to use TLS.
'man libuser.conf' worked well for me. from this doc you will learn that libuser requires either TLS or a ldaps:// URI.
I've read through libuser.conf and the specifics for the ldap server say: "A domain name or an URI of the LDAP server. The URI can use the ldap or the ldaps protocol. When a simple domain name is used, the connection fails if TLS can not be used; an URI using the ldap protocol allows connection without TLS. Default value is ldap."
My libuser.conf reads: server ldap://snoopy.domain.com/
According to the man pages, this should allow for the connection without TLS.
Which man pages?
As I read it, the libuser.conf file specifically says that it requires TLS which can connect to the ldap: URL, then requests a secure connection. It sounds pretty sane to me that it requires a secure LDAP connection to handle user maintenance.
libuser.conf man page says that "a URI using the ldap protocol allows connection without TLS". I specified my server to be: server = ldap://snoopy.domain.com./
but still seems to fail on TLS.
So, just to be on the safe side, I generated a self-signed certificate for the OpenLDAP server (am using the default one that is installed in /etc/pki/tls/certs/). I restarted the openldap server, and tested it using Apache Directory Studio with TLS enabled. Works fine.
I then tried my luseradd command, but it still fails with the same errors negotiating the TLS certificate. I even tried modifying the /etc/ldap.conf file:
tls_checkpeer no
tls_reqcert never
but it still seems to fail with the same TLS error.
Any suggestions / ideas?
Thanks!
Eric
Hi,
On Tue, Aug 18, 2009 at 12:50, Eric B.ebenze@hotmail.com wrote:
Any suggestions / ideas?
I believe you have to copy the certificate to /etc/openldap/cacerts/ in the LDAP client. The certificate file name there is special, it should be hashed from the certificate data... I believe the easiest way to install it there is using the "authconfig" command and specifying the certificate URL.
You should also have TLS_CACERTDIR /etc/openldap/cacerts on /etc/openldap/ldap.conf (not only /etc/ldap.conf, they are different!)
I also did not have much luck with self-signed certificates with LDAP, I had to create a self-signed certificate for a "dummy" CA, and then use that certificate to sign a certificate for the LDAP server with the server's name as a cn.
I believe you should be able to test it using "ldapsearch" with the "-Z" and "-ZZ" options in order to require TLS and see if that works. I suggest you first get that part working fine before going on with your libuser configuration...
LDAP with TLS is kind of a pain to set up... but once it is running it really works OK.
HTH, Filipe
"Filipe Brandenburger" filbranden@gmail.com wrote in message news:e814db780908181007g454b680ar30aaaef7ab19a3b@mail.gmail.com...
Hi,
On Tue, Aug 18, 2009 at 12:50, Eric B.ebenze@hotmail.com wrote:
Any suggestions / ideas?
I believe you have to copy the certificate to /etc/openldap/cacerts/ in the LDAP client. The certificate file name there is special, it should be hashed from the certificate data... I believe the easiest way to install it there is using the "authconfig" command and specifying the certificate URL.
You should also have TLS_CACERTDIR /etc/openldap/cacerts on /etc/openldap/ldap.conf (not only /etc/ldap.conf, they are different!)
I also did not have much luck with self-signed certificates with LDAP, I had to create a self-signed certificate for a "dummy" CA, and then use that certificate to sign a certificate for the LDAP server with the server's name as a cn.
I believe you should be able to test it using "ldapsearch" with the "-Z" and "-ZZ" options in order to require TLS and see if that works. I suggest you first get that part working fine before going on with your libuser configuration...
LDAP with TLS is kind of a pain to set up... but once it is running it really works OK.
Thanks. You're a genius. I struggled a lot, but think I finally managed to get something working. I tried to follow the openldap faq at http://www.openldap.org/faq/data/cache/185.html for creating CA certificates, but my shell script is called CA not CA.sh.
I've done the following:
# cd /etc/pki/tls/misc/
# ./CA -newca
(filled in all prompted information, and gave it a pwd)
# openssl req -new -nodes -keyout newreq.pem -out newreq.pem
(filled in all prompted information)
# CA.sh -sign
# cp /etc/pki/CA/cacert.pem /etc/openssl/cacerts/
# cp newcert.pem /etc/openssl/ssl/servercrt.pem
# cp newreq.pem /etc/openssl/ssl/serverkey.pem
Then updated my slapd.conf to show:
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/ssl/servercrt.pem
TLSCertificateKeyFile /etc/openldap/ssl/serverkey.pem
Then updated /etc/ldap.conf to show:
tls_cacert /etc/openldap/cacerts/cacert.pem
Finally /etc/openssl/ldap.conf:
TLS_CACERT /etc/openldap/cacerts/cacert.pem
Restart the slapd daemon # service ldap restart
And I can finally get ldapsearch to work. Although I tried tls_cacertdir for both /etc/ldap.conf and /etc/openldap/ldap.conf and it doesn't work for some odd reason. Not sure why.
# ldapsearch -Z -x "(uid=eric)" <returns the ldif entry for uid=eric>
So next test was to create a new user. luseradd foo works perfect. I find it in my ldap tree as expected. All I had to do is modify the create_modules and modules to specify ldap only (to avoid it modifying the passwd and shadow files), and everything seems to be working.
Thanks for your help!
Eric
On Mon, 2009-08-17 at 15:00 -0400, Eric B. wrote:
Hi,
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
Is there not an easier / faster way?
Webmin http://www.webmin.com
Use the LDAP Users and Groups module
I use this everywhere I go
Craig
"Craig White" craigwhite@azapple.com wrote in message news:1250547989.4486.6.camel@lin-workstation.azapple.com...
On Mon, 2009-08-17 at 15:00 -0400, Eric B. wrote:
Hi,
Is there an equivalent of a useradd for systems that are using LDAP user management? I know I can build an LDIF file and import it, but it is a bit of a pain to do it manually all the time.
Is there not an easier / faster way?
Webmin http://www.webmin.com
Use the LDAP Users and Groups module
I use this everywhere I go
I'll take a look at it. But to be honest, I tried webmin years and years ago (maybe 8 or 10 or so?) and was somewhat disappointed with it. Plus, I found it to be a serious security hole at the time. Since then, I haven't really taken a look at it. Maybe I'll give it a quick look again. But I still would want a console-based option available.
Thanks,
Eric