On Tue, Oct 28, 2014 at 11:03:44AM -0300, Net Warrior wrote:
> 1 - Well, users only authenticate their passwords, nothing else, on the client side to login to the server, so I guess anon logins should not be allowed.
So is the LDAP service just used to provide passwd and group databases for Unix-like systems, and not for any other purpose?
> 2 - I use the Manager account to log in to the phpldapadmin console or Apache Directory Studio.
If my guess above is right then you have missed a very important class of LDAP user. Every Unix-like server must access LDAP data. Do your Unix/Linux systems bind to LDAP with specific DNs? (This will be configured in files such as /etc/ldap.conf, /etc/nslcd.conf, /etc/sssd.conf, etc.)
> 3 - Password and groups and ppolicy
> 4 - Using pam on the client side, a human is expected to provide username and password, which is working along with the ppolicy, expiration time, password length and so on. I can provide how it's configured if you want.
Right, so the account(s) used by the Unix-like systems must be able to search based on username, groupname, numeric UID and numeric GID. Those accounts must also be able to retrieve most attributes from the LDAP entries (though not the password value).
I assume you allow users to change their own passwords. How is this handled? Are users allowed to update any other details, or do all changes come to you?
Andrew
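As an added illustration of the access model Andrew describes (not part of the thread, and not anyone's actual configuration), an OpenLDAP cn=config ACL set with no anonymous access, a dedicated bind DN for the Unix clients, and self-service password changes. The suffix dc=example,dc=com and the service DN cn=nslcd,ou=services,dc=example,dc=com are assumed names.

```ldif
# Added example, not from the thread. Assumed names: suffix dc=example,dc=com,
# service bind DN cn=nslcd,ou=services,dc=example,dc=com used by the Unix clients.
# ACLs are evaluated in order; the first "to" clause matching the attribute wins.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: users may change their own. The service DN and anonymous get only
# "auth", which is enough for a simple bind to succeed without ever returning
# the stored value. Nobody gets "read", so the hash never leaves the server.
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="cn=nslcd,ou=services,dc=example,dc=com" auth
  by anonymous auth
  by * none
# shadowLastChange is updated by the client when a user changes their password
# through PAM, so the user needs write on their own entry; the service DN reads it.
olcAccess: {1}to attrs=shadowLastChange
  by self write
  by dn.exact="cn=nslcd,ou=services,dc=example,dc=com" read
  by * none
# Everything else (uid, uidNumber, gidNumber, memberUid, homeDirectory, ...):
# the service DN needs read (which includes search) to resolve names, UIDs and
# GIDs; a user may read their own entry; anonymous gets nothing.
# The rootdn (cn=Manager) bypasses these ACLs entirely.
olcAccess: {2}to *
  by dn.exact="cn=nslcd,ou=services,dc=example,dc=com" read
  by self read
  by * none
```

The rules can be checked offline with slapacl, e.g. `slapacl -b "uid=alice,ou=people,dc=example,dc=com" -D "cn=nslcd,ou=services,dc=example,dc=com" userPassword/read` should report the access as denied while `userPassword/auth` is allowed.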