On Friday 03 October 2008 14:11:26 Phill Edwards wrote:
> I have a linux server which provides a number of services such as samba, firewall, DNS, postfix, spam filtering etc to PCs on a small LAN. The client PCs on the LAN are Windows XP. I find it a pain when someone needs to change a password that you have to do it first on the PC, then make sure it's the same on the corresponding linux account and also for Samba. I thought I might use OpenLDAP so that there's only 1 password to change and was hoping I could use it to manage accounts. I've read a lot of HOWTOs but still have some questions.
> - Can I use an OpenLDAP frontend (eg JXplorer) and OpenLDAP to create new accounts on a linux machine, specify the group and have it create a new home dir etc (like when you run useradd)?
JXPlorer is a relatively generic LDAP frontend. I would probably set smbldap-tools up correctly, and consider setting samba up as a domain controller (with accounts in LDAP). If done correctly, and you really need a GUI on Windows, "User manager for Domains" would work ...
smbldap-tools includes LDAP-enabled equivalents of {user,group}{add,mod,del}. I personally don't worry too much about creating the home directory at creation of the account in LDAP, as I use pam_mkhomedir to ensure that users get their home directory created wherever appropriate.
(The samba-specific aspects here are best discussed on a samba list).
> - Does openldap replace the need to have the accounts in /etc/passwd?
No, but nss_ldap (not part of OpenLDAP) can read accounts from a directory server (including OpenLDAP), and present them to glibc as if they were in /etc/passwd.
The combination of nss_ldap and a directory server does replace the need for local accounts.
However, while you can authenticate users with nss_ldap (via pam_unix etc.), you may prefer to consider using pam_ldap (or even better, pam_krb5 with Kerberos also using the accounts in LDAP) instead.
> Once I've copied the existing linux accounts from /etc/passwd, should I delete them from /etc/passwd using userdel so that I don't have the account in two places?
Yes.
> - I also want to use OpenLDAP to provide a common address book which will be used mainly by Outlook. I know that Outlook can query the LDAP address book, but can it also update it?
Not natively.
> It seems that there are lots of apps to query OpenLDAP but updating the entries is a little arcane.
Kmail and Evolution both work fine for me. If your OS has bad LDAP support ... well ...
Regards, Buchan
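The "copy the existing linux accounts from /etc/passwd" step discussed above is, concretely, turning each passwd/shadow line into a posixAccount + shadowAccount entry that nss_ldap can then serve back to glibc. The script below is an added example written for this thread; it is not part of OpenLDAP, nss_ldap, smbldap-tools or migrationtools. The base DN ou=People,dc=example,dc=com, the UID cut-off of 1000 and the sample passwd/shadow lines (with placeholder hashes) are assumptions constructed for the illustration.

```python
"""Convert /etc/passwd (+ /etc/shadow) accounts into LDIF posixAccount entries.

Added example for the thread above; not code from OpenLDAP, nss_ldap or
smbldap-tools. The base DN, the UID cut-off and the sample files below are
assumptions constructed for this illustration.
"""
import base64

BASE_DN = "ou=People,dc=example,dc=com"  # assumption: where user entries live
MIN_UID = 1000                            # assumption: lower UIDs are system accounts, kept local

# Constructed sample input, not from any real host. Hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
phill:x:1000:1000:Phill Edwards,,,:/home/phill:/bin/bash
mary:x:1001:1001:Mary Ö:/home/mary:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERROOTHASH:17800:0:99999:7:::
phill:$6$saltsalt$PLACEHOLDERPHILLHASH:17800:0:99999:7:::
mary:!:17800:0:99999:7:::
"""


def ldif_attr(name, value):
    """Render one attribute line per RFC 2849: use base64 (':: ') when the value
    is empty, non-ASCII, starts with space/colon/'<', contains NUL/CR/LF or ends
    with a space; otherwise the plain ': ' form."""
    unsafe = (not value or not value.isascii() or value[0] in " :<"
              or any(c in "\0\r\n" for c in value) or value.endswith(" "))
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def parse_shadow(shadow_text):
    """Map user -> [hash, lastchange, min, max, warn] from /etc/shadow lines."""
    out = {}
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 9:
            out[fields[0]] = fields[1:6]
    return out


def passwd_entries(passwd_text, shadow_text="", min_uid=MIN_UID):
    """Parse /etc/passwd, skip system accounts (uid < min_uid) so root and
    daemons stay local, and attach each remaining user's shadow record."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        user, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue
        entries.append({"user": user, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell,
                        "shadow": shadow.get(user)})
    return entries


def entry_to_ldif(e, base_dn=BASE_DN):
    """Build one entry with the top/account/posixAccount/shadowAccount classes,
    the combination nss_ldap expects for a user."""
    full_name = e["gecos"].split(",")[0].strip() or e["user"]
    lines = [
        ldif_attr("dn", f"uid={e['user']},{base_dn}"),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_attr("uid", e["user"]),
        ldif_attr("cn", full_name),
        ldif_attr("uidNumber", str(e["uid"])),
        ldif_attr("gidNumber", str(e["gid"])),
        ldif_attr("homeDirectory", e["home"]),
        ldif_attr("loginShell", e["shell"]),
    ]
    # gecos is an IA5String in nis.schema, so only an ASCII value is legal there.
    if e["gecos"] and e["gecos"].isascii():
        lines.append(ldif_attr("gecos", e["gecos"]))
    if e["shadow"]:
        pw_hash, last, mn, mx, warn = e["shadow"]
        # '!' or '*' (or a '!'-prefixed hash) marks a locked account: emit no
        # userPassword at all so it stays unusable for password authentication.
        if pw_hash and pw_hash[0] not in "!*":
            lines.append(ldif_attr("userPassword", "{CRYPT}" + pw_hash))
        for attr, val in (("shadowLastChange", last), ("shadowMin", mn),
                          ("shadowMax", mx), ("shadowWarning", warn)):
            if val:
                lines.append(ldif_attr(attr, val))
    return "\n".join(lines) + "\n"


def passwd_to_ldif(passwd_text, shadow_text="", base_dn=BASE_DN, min_uid=MIN_UID):
    """Full conversion: one blank-line-separated LDIF entry per non-system user."""
    return "\n".join(entry_to_ldif(e, base_dn)
                     for e in passwd_entries(passwd_text, shadow_text, min_uid))


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW), end="")
```

The output is fed to ldapadd against the server; the crypt hashes are imported as-is under the {CRYPT} scheme, so users keep their current passwords and slapd must be built with crypt support for them to bind. Before deleting anything from /etc/passwd on the nss_ldap client, confirm with `getent passwd <user>` that the entry now resolves from the directory, and keep root and the service accounts (the UIDs the script skips) in the local files with `passwd: files ldap` in nsswitch.conf so the box remains usable when the directory is unreachable.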