On Sep 18, 2016, at 2:25 PM, John Lewis oflameo2@gmail.com wrote:
Right now I am trying to weigh my options for maintaining my POSIX accounts on an OpenLDAP tree.
I learned today that ldap templates in ldapscripts really don't work, so if I want to go on using ldapscripts, I would have to run ldapmodify after every account is created to get the gecos configured properly and have a kerberos principal configured.
You could use an IdM product like midPoint to manage the RFC2307ish attributes in the directory.
https://wiki.evolveum.com/display/midPoint/LDAP+PosixAccount+and+PosixGroup+...
On 19 September 2016 at 14:01, Shawn McKinney smckinney@symas.com wrote:
On Sep 18, 2016, at 2:25 PM, John Lewis oflameo2@gmail.com wrote:
Right now I am trying to weigh my options for maintaining my POSIX accounts on an OpenLDAP tree.
I learned today that ldap templates in ldapscripts really don't work, so if I want to go on using ldapscripts, I would have to run ldapmodify after every account is created to get the gecos configured properly and have a kerberos principal configured.
You could use an IdM product like midPoint to manage the RFC2307ish attributes in the directory.
https://wiki.evolveum.com/display/midPoint/LDAP+PosixAccount+and+PosixGroup+Management
For a long time I have been using LdapAdmin http://www.ldapadmin.org/
It is portable, no installation needed.
I am using it mainly to manage OpenLdap, but I am also managing ActiveDirectory (only some features), Nokia NDS, etc.
No problems so far.
Saša-Stjepan Bakša wrote:
On 19 September 2016 at 14:01, Shawn McKinney smckinney@symas.com wrote:
On Sep 18, 2016, at 2:25 PM, John Lewis oflameo2@gmail.com wrote:
Right now I am trying to weigh my options for maintaining my POSIX accounts on an OpenLDAP tree.
I learned today that ldap templates in ldapscripts really don't work, so if I want to go on using ldapscripts, I would have to run ldapmodify after every account is created to get the gecos configured properly and have a kerberos principal configured.
You could use an IdM product [..]
For long time I am using
IMO it would be better to just refer to the FAQ index entry:
http://www.openldap.org/faq/data/cache/271.html
And add/update missing entries/information therein.
To the original poster: While I'm the author of one such tool (and therefore personally biased towards that) I'd recommend to use your favourite scripting language with a decent LDAP module to write your own custom tool. With such a solution you have full control and you can easily make use of any existing data in your organization without having to setup a big infrastructure.
Ciao, Michael.
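The post-creation ldapmodify step John describes (setting gecos and a Kerberos principal on an account ldapscripts has just created) is exactly the kind of small custom tool Michael suggests writing. The following is an added example, not code from any poster in this thread or from ldapscripts: it generates the LDIF change record for ldapmodify and shows two details a home-brew script tends to get wrong. First, LDIF (RFC 2849) requires base64 form (`attr::`) for values that are not plain ASCII or that start with a space, colon or `<`. Second, in the RFC 2307 schema gecos is an IA5 (ASCII-only) string, so a name such as "Saša" can go into cn but must be transliterated for gecos or the server rejects the modify. The base DN, realm, and the `krbPrincipalAux` / `krbPrincipalName` names from the MIT Kerberos LDAP schema are assumptions; adding the principal attribute does not create key material, which the KDC tooling still has to do.

```python
import base64
import unicodedata

# Assumed layout: accounts live under this base DN and the KDC uses the MIT
# Kerberos LDAP schema (krbPrincipalAux / krbPrincipalName). Both are assumptions
# for this example; adjust to your tree and schema.
BASE_DN = "ou=People,dc=example,dc=com"
REALM = "EXAMPLE.COM"


def needs_base64(value: str) -> bool:
    """RFC 2849: a value must be base64-encoded (`attr::`) unless it is a
    SAFE-STRING: ASCII only, no NUL/CR/LF, not starting with space, ':' or '<',
    and (by recommendation) not ending with a space."""
    if value == "":
        return False
    if not value.isascii() or any(c in "\x00\r\n" for c in value):
        return True
    return value[0] in " :<" or value.endswith(" ")


def ldif_line(attr: str, value: str) -> str:
    """Render one attribute-value line, in base64 form when LDIF requires it."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def fold(line: str, width: int = 76) -> str:
    """Wrap long lines the LDIF way: continuation lines start with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ascii_gecos(text: str) -> str:
    """gecos is an IA5 (ASCII) string in the RFC 2307 schema, so strip diacritics.
    Anything still non-ASCII is an error rather than a silently rejected modify."""
    stripped = "".join(
        c for c in unicodedata.normalize("NFKD", text) if not unicodedata.combining(c)
    )
    if not stripped.isascii():
        raise ValueError(f"gecos must be ASCII, got {text!r}")
    return stripped


def posix_fixup_ldif(uid: str, full_name: str, room: str = "", phone: str = "",
                     base_dn: str = BASE_DN, realm: str = REALM) -> str:
    """Build the ldapmodify change record for an account ldapscripts already
    created: full UTF-8 name in cn, ASCII gecos, and the Kerberos principal."""
    dn = f"uid={uid},{base_dn}"
    gecos = ",".join([ascii_gecos(full_name), room, phone])  # classic gecos fields
    lines = [
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: cn",
        ldif_line("cn", full_name),  # cn is a Directory String: UTF-8 is fine
        "-",
        "replace: gecos",
        ldif_line("gecos", gecos),  # IA5 only, see ascii_gecos()
        "-",
        "add: objectClass",
        "objectClass: krbPrincipalAux",  # assumed MIT Kerberos LDAP schema
        "-",
        "add: krbPrincipalName",
        ldif_line("krbPrincipalName", f"{uid}@{realm}"),
        "-",
    ]
    return "\n".join(fold(line) for line in lines) + "\n"


if __name__ == "__main__":
    import sys

    # Constructed sample account when run without arguments.
    uid, name = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("sbaksa", "Saša-Stjepan Bakša")
    print(posix_fixup_ldif(uid, name), end="")
```

The output is meant to be piped straight into the client after the ldapscripts call, for example `python3 fixup.py jdoe "Jane Doe" | ldapmodify -H ldapi:/// -Y EXTERNAL`; the trailing `-` after each modification is what RFC 2849 requires and what OpenLDAP's ldapmodify expects.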
On 09/20/2016 09:56 AM, Michael Ströder wrote:
While I'm the author of one such tool (and therefore personally biased towards that) I'd recommend to use your favourite scripting language with a decent LDAP module to write your own custom tool. With such a solution you have full control and you can easily make use of any existing data in your organization without having to setup a big infrastructure.
While I'm the author of another such tool (and therefore also personally biased) I would suggest against home-brew development, unless you have at least 2-5 man-years at your disposal. Developing an IDM solution is much (much!) harder than it seems. Been there, done that. My recommendation would be to reuse something that is already there. It is almost always better to join an existing project than to re-invent the square wheel over and over again. There are several projects to choose from.
Unless of course your requirements are extremely simple and they will remain simple forever. In that case even a home-brew solution might work.
openldap-technical@openldap.org