LDAP Administration Tool
I've gotten around to packaging some of the stuff I'm using when I'm
administering the users on "my" installations.
And since you're missing a tool to administer the LDAP installation in
Debian-Edu, I've made it available. It's a rewrite of a bunch of tools;
not everything is in there yet. Here is what's on the todo list so far.
Add support for:
- Disabling accounts (set a new password for now)
- Removing users
- Mass import of users
- Letting the users decide on their own password
- Machine administration (including net-group)
- Automount information
The package is available from
http://bzz.no/~finnarne/lwat/
One difference between my installations and a DebianEdu installation is
that I don't have one single OU for all the users
(ou=People,dc=skole,dc=skolelinux,dc=no), but instead use one OU for each
school, and different OUs for students (Users) and teachers (admins).
So typically there are:
ou=studprimry,dc=some,dc=org
ou=studsecondary,dc=some,dc=org
ou=teachprimary,dc=some,dc=org
ou=teachsecondary,dc=some,dc=org
This means that it's easy for me to add the rights to change passwords on
the children's school to some, and to change the password on the you
To make it easier to give _some_ local admins the rights to add users as
well, the users' personal groups are stored in the same OU as the user
account.
A second thing that is nice to have is an address book in LDAP. Instead
of having to manage a different tree for the contacts (well, contacts can
have their own tree, but not users...) I prefer to use the objectClass
courierMailAccount instead of the home-brewed imapUser.
To make use of courierMailAccount, you need to run these commands:
cp /usr/share/doc/courier-authlib-ldap/authldap.schema.gz \
/etc/ldap/schema
gunzip /etc/ldap/schema/authldap.schema.gz
Then add authldap.schema to the schema section of /etc/ldap/slapd.conf,
and restart slapd.
Also, I don't normally use the lisGroup thing, so it had to be added
back. I do expect some bugs there.
About authentication:
When you're asked for a username or password, it tries to look up the
user in LDAP. If you enter admin and the LDAP admin password, you will
connect as LDAP admin. You can also enter your normal username and user
password, and you will get the permissions your user is set up with.
The password for the authenticated user is stored in a cookie, using a
session key from the server to "encrypt" the password (strings are XOR'ed).
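An added example (not lwat's own code) of the cookie scheme just described, XOR of the password with a server-held session key, next to an alternative that keeps the password out of the cookie altogether; the class names, the sample password and the session key below are constructed for illustration.

```python
"""Added example, not part of lwat: the XOR cookie scheme beside a
server-side session alternative. All names and values are constructed."""
import secrets
from typing import Dict, Optional, Tuple


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the (repeated) key. The operation is its own
    inverse, so anyone holding both the cookie and the session key
    reads the password straight back; this is obfuscation, not encryption."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def cookie_roundtrip(password: str, session_key: bytes) -> Tuple[bytes, str]:
    """The scheme from the post: the browser stores the XORed password,
    the server XORs it again with the same key to get the bind password."""
    cookie = xor_obfuscate(password.encode(), session_key)
    recovered = xor_obfuscate(cookie, session_key).decode()
    return cookie, recovered


class ServerSideSessions:
    """Alternative: keep the LDAP bind credentials in server memory and
    hand the browser only an unguessable random session id. A leaked
    cookie then contains no password material at all."""

    def __init__(self) -> None:
        self._store: Dict[str, Tuple[str, str]] = {}

    def create(self, username: str, password: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._store[sid] = (username, password)
        return sid

    def credentials(self, sid: str) -> Optional[Tuple[str, str]]:
        """Look up the bind credentials for a presented session id."""
        return self._store.get(sid)

    def logout(self, sid: str) -> None:
        """Dropping the entry invalidates the cookie immediately, something
        the XOR scheme cannot do without rotating the server key."""
        self._store.pop(sid, None)


if __name__ == "__main__":
    cookie, back = cookie_roundtrip("s3cret", b"constructed-session-key")
    print(cookie.hex(), back)           # cookie bytes, then the password again
    sessions = ServerSideSessions()
    sid = sessions.create("finnarne", "s3cret")
    print(sessions.credentials(sid))   # ('finnarne', 's3cret')
```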
To get it to work on the test02 image:
First it's nice to enable apt to fetch packages from your favourite
apt source (the needed packages are not available on the test02 CD),
then fetch and install lwat:
wget http://bzz.no/~finnarne/lwat/lwat_0.4-0_all.deb
dpkg -i lwat_0.4-0_all.deb
You will get some errors, so you need to run
aptitude install
and make sure you get the dependencies into place.
I pressed "n" to the suggested solutions until it suggested this:
Install the following packages:
libapache2-mod-php5 [5.2.0-7 (testing)]
libcrypt-smbhash-perl [0.12-1 (testing)]
libdigest-md4-perl [1.5-1 (testing)]
libxml2 [2.6.27.dfsg-1 (testing)]
php5-common [5.2.0-7 (testing)]
php5-ldap [5.2.0-7 (testing)]
This will download 3430kB
Also, there is some bug in the setup of slapd, so the indices are wrong,
and stuff. It may be a result of trying to use slapadd as root and not
as the user openldap. Here is a trick that solves the problem:
invoke-rc.d slapd stop
slapindex
chown openldap:openldap /var/lib/ldap/*
invoke-rc.d slapd start
Then I pointed my browser to "http://tjener/lwat/".
Of course, I should have used SSL instead, but that's another issue.
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642