[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Ldap Administration Tool

I've gotten around to package some of the stuff I'm using when I'm
administrating the users on "my" installations.

And since you're missing a tool to Administrate the ldap installation in
Debian-Edu, I've made it available. It's a rewrite of a bunch of tools,
not everything is in there yet, here is what's on the todo-list so far.
Add support for
- Disabling account (set new password for now)
- Removing users
- Mass import users
- Letting the users decide on their own password
- Machine Administration. (including net-group)
- Automount information

The package is availlible from

One difference between my installations and a DebianEdu installation is
that I don't have one single OU for all the users
(ou=People,dc=skole,dc=skolelinux,dc=no), but instead use on ou for each
school, and different OU for students(Users) and Teachers(admins).
So typically there is a

This means that its easy for me to add the rights to change password on
the children's school to some, and to change the password on the you
To make it easier to give _some_ local admins the rights to add users as
well, the users personal groups are stored in the same ou as the user

A second thing that is nice to have, is an address book in ldap. instead
of having to manage a different tree for the contacts (well contacts can
have their own tree, but not users...) I prefer to use the objectClass
courierMailAccount, instead of the home brewed imapUser.
To make use of courierMailAccount, you need to run these commands:
 cp /usr/share/doc/courier-authlib-ldap/authldap.schema.gz \
 gunzip /etc/ldap/schema/authldap.schema.gz
Then add authldap.schema to the schema section of /etc/ldap/slapd.conf,
and restart slapd

Also I don't normally use the lisGroup thing, so it had to be added
back.  I do expect some bugs there.

About authentication:
 when you're asked for a username or password, it tries to look up the
user in ldap. if you enter admin and the ldap admin password, you will
connect as ldap admin. you can also enter you normal username, and user
password, and you will get the permission your users is set up with.
The password for the authenticated user are stored in a coockie, using a
session key from the server to "encrypt" the password (strings are xor'ed).

To get it to work on the test02-image:
First it's nice to enable apt to fetch packages from your favourite
apt-source (the needed packages are not availible on the test02 cd)
then fetch and install lwat:
 wget http://bzz.no/~finnarne/lwat/lwat_0.4-0_all.deb
 dpkg -i lwat_0.4-0_all.deb
you will get some errors, so you need to
 aptitude install
and make sure you get the dependencies into place
I pressed "n" to the suggested solutions, until it suggested this:
 Install the following packages:
 libapache2-mod-php5 [5.2.0-7 (testing)]
 libcrypt-smbhash-perl [0.12-1 (testing)]
 libdigest-md4-perl [1.5-1 (testing)]
 libxml2 [2.6.27.dfsg-1 (testing)]
 php5-common [5.2.0-7 (testing)]
 php5-ldap [5.2.0-7 (testing)]

This will download 3430kB

Also, there is some bug in the setup of slapd, so the indeces are wrong,
and stuff. It may be a result of trying to use slapadd as root, and not
as the user openldap. Here is a trick that solves the problem
 invoke-rc.d slapd stop
 chown openldap:openldap /var/lib/ldap/*
 invoke-rc.d slapd start

then I pointed my browser to "http://tjener/lwat/";

Of course, I should have used ssl instead, but that's another issue.

Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642

Reply to: