
Re: Debian and LDAP



Aaron Isotton said:
>
> - How can I manage the accounts in a sensible way?  useradd and the like
> seem not to use PAM, so I can't use them; until now I've used
> directory-administrator and gq to manage the accounts, but I have a strong
> dislike for GUI programs for such tasks.  I know I can use
> ldapadd/ldapmodify to manage accounts, but I'm not yet good enough in LDIF
> to do that.  Is there any useradd-like tool which uses PAM?

I use ldapexplorer in combo with ldapmodify/ldapadd. I plan someday
to write a Perl script to manage users; I'm still a Perl newbie though.

> - Using useradd etc every user has also his own group.  Do I *really* have
> to create all of them by hand?

If you want each user in their own group, then yeah.


> - How do I add a user to more than one group?

Set the memberUid attribute in the group,
e.g.

dn: cn=cdwrite,ou=Group,o=aphroland,c=us
objectClass: posixGroup
objectClass: top
cn: cdwrite
gidNumber: 80
memberUid: aphro
memberUid: laze


> - I'd like to allow some users to log in on the server (via ssh, for
> example) and others not BUT everybody should be able to log in to the
> workstations (which authenticate off the server).  Thus setting the shell
> to /bin/false is not an option.  It'd be ideal if it could be done by
> group (ex. all users in the group "it" can log in on the server, the
> others can't).  Is there any solution for this?

This should work for your needs:
http://howto.aphroland.de/HOWTO/LDAP/ConfiguringHostBasedAccessWithLDAP

nate
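
Added example, not part of the original message or written by either poster: a small useradd-like generator that emits the LDIF for a user, the same-named private group, and the memberUid additions for supplementary groups, suitable for piping to ldapmodify. Names are validated before they reach the LDIF so that a newline in a name cannot smuggle in extra attributes or records. The ou=People container, the home directory and shell defaults, and the equal uidNumber/gidNumber are assumptions; the base DN and ou=Group come from the entry quoted above.

```python
import base64
import re

BASE_DN = "o=aphroland,c=us"   # base DN from the post's example entry
GROUP_OU = "ou=Group"          # group container from the post's example entry
PEOPLE_OU = "ou=People"        # assumption: container for user entries
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative account-name pattern

def ldif_attr(name, value):
    """One LDIF line; values that are not an RFC 2849 SAFE-STRING are base64-encoded."""
    value = str(value)
    safe = value == "" or (value[0] not in " :<" and value[-1] != " "
                           and all(0 < ord(c) < 128 and c not in "\r\n" for c in value))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def user_ldif(uid, id_number, full_name, extra_groups=()):
    """LDIF for a user, a same-named private group, and memberUid additions."""
    for name in (uid, *extra_groups):
        # fullmatch, not match: "$" would accept a trailing newline, and a newline in a
        # name could smuggle extra attribute lines or whole records into the LDIF
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe account or group name: {name!r}")
    num = int(id_number)  # assumption: uidNumber and the private gidNumber are equal
    records = [[
        f"dn: uid={uid},{PEOPLE_OU},{BASE_DN}", "changetype: add",
        "objectClass: top", "objectClass: account", "objectClass: posixAccount",
        ldif_attr("cn", full_name), f"uid: {uid}",
        f"uidNumber: {num}", f"gidNumber: {num}",
        f"homeDirectory: /home/{uid}", "loginShell: /bin/bash",  # assumed defaults
    ], [
        f"dn: cn={uid},{GROUP_OU},{BASE_DN}", "changetype: add",
        "objectClass: top", "objectClass: posixGroup",
        f"cn: {uid}", f"gidNumber: {num}",
    ]]
    for group in extra_groups:
        # supplementary membership is a memberUid value on the group entry
        records.append([f"dn: cn={group},{GROUP_OU},{BASE_DN}", "changetype: modify",
                        "add: memberUid", f"memberUid: {uid}"])
    return "\n\n".join("\n".join(r) for r in records) + "\n"

if __name__ == "__main__":
    # constructed sample user; "cdwrite" is the group from the post
    print(user_ldif("jdoe", 2001, "Jörg Doe", ["cdwrite"]), end="")
```

Every record carries an explicit changetype, so the output behaves the same whether it is fed to ldapadd or ldapmodify.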




