several questions about ldap (adding new groups/users/etc)
Forum: Linux - Server. This forum is for the discussion of Linux software used in a server-related context.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
Sorry for the generic thread title, but I'm not sure how to cram my questions into a short subject.
I have successfully set up an LDAP server on a CentOS 5.2 server. I can log onto a client machine using the user I created. My questions are geared towards maintenance as my user/group lists grow.
What's the best way to add new users and new groups?
I've seen several references to migrating the passwd/shadow files into LDAP files, but I'm not sure I want to go that route. I'd rather keep all the users/groups in the LDAP directory and avoid having them locally on my LDAP server and then migrating them into LDAP.
I created an initial groups.ldif file and an initial users.ldif file. But if I try to add new users and groups I get this error:
modifying entry "cn=test,ou=Group,dc=domain,dc=com"
ldap_modify: No such object (32)
        matched DN: ou=Group,dc=domain,dc=com
I can add a new file and run the same command with the new file name and it runs successfully. But I would rather not have a new file every time I create a new user/group.
Quote:
What's the best way to add new users and new groups?
IMHO the best way to add entries in OpenLDAP is to use ldapadd with the appropriate LDIF file.
Quote:
I can add a new file and run the same command with the new file name and it runs successfully. But I would rather not have a new file every time I create a new user/group.
If you prefer using the ldapmodify utility with the same LDIF (by adding entries at the end of the file), then you have to use the -ac options (add, and continue on errors):
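As an added example (my own script, not code from the thread or from OpenLDAP's documentation), here is a POSIX sh script that generates the LDIF for a new posixGroup and posixAccount under the ou=Group layout seen in the error output above and loads it with ldapmodify -a -c as the reply suggests. ldapadd is the same binary as ldapmodify with -a implied, so "No such object (32)" against a DN that does not exist yet is exactly what plain ldapmodify reports when it is asked to modify an entry that was never added. The suffix dc=domain,dc=com comes from the error output; the rootdn cn=Manager, the ou=People container, the uid/gid numbers, the home directory, the login shell and the file name new.ldif are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build LDIF for a new posixGroup and
# posixAccount, then load it with ldapmodify -a -c.
# Assumptions: suffix dc=domain,dc=com, rootdn cn=Manager, people under ou=People.
set -eu

BASE_DN="dc=domain,dc=com"          # assumed suffix (matches the thread's error output)
BIND_DN="cn=Manager,${BASE_DN}"    # assumed rootdn from slapd.conf

# One posixGroup entry. Linux clients need gidNumber; memberUid (secondary
# members) can be added now or later with a "changetype: modify" LDIF.
posix_group_ldif() {
    # $1 = group name, $2 = gidNumber
    cat <<EOF
dn: cn=$1,ou=Group,${BASE_DN}
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2

EOF
}

# One posixAccount entry. account + posixAccount + shadowAccount is the
# combination migrationtools writes; it needs only cosine.schema and nis.schema.
posix_account_ldif() {
    # $1 = uid, $2 = uidNumber, $3 = primary gidNumber, $4 = password hash from slappasswd
    cat <<EOF
dn: uid=$1,ou=People,${BASE_DN}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $1
uidNumber: $2
gidNumber: $3
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $4

EOF
}

# Load a growing LDIF. -a treats every entry as an add (ldapadd is ldapmodify -a);
# -c keeps going past "Already exists (68)" for entries loaded on an earlier run,
# so the same file can be appended to and re-applied.
load_ldif() {
    # $1 = path to LDIF file
    ldapmodify -a -c -x -D "${BIND_DN}" -W -H ldap://localhost -f "$1"
}

# Usage (assumed file and names): sh newuser.sh demo
if [ "${1:-}" = "demo" ]; then
    HASH=$(slappasswd -s 'ChangeMe1!')   # {SSHA} hash; never put the plaintext in the LDIF
    {
        posix_group_ldif webdev 10010
        posix_account_ldif bob 10010 10010 "$HASH"
    } > new.ldif
    load_ldif new.ldif
fi
```

The blank line after each entry is what separates records in LDIF, so the heredocs deliberately end with one. Keep the generated file readable only by root: even though userPassword holds a hash, the file is a copy of your directory data and the ldapmodify -W prompt exists precisely so the rootdn password never ends up in a script or shell history.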
Decided to install phpldapadmin to see if it would be easier to manage my users, etc. So far I like it; it does make adding users/groups easier. But one thing I can't figure out is how to add multiple groups to a user.
When I add a user I can add a gidNumber for its primary group, but I can't figure out how to add secondary groups. I have several groups added in their own OU.
Any hints on how to add multiple groups to a user?
Hmmmm, I followed the link and wasn't smart enough to figure it out based on the discussion, so I googled groupOfNames and found a way to add it using phpldapadmin. Upon further review I don't think this is going to work for me. I need to add users to groups so they can perform work on the servers as a member of a group. Say I want my web guy to edit the website, so I add him to the apache group, but I also need him to be part of the mysql group because some of the website functions run through MySQL. He needs to be a member of both groups. Right now I can only assign him to one group.
I think groupOfNames is for organization, maybe? And not to grant access.
Actually, I've searched for the memberOf attribute in OpenLDAP and ended up on that link.
I'm aware of this attribute because we also use the Sun ONE Directory Server, where it is available, along with ACLs defining roles for users depending on this attribute. Sort of what you want to do with OpenLDAP.
You can give it a try, as it's free for download, and see if it fits your needs.
BTW, what happens if you assign more than one member attribute to a user, like in the example in the link I gave you? Assuming of course that you have also added the groupOfNames objectClass.
I've already removed those entries. But from what I can remember, it created a listing under my Group OU with the new cn=newgroupname, and it had as members the two members I added. But there was no gidNumber or any number suggesting that it had any group-level privileges, and when I did an "id username" on one of my LDAP clients it just listed its original group.
I think some combination of ldapmodify and something along this line should work. I've tried several different combos and keep getting errors.
When I tried that (changing the values for my setup) it actually added a new group under my Group list. There has to be a way to add a group to a user through something similar.
Turns out I was making this much harder than it was.
When I made my groups under ou=Group,dc=domain,dc=com I didn't create them right, even though I had created them as posixGroup. I added a new one in phpldapadmin and it let me give it a gidNumber and memberUid. I can just add members to memberUid and it adds them to that group.
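To do the same thing from the command line, here is an added example (my own, not code from the thread or from phpldapadmin) that appends memberUid values to existing posixGroup entries with a "changetype: modify" LDIF, which is what phpldapadmin writes behind the scenes when you add a member, and then checks the result from a client that resolves groups through nss_ldap. The group names apache and mysql and the user bob are taken from the scenario described earlier in the thread; the suffix dc=domain,dc=com comes from the error output; the rootdn cn=Manager is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): add an existing LDAP user to extra
# posixGroups by appending memberUid values, then verify on a client.
# Assumptions: suffix dc=domain,dc=com, rootdn cn=Manager, groups under ou=Group.
set -eu

BASE_DN="dc=domain,dc=com"
BIND_DN="cn=Manager,${BASE_DN}"

# LDIF fragment that appends one uid to one group. "add:" leaves the existing
# memberUid values in place. The group entry must already exist, otherwise slapd
# answers "No such object (32)", the same code the original post saw when
# ldapmodify was run without -a against entries that had never been added.
add_member_ldif() {
    # $1 = group cn, $2 = uid to add
    cat <<EOF
dn: cn=$1,ou=Group,${BASE_DN}
changetype: modify
add: memberUid
memberUid: $2

EOF
}

# Mirror image, for taking someone out of a group when they change roles.
del_member_ldif() {
    # $1 = group cn, $2 = uid to remove
    cat <<EOF
dn: cn=$1,ou=Group,${BASE_DN}
changetype: modify
delete: memberUid
memberUid: $2

EOF
}

# Build one LDIF stream covering every requested group and feed it to a single
# ldapmodify run. -c continues past "Type or value exists (20)" for groups the
# user is already in, so re-running the grant is harmless.
grant_groups() {
    # usage: grant_groups bob apache mysql
    user=$1
    shift
    for g in "$@"; do
        add_member_ldif "$g" "$user"
    done | ldapmodify -c -x -D "${BIND_DN}" -W -H ldap://localhost
}

# On a client that resolves groups through nss_ldap, confirm the change landed.
# If nscd is running, its group cache may hide the change: run "nscd -i group" first.
verify_membership() {
    # $1 = uid, $2 = group cn
    id -Gn "$1"           # primary group followed by every group listing $1 in memberUid
    getent group "$2"     # fourth field is the memberUid list
}
```

One check worth doing before granting access this way: if a group with the same name also exists in /etc/group on the client (apache and mysql usually do, created by the packages), `getent group apache` under `group: files ldap` returns the local entry first. Give the LDAP group the same gidNumber as the local one, or pick a different name, so you do not end up with two groups sharing a name but not a gid.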