Thanks Carlos! I've followed through and it worked. Now I've tried to add a couple of groups using both YaST and groupadd and noticed that the groups after being added appear differently in the tree: # ldapsearch -x -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" 'objectclass=*' -W Added with YaST2; # pietro_blocks, bioinfo, biocl.weizmann.ac.il dn: cn=pietro_blocks,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il cn: pietro_blocks gidNumber: 6972 objectClass: top objectClass: namedObject objectClass: posixGroup Added with groupadd: # pietro_lab, bioinfo, biocl.weizmann.ac.il dn: cn=pietro_lab,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il objectClass: posixGroup objectClass: groupOfNames cn: pietro_lab gidNumber: 6973 member: Do you know why the difference and how should I proceed about this? I need to do a bulk add of both groups and users. Also I need to delegate the user management to someone who probably won't run YaST2. On Thu, Apr 10, 2008 at 10:28 PM, Carlos Lorenzo Matés wrote:

Hi

El Jueves, 10 de Abril de 2008, Michael Green escribió:

...

Hi,

I'm LDAP newbie, finding my way with configuration of the my first LDAP server on SLES10 SP1.

The requirement is that users that access the server via ssh should be authenticated against locally running (i.e. on the same server) LDAP server.

1. Should I install PAM-LDAP rpm package to make such setup work?

2. What is the role of NSS_LDAP package? My understanding it has something to do with nsswitch.conf? Must it be installed is well?

This is a very basic SLES setup, you only had to go to Yast and select eh Ldap client and tell you want users autentified against ldap, then yast will install the required packages

also, if you hadn't done it, you should add the default ldap configuration for storing user accounts and groups (in the same ldap client module)

the steps from the base installations should be as follows:

1. enter Yast 2. go to network services 3. go to Ldap server 4. add your ldap domain 5. go to ldap client 6. select autentificate users against the ldap server 7. select the options to install the default configuration for autentifications of users and groups

now you will be able to add users to your ldap installation with manage users and groups in yast

and login via ssh in your sles box

HTH

-- Warm regards, Michael Green -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Ralf, Thank you for your clear and detailed explanation! I don't mind at all to send the enhancement request. Which type of ER is most appropriate for that: "Feature Enhancement" or "Problem with Existing Problem" or it doesn't matter? Another q: While trying to add my _first_ user via useradd I stumbled upon the following error: gene2:~ # useradd -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" --service ldap lssafran Enter LDAP Password: Cannot find base ou for new users. LDAP information update failed: Operations error I've also noticed, that after having added at _least_ one user via YaST, I can then add any number of users via useradd without problem. Can this error be avoided without using YaST, i.e. by adding the first and all subsequent users via useradd only? And by the way, as in case of groups, users added via YaST and via useradd appear differently in ldapsearch: # User lssafran was added via YaST dn: uid=lssafran,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il cn: Marilyn Safran gidNumber: 6971 givenName: Marilyn homeDirectory: /home/lssafran loginShell: /bin/bash objectClass: top objectClass: posixAccount objectClass: inetOrgPerson sn: Safran uid: lssafran uidNumber: 3208 userPassword:: e2NyeXB0fVpOLm9pcW5ZSEtUbm8= # User michaelg was added via useradd dn: uid=michaelg,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il objectClass: account objectClass: posixAccount objectClass: shadowAccount uid: michaelg cn: michaelg uidNumber: 2406477 gidNumber: 6971 homeDirectory: /home/michaelg loginShell: /bin/bash gecos: Michael Green shadowMin: 0 shadowMax: 99999 shadowLastChange: 13983 userPassword:: e1NTSEF9ajczU0RLVGdRWFF1NGVUVHExZ3JhWEo3Q2IvaFR2dE8= I guess it can be at least partly attributed to the fact that useradd is not exactly LDAP-savvy. For example, it gives no way to provide attribute=value pairs (required by LDAP) which are not part of /etc/passwd line such as givenName and surName (sn). This attributes usually get there as a simple text string under "comment" umbrella of -c flag along with telephone number and God knows what else. Is my guess right or/and I'm missing something? On Mon, Apr 14, 2008 at 3:27 PM, Ralf Haferkamp wrote:

...

Thanks Carlos!

I've followed through and it worked.

Now I've tried to add a couple of groups using both YaST and groupadd and noticed that the groups after being added appear differently in the tree:

# ldapsearch -x -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" 'objectclass=*' -W

Added with YaST2; # pietro_blocks, bioinfo, biocl.weizmann.ac.il dn: cn=pietro_blocks,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il cn: pietro_blocks gidNumber: 6972 objectClass: top objectClass: namedObject objectClass: posixGroup

Added with groupadd: # pietro_lab, bioinfo, biocl.weizmann.ac.il dn: cn=pietro_lab,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il objectClass: posixGroup objectClass: groupOfNames cn: pietro_lab gidNumber: 6973 member:

Do you know why the difference and how should I proceed about this? There just a small difference in the way that YaST and "groupadd" handle

On Sonntag, 13. April 2008, Michael Green wrote: posixgroups without any member. Normally you can't create any LDAP Group without members, the objectclass "groupOfNames" doesn't allow that. For that reason "groupadd" is by default adding an empty "member" Attribute to the object, while YaST creates an object of the namedObject Objectclass and recreates that object as "groupOfNames" once the first member is added. That behavior should probably unified in the future, though. Care to submit an enhancement request for that?

...

I need to do a bulk add of both groups and users. Also I need to delegate the user management to someone who probably won't run YaST2. For bulkloading "groupadd" seems to be the appropriate tool. Or create a LDIF file an use ldapadd to poplulate the database.

...

On Thu, Apr 10, 2008 at 10:28 PM, Carlos Lorenzo Matés

wrote:

...

Hi

El Jueves, 10 de Abril de 2008, Michael Green escribió:

...

Hi,

I'm LDAP newbie, finding my way with configuration of the my first LDAP server on SLES10 SP1.

The requirement is that users that access the server via ssh should be authenticated against locally running (i.e. on the same server) LDAP server.

1. Should I install PAM-LDAP rpm package to make such setup work?

2. What is the role of NSS_LDAP package? My understanding it has something to do with nsswitch.conf? Must it be installed is well?

This is a very basic SLES setup, you only had to go to Yast and select eh Ldap client and tell you want users autentified against ldap, then yast will install the required packages

also, if you hadn't done it, you should add the default ldap configuration for storing user accounts and groups (in the same ldap client module)

the steps from the base installations should be as follows:

1. enter Yast 2. go to network services 3. go to Ldap server 4. add your ldap domain 5. go to ldap client 6. select autentificate users against the ldap server 7. select the options to install the default configuration for autentifications of users and groups

now you will be able to add users to your ldap installation with manage users and groups in yast

and login via ssh in your sles box

HTH

-- Warm regards, Michael Green

-- Ralf Haferkamp

SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

-- Warm regards, Michael Green -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On Tue, Apr 15, 2008 at 10:44 AM, Ralf Haferkamp wrote:

On Montag, 14. April 2008, Michael Green wrote:

...

Ralf,

Thank you for your clear and detailed explanation! I don't mind at all to send the enhancement request. Which type of ER is most appropriate for that: "Feature Enhancement" or "Problem with Existing Problem" or it doesn't matter? I am not exactly sure what you are referring to, here. Especially what "Problem with Existing Problem" is. :)

Sorry, I should have mentioned that I am referring to this page http://www.novell.com/enhancement_request/

...

Another q: While trying to add my _first_ user via useradd I stumbled upon the following error:

gene2:~ # useradd -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" --service ldap lssafran Enter LDAP Password: Cannot find base ou for new users. LDAP information update failed: Operations error

I've also noticed, that after having added at _least_ one user via YaST, I can then add any number of users via useradd without problem.

Hm, it seems that useradd is unable to find a suitable parent object for the new user. I don't know exactly what useradd does here. Might be worth another feature request (allowing to specify the parent object for a new user).

If so, then it raises another question, how come useradd is able to figure out what parent ou to pick for the next user? Does useradd do it by taking ou of the first user is stumbles upon in DIT or does it pick a random one? What if I have several groups of users under different ou's? I realize that these questions would be better handled by someone who is familiar with the source code of useradd. -- Warm regards, Michael Green -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org