Ralf,
Thank you for your clear and detailed explanation!
I don't mind at all sending the enhancement request. Which type of ER
is most appropriate for that: "Feature Enhancement" or "Problem with
Existing Problem", or doesn't it matter?
Another question: while trying to add my _first_ user via useradd I stumbled
upon the following error:
gene2:~ # useradd -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il"
--service ldap lssafran
Enter LDAP Password:
Cannot find base ou for new users.
LDAP information update failed: Operations error
I've also noticed that after having added at _least_ one user via
YaST, I can then add any number of users via useradd without problem.
Can this error be avoided without using YaST, i.e. by adding the first
and all subsequent users via useradd only?
And by the way, as in case of groups, users added via YaST and via
useradd appear differently in ldapsearch:
# User lssafran was added via YaST
dn: uid=lssafran,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
cn: Marilyn Safran
gidNumber: 6971
givenName: Marilyn
homeDirectory: /home/lssafran
loginShell: /bin/bash
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
sn: Safran
uid: lssafran
uidNumber: 3208
userPassword:: e2NyeXB0fVpOLm9pcW5ZSEtUbm8=
# User michaelg was added via useradd
dn: uid=michaelg,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: michaelg
cn: michaelg
uidNumber: 2406477
gidNumber: 6971
homeDirectory: /home/michaelg
loginShell: /bin/bash
gecos: Michael Green
shadowMin: 0
shadowMax: 99999
shadowLastChange: 13983
userPassword:: e1NTSEF9ajczU0RLVGdRWFF1NGVUVHExZ3JhWEo3Q2IvaFR2dE8=
I guess it can be at least partly attributed to the fact that useradd
is not exactly LDAP-savvy. For example, it gives no way to provide
attribute=value pairs (required by LDAP) which are not part of the
/etc/passwd line, such as givenName and surname (sn). These attributes
usually get there as a simple text string under the "comment" umbrella of the
-c flag, along with telephone number and God knows what else. Is my
guess right, or am I missing something?
On Mon, Apr 14, 2008 at 3:27 PM, Ralf Haferkamp wrote:

On Sunday, 13 April 2008, Michael Green wrote:

Thanks Carlos!
I've followed through and it worked.
Now I've tried to add a couple of groups using both YaST and groupadd and noticed that the groups, after being added, appear differently in the tree:

# ldapsearch -x -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" 'objectclass=*' -W

Added with YaST2:
# pietro_blocks, bioinfo, biocl.weizmann.ac.il
dn: cn=pietro_blocks,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
cn: pietro_blocks
gidNumber: 6972
objectClass: top
objectClass: namedObject
objectClass: posixGroup

Added with groupadd:
# pietro_lab, bioinfo, biocl.weizmann.ac.il
dn: cn=pietro_lab,ou=bioinfo,dc=biocl,dc=weizmann,dc=ac,dc=il
objectClass: posixGroup
objectClass: groupOfNames
cn: pietro_lab
gidNumber: 6973
member:

Do you know why the difference, and how should I proceed about this?

There is just a small difference in the way that YaST and "groupadd" handle posixGroups without any member. Normally you can't create any LDAP group without members; the objectClass "groupOfNames" doesn't allow that. For that reason "groupadd" by default adds an empty "member" attribute to the object, while YaST creates an object of the namedObject objectClass and recreates that object as "groupOfNames" once the first member is added. That behavior should probably be unified in the future, though. Care to submit an enhancement request for that?

I need to do a bulk add of both groups and users. Also I need to delegate the user management to someone who probably won't run YaST2.

For bulk loading "groupadd" seems to be the appropriate tool. Or create an LDIF file and use ldapadd to populate the database.
On Thu, Apr 10, 2008 at 10:28 PM, Carlos Lorenzo Matés wrote:

Hi

On Thursday, 10 April 2008, Michael Green wrote:
Hi,
I'm an LDAP newbie, finding my way with the configuration of my first LDAP server on SLES10 SP1.
The requirement is that users that access the server via ssh should be authenticated against a locally running (i.e. on the same server) LDAP server.
1. Should I install the PAM-LDAP rpm package to make such a setup work?
2. What is the role of the NSS_LDAP package? My understanding is that it has something to do with nsswitch.conf. Must it be installed as well?
This is a very basic SLES setup; you only have to go to YaST, select the LDAP client and tell it you want users authenticated against LDAP, then YaST will install the required packages.
Also, if you haven't done it, you should add the default LDAP configuration for storing user accounts and groups (in the same LDAP client module).
The steps from the base installation should be as follows:
1. Enter YaST
2. Go to Network Services
3. Go to LDAP Server
4. Add your LDAP domain
5. Go to LDAP Client
6. Select authenticate users against the LDAP server
7. Select the options to install the default configuration for authentication of users and groups
Now you will be able to add users to your LDAP installation with Manage Users and Groups in YaST
and log in via ssh on your SLES box.
HTH
-- Warm regards, Michael Green
-- Ralf Haferkamp
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-- Warm regards, Michael Green
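Ralf's suggestion to populate the directory from an LDIF file with ldapadd, and Michael's observation that useradd has no way to set givenName and sn, are illustrated by the generator below. It is an added example for this page, not code from the thread, from SUSE or from the shadow tools: the base DN, the ou and the objectClass layout follow the ldapsearch output quoted in the thread (the server evidently accepts posixGroup together with groupOfNames, since that is what groupadd produced), while the helper names, the sample passwords and the rule that a group must have at least one member are assumptions of the example. Two caveats a practitioner reading that output would want: the double colon in `userPassword::` only means the value is base64 encoded in LDIF, not that it is encrypted; and the YaST-created entry's value decodes to a 13-character hash under the `{crypt}` prefix, which is traditional DES crypt and uses only the first 8 characters of the password, whereas the useradd-created entry uses `{SSHA}`, the scheme the example emits.

```python
#!/usr/bin/env python3
"""Build an LDIF file for bulk-loading users and groups into the tree discussed in
the thread; feed the output to:
    ldapadd -x -D "cn=admin,dc=biocl,dc=weizmann,dc=ac,dc=il" -W -f bulk.ldif
Example code for this page, not part of the thread; helper names are made up."""
from __future__ import annotations
import base64
import hashlib
import hmac
import os
import time

BASE_DN = "dc=biocl,dc=weizmann,dc=ac,dc=il"   # from the thread
PEOPLE_OU = "ou=bioinfo," + BASE_DN             # where users and groups live in the thread


def ssha(password: str, salt: bytes | None = None) -> str:
    """{SSHA} = base64(sha1(password + salt) + salt), the scheme the useradd entry used."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a password against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def ldif_line(attr: str, value) -> str:
    """One LDIF attribute line. Per RFC 2849 a value that is not a SAFE-STRING (non-ASCII,
    leading space/colon/'<', embedded CR/LF/NUL) is base64-encoded after a double colon;
    that is why ldapsearch prints 'userPassword::' and not 'userPassword:'."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    safe = (raw.isascii() and raw[:1] not in (b" ", b":", b"<")
            and not any(c in raw for c in (b"\r", b"\n", b"\0")))
    if safe:
        return f"{attr}: {raw.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def parse_ldif_line(line: str) -> tuple[str, bytes]:
    """Inverse of ldif_line: turn 'attr:: base64' or 'attr: text' into (attr, raw bytes)."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr, base64.b64decode(rest.strip())
    attr, _, rest = line.partition(":")
    return attr, rest.strip().encode("utf-8")


def user_entry(uid, uid_number, gid_number, given_name, sn, password, last_change=None) -> str:
    """inetOrgPerson + posixAccount + shadowAccount in one entry: the attributes useradd
    cannot set (givenName, sn) next to the ones it does. cn and gecos are built from the name."""
    days = int((time.time() if last_change is None else last_change) // 86400)
    attrs = [
        ("objectClass", "top"), ("objectClass", "inetOrgPerson"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("uid", uid), ("cn", f"{given_name} {sn}"), ("givenName", given_name), ("sn", sn),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
        ("gecos", f"{given_name} {sn}"), ("shadowLastChange", str(days)),
        ("shadowMin", "0"), ("shadowMax", "99999"),
        ("userPassword", ssha(password)),
    ]
    lines = [f"dn: uid={uid},{PEOPLE_OU}"] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def group_entry(cn, gid_number, member_uids) -> str:
    """posixGroup + groupOfNames, the combination groupadd produced on this server.
    groupOfNames requires a member, so an empty group is refused here instead of
    emitting the empty 'member:' value that groupadd falls back to."""
    if not member_uids:
        raise ValueError(f"group {cn}: groupOfNames needs at least one member")
    attrs = [("objectClass", "posixGroup"), ("objectClass", "groupOfNames"),
             ("cn", cn), ("gidNumber", str(gid_number))]
    attrs += [("member", f"uid={u},{PEOPLE_OU}") for u in member_uids]
    attrs += [("memberUid", u) for u in member_uids]   # the posixGroup form nss_ldap reads
    lines = [f"dn: cn={cn},{PEOPLE_OU}"] + [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines) + "\n"


def bulk_ldif(users, groups) -> str:
    """users: user_entry() argument tuples; groups: (cn, gid, [uids]) tuples.
    Entries are separated by one blank line, which is what ldapadd -f expects."""
    entries = [user_entry(*u) for u in users] + [group_entry(*g) for g in groups]
    return "\n".join(entries)


if __name__ == "__main__":
    # Constructed sample data; only the DN layout comes from the thread.
    users = [("lssafran", 3208, 6971, "Marilyn", "Safran", "changeme-1"),
             ("michaelg", 2406477, 6971, "Michael", "Green", "changeme-2")]
    groups = [("pietro_lab", 6973, ["lssafran", "michaelg"])]
    print(bulk_ldif(users, groups), end="")
```

Redirect the output to a file and load it with the ldapadd command in the docstring; ldapadd stops at the first entry the server rejects, so a group listed before its members' user entries will fail on the member DN check if the server enforces referential integrity, which is why the generator emits all users first. The generated entries are added directly under ou=bioinfo, so the "Cannot find base ou for new users" step that useradd performs is not involved.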