[svlug] Favorite LDAP user admin tool

Mike Castle dalgoda at ix.netcom.com
Tue Sep 20 11:38:39 PDT 2005


On Tue, Sep 20, 2005 at 10:47:25AM -0700, Don Marti wrote:
> begin Mike Castle quotation of Tue, Sep 20, 2005 at 09:52:08AM -0700:

> http://www.linuxjournal.com/article/8119
> http://www.linuxjournal.com/article/7382

Great.  A quick glance looks like these will be pretty useful for
understanding why these things work the way they do.

> 
> > Also, if anyone has a pointer on this:  The Samba config files say that
> > some LDAP configurations will allow a user to change a password in one
> > domain (say, posix accounts using passwd), and that would propagate the
> > change to other domains (say, the samba password stuff).  What's the magic
> > that causes this to happen (if it does) with OpenLDAP?  I've glanced
> > through the code and the schema files, but I haven't noticed anything
> > obvious that says "tie these things together."
> 
> Craig and Matt's article has an smb.conf example for
> this (Listing 5).

Right.  I got that part.  I guess a better way to ask this might be:  What
magic is necessary on the LDAP side that enables the following to work:

  ldap passwd sync = only

It looks like most systems use [yes] rather than [only].  So I may just go
with that.  But it seems to me that both Samba and OpenLDAP support the
necessary magic to make this work.  Just missing a tad bit of glue.

What I'm hoping is if someone changes their password on the Unix side with
the passwd command, that OpenLDAP/NSS/whatever, could be configured to
update all of LDAP/NT/LM passwords.

Otherwise, someone changes LDAP and it gets out of sync with NT. Then what?

> If you're going to be maintaining LDAP and Samba
> regularly, you should pick up a copy of "Samba-3 by
> Example: Practical Exercises to Successful Deployment,
> 2nd Edition" too.
> 
> http://www.phptr.com/bookstore/product.asp?isbn=013188221X&rl=1

Any recommendations for LDAP in general, perhaps OpenLDAP specifically?

Thanks,
mrc



