Hi All,
There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
For example, what all attributes should I be applying to my user objects? Is it necessary to subclass the schema or is there something already that fits my needs out there? Ninety-five percent of the job of this FDS will be authenticating user accounts to linux machines (the other 5% could be authenticating web access or something like that).
Thanks,
James T. Richardson, Jr. jrichardson@x-iss.com eXcellence in IS Solutions, Inc. Office: 713-862-9200 x226
NOTICE: This message may contain privileged or otherwise confidential information. If you are not the intended recipient, please immediately advise the sender by reply email and delete the message and any attachments without using, copying or disclosing the contents.
James Richardson wrote:
> Hi All,
> There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> For example, what all attributes should I be applying to my user objects? Is it necessary to subclass the schema or is there something already that fits my needs out there? Ninety-five percent of the job of this FDS will be authenticating user accounts to linux machines (the other 5% could be authenticating web access or something like that).
Hi, FDS includes the posixAccount, posixGroup, and inetOrgPerson object classes. You don't really need more than this to do simple user authentication for linux and apache, as well as basic personnel info management.
I suggest creating user objects with the following classes:
  top
  person
  inetOrgPerson
  account
  posixAccount
BR, -- mike
On Wed, 2006-08-30 at 22:23 +0300, Mike Jackson wrote:
> > There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> Hi, FDS includes the posixAccount, posixGroup, and inetOrgPerson object classes. You don't really need more than this to do simple user authentication for linux and apache, as well as basic personnel info management.
And if you want to also use it as a back end for samba windows domain authentication with the same users/passwords?
On Wed, 2006-08-30 at 17:35 -0500, Les Mikesell wrote:
> On Wed, 2006-08-30 at 22:23 +0300, Mike Jackson wrote:
> > > There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> > Hi, FDS includes the posixAccount, posixGroup, and inetOrgPerson object classes. You don't really need more than this to do simple user authentication for linux and apache, as well as basic personnel info management.
> And if you want to also use it as a back end for samba windows domain authentication with the same users/passwords?
That's a horse of another color.
First you would have to import the samba schema appropriate for the version of samba you are using.
Then you would have to realize that the samba schema has objectclasses/attributes that have nothing to do with posixAccount/posixGroup/inetOrgPerson attributes (well, I do use posixGroup, but that is with sambaGroupMapping attributes).
Then you would want to use a client that allows a single password entry and encodes it for the userPassword (posixAccount/shadowAccount) attribute and for the sambaNTPassword and optionally the sambaLMPassword. Clients for this purpose are listed here...
http://wiki.samba.org/index.php/Samba_%26_LDAP
or of course, you can write your own code to accomplish this
Craig
On Wed, 30 Aug 2006, Craig White wrote:
> On Wed, 2006-08-30 at 17:35 -0500, Les Mikesell wrote:
> > On Wed, 2006-08-30 at 22:23 +0300, Mike Jackson wrote:
> > > > There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> > > Hi, FDS includes the posixAccount, posixGroup, and inetOrgPerson object classes. You don't really need more than this to do simple user authentication for linux and apache, as well as basic personnel info management.
> > And if you want to also use it as a back end for samba windows domain authentication with the same users/passwords?
> that's a horse of another color
> First you would have to import the samba schema appropriate for the version of samba you are using.
> Then you would have to realize that the samba schema has objectclasses/attributes that have nothing to do with posixAccount/posixGroup/inetOrgPerson attributes (well, I do use posixGroup, but that is with sambaGroupMapping attributes).
> Then you would want to use a client that allows a single password entry and encodes it for the userPassword (posixAccount/shadowAccount) attribute and for the sambaNTPassword and optionally the sambaLMPassword. Clients for this purpose are listed here...
> http://wiki.samba.org/index.php/Samba_%26_LDAP
> or of course, you can write your own code to accomplish this
Is it really all that different from using an ldap backend as described in the Samba HowTo??
Is there any reason the idealx scripts and the standard samba schema will not work?
Just want to be sure I am not missing something, migrating to FDS is on my list of things to do.
On Wed, 2006-08-30 at 22:22 -0400, Tom Diehl wrote:
> On Wed, 30 Aug 2006, Craig White wrote:
> > On Wed, 2006-08-30 at 17:35 -0500, Les Mikesell wrote:
> > > On Wed, 2006-08-30 at 22:23 +0300, Mike Jackson wrote:
> > > > > There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> > > > Hi, FDS includes the posixAccount, posixGroup, and inetOrgPerson object classes. You don't really need more than this to do simple user authentication for linux and apache, as well as basic personnel info management.
> > > And if you want to also use it as a back end for samba windows domain authentication with the same users/passwords?
> > that's a horse of another color
> > First you would have to import the samba schema appropriate for the version of samba you are using.
> > Then you would have to realize that the samba schema has objectclasses/attributes that have nothing to do with posixAccount/posixGroup/inetOrgPerson attributes (well, I do use posixGroup, but that is with sambaGroupMapping attributes).
> > Then you would want to use a client that allows a single password entry and encodes it for the userPassword (posixAccount/shadowAccount) attribute and for the sambaNTPassword and optionally the sambaLMPassword. Clients for this purpose are listed here...
> > http://wiki.samba.org/index.php/Samba_%26_LDAP
> > or of course, you can write your own code to accomplish this
> Is it really all that different from using an ldap backend as described in the Samba HowTo??
Nope - very little difference between integration on OpenLDAP or FDS - make sure that you visit the samba wiki page on FDS wiki as it tells you how to import openldap schemas and such.
> Is there any reason the idealx scripts and the standard samba schema will not work?
Idealx scripts work fine (I barely use them though).
There is no such thing as a standard samba schema - it has been getting continually tweaked at various stages in samba releases. Use the schema appropriate for your samba release which I presume seeing your entries on nahant/taroon lists will be supplied with your samba installation...which would be 3.0.9.xx (taroon) 3.0.10.xx (nahant) unless you replace it with kde-redhat samba like I do...
# rpm -q --whatprovides /usr/share/doc/samba-3.0.23b/LDAP/samba.schema
samba-3.0.23b-0.1.el4.kde
each release is slightly different - there is no 'standard samba schema'
> Just want to be sure I am not missing something, migrating to FDS is on my list of things to do.
Go for it - keep openldap installed - do your migration - turn off openldap and then start fds - should be a direct replacement when you get it going.
Just a little stupid thing that may be of help to you is a little shell script that I wrote to take the slapcat output from openldap and delete the attributes that will poison it so you can't import it into FDS...
# cat ol2fds-filter.sh
#!/bin/sh
#
# Drop the OpenLDAP operational attributes from a slapcat dump so FDS will import it.
#
input=dump.ldif
output=import-me.ldif
filt1=creatorsName
filt2=createTimestamp
filt3=modifiersName
filt4=modifyTimestamp
filt5=structuralObjectClass
filt6=entryUUID
filt7=entryCSN

/bin/grep -v $filt1 $input | \
/bin/grep -v $filt2 | \
/bin/grep -v $filt3 | \
/bin/grep -v $filt4 | \
/bin/grep -v $filt5 | \
/bin/grep -v $filt6 | \
/bin/grep -v $filt7 > $output
Craig
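Craig's ol2fds-filter.sh works on physical lines, so two things can slip through: a long operational value that slapcat folded onto a continuation line leaves an orphan " ..." line behind after the first line is removed, and a user attribute whose value merely contains one of the names (a description mentioning "entryCSN", say) is thrown away with it. The following added example (written for this page; not Craig's script and not anything shipped with OpenLDAP or Fedora DS) removes the same seven attributes but unfolds the LDIF first and matches on the attribute type only. The sample dump is constructed; the grep_style_filter function reproduces what the chained grep -v calls do so the two behaviours can be compared on the same input.

```python
"""Strip OpenLDAP operational attributes from a slapcat dump before an FDS import.

Added example for this thread (not Craig White's ol2fds-filter.sh, not part of
OpenLDAP or Fedora DS). Same attribute list as the script, but LDIF-aware.
The sample dump below is constructed.
"""

# The attributes Craig's script removes; FDS generates its own on import.
OPERATIONAL = {"creatorsName", "createTimestamp", "modifiersName",
               "modifyTimestamp", "structuralObjectClass", "entryUUID", "entryCSN"}

# Constructed slapcat-style dump: one folded creatorsName value and one
# description whose text happens to contain an operational attribute name.
SAMPLE_DUMP = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jdoe
cn: John Doe
sn: Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
description: migrated; old entryCSN kept in the ticket for reference
structuralObjectClass: inetOrgPerson
entryUUID: 2a1c9d6e-0000-1000-8000-000000000000
creatorsName: cn=Manager,dc=example,dc=com
createTimestamp: 20060830202300Z
entryCSN: 20060830202300Z#000000#00#000000
modifiersName: cn=Manager,dc=example,dc=com
modifyTimestamp: 20060830202300Z

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 10001
memberUid: jdoe
creatorsName: cn=Manager,dc=example,dc=
 com
createTimestamp: 20060830202300Z
"""


def unfold(ldif_text):
    """Join LDIF continuation lines: a line beginning with one space continues
    the previous line (RFC 2849 folding)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def attr_name(line):
    """Attribute type of an LDIF line (text before ':'), minus any ';option'
    suffix; None for blank lines and comments."""
    if not line or line.startswith("#"):
        return None
    return line.split(":", 1)[0].split(";", 1)[0]


def strip_operational(ldif_text, operational=OPERATIONAL):
    """Return the dump with operational attributes removed; entry boundaries
    (blank lines) and every other attribute are kept as they were."""
    drop = {name.lower() for name in operational}   # LDAP attribute names are case-insensitive
    out = []
    for line in unfold(ldif_text):
        name = attr_name(line)
        if name is not None and name.lower() in drop:
            continue
        out.append(line)
    return "\n".join(out) + "\n"


def grep_style_filter(ldif_text, operational=OPERATIONAL):
    """What the seven chained 'grep -v' calls do: drop any physical line that
    contains one of the names anywhere, ignoring LDIF structure."""
    kept = [l for l in ldif_text.splitlines()
            if not any(name in l for name in operational)]
    return "\n".join(kept) + "\n"


def count_entries(ldif_text):
    """Number of entries in the dump, by counting 'dn:' lines."""
    return sum(1 for l in ldif_text.splitlines() if l.startswith("dn:"))


if __name__ == "__main__":
    print(strip_operational(SAMPLE_DUMP), end="")
```

Unfolding means long values come out on one line in the result, which every LDIF importer accepts. Craig's later remark still applies: an ldapsearch capture never contains these attributes in the first place, so with that route no filtering is needed.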
On Wed, 30 Aug 2006, Craig White wrote:
> On Wed, 2006-08-30 at 22:22 -0400, Tom Diehl wrote:
> > On Wed, 30 Aug 2006, Craig White wrote:
> > > On Wed, 2006-08-30 at 17:35 -0500, Les Mikesell wrote:
> > > > On Wed, 2006-08-30 at 22:23 +0300, Mike Jackson wrote:
> > > > > > There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> > > > > Hi, FDS includes the posixAccount, posixGroup, and inetOrgPerson object classes. You don't really need more than this to do simple user authentication for linux and apache, as well as basic personnel info management.
> > > > And if you want to also use it as a back end for samba windows domain authentication with the same users/passwords?
> > > that's a horse of another color
> > > First you would have to import the samba schema appropriate for the version of samba you are using.
> > > Then you would have to realize that the samba schema has objectclasses/attributes that have nothing to do with posixAccount/posixGroup/inetOrgPerson attributes (well, I do use posixGroup, but that is with sambaGroupMapping attributes).
> > > Then you would want to use a client that allows a single password entry and encodes it for the userPassword (posixAccount/shadowAccount) attribute and for the sambaNTPassword and optionally the sambaLMPassword. Clients for this purpose are listed here...
> > > http://wiki.samba.org/index.php/Samba_%26_LDAP
> > > or of course, you can write your own code to accomplish this
> > Is it really all that different from using an ldap backend as described in the Samba HowTo??
> nope - very little difference between integration on OpenLDAP or FDS - make sure that you visit the samba wiki page on FDS wiki as it tells you how to import openldap schemas and such.
> > Is there any reason the idealx scripts and the standard samba schema will not work?
> Idealx scripts work fine (I barely use them though).
> There is no such thing as a standard samba schema - it has been getting continually tweaked at various stages in samba releases. Use the schema appropriate for your samba release which I presume seeing your entries on nahant/taroon lists will be supplied with your samba installation...which would be 3.0.9.xx (taroon) 3.0.10.xx (nahant) unless you replace it with kde-redhat samba like I do...
Indeed, I misspoke. I am aware of the issue. I normally upgrade the EL machines to whatever the latest version of samba is. There are simply too many features missing from the versions supplied with RHEL. Hopefully EL5 will have something near current. I was not aware of the kde-redhat samba. I will have to look at it.
> # rpm -q --whatprovides /usr/share/doc/samba-3.0.23b/LDAP/samba.schema
> samba-3.0.23b-0.1.el4.kde
> each release is slightly different - there is no 'standard samba schema'
> > Just want to be sure I am not missing something, migrating to FDS is on my list of things to do.
> go for it - keep openldap installed - do your migration - turn off openldap and then start fds - should be a direct replacement when you get it going.
> just a little stupid thing that may be of help to you is a little shell script that I wrote to take the slapcat output from openldap and delete the attributes that will poison it so you can't import it into FDS...
> # cat ol2fds-filter.sh
> #!/bin/sh
> #
> #
> input=dump.ldif
> output=import-me.ldif
> filt1=creatorsName
> filt2=createTimestamp
> filt3=modifiersName
> filt4=modifyTimestamp
> filt5=structuralObjectClass
> filt6=entryUUID
> filt7=entryCSN
>
> /bin/grep -v $filt1 $input | \
> /bin/grep -v $filt2 | \
> /bin/grep -v $filt3 | \
> /bin/grep -v $filt4 | \
> /bin/grep -v $filt5 | \
> /bin/grep -v $filt6 | \
> /bin/grep -v $filt7 > $output
OK, so we strip out the above attributes at import time but does FDS then recreate them? My memory is telling me they are part of the required attributes in the schema but I could be wrong.
Thanks for the help.
Regards,
On Wed, 2006-08-30 at 23:16 -0400, Tom Diehl wrote:
> On Wed, 30 Aug 2006, Craig White wrote:
> > just a little stupid thing that may be of help to you is a little shell script that I wrote to take the slapcat output from openldap and delete the attributes that will poison it so you can't import it into FDS...
> > # cat ol2fds-filter.sh
> > #!/bin/sh
> > #
> > #
> > input=dump.ldif
> > output=import-me.ldif
> > filt1=creatorsName
> > filt2=createTimestamp
> > filt3=modifiersName
> > filt4=modifyTimestamp
> > filt5=structuralObjectClass
> > filt6=entryUUID
> > filt7=entryCSN
> >
> > /bin/grep -v $filt1 $input | \
> > /bin/grep -v $filt2 | \
> > /bin/grep -v $filt3 | \
> > /bin/grep -v $filt4 | \
> > /bin/grep -v $filt5 | \
> > /bin/grep -v $filt6 | \
> > /bin/grep -v $filt7 > $output
> OK, so we strip out the above attributes at import time but does FDS then recreate them? My memory is telling me they are part of the required attributes in the schema but I could be wrong.
Both OpenLDAP and FDS will add the operational attributes necessary, and I should point out that you can sort of get around this by not using slapcat but rather an ldapsearch captured into an ldif file, which you can then import (it won't include the operational attributes listed above).
Craig
Hi James,
The packaged directory console includes a section for Unix (and WinNT) attributes for users that will apply everything you need in terms of object classes. Between that and the PAM howto (and possibly the SSL howto) on the FDS website, you should have everything you need to get this going.
Cheers,
-Jason
James Richardson wrote:
> Hi All,
> There seems to be a lot of install/design documentation regarding FDS, however I've not been able to find a quick "howto" on setting a FDS up for a small company. For example, say a shop with 25-50 linux machines and 150 or so user accounts.
> For example, what all attributes should I be applying to my user objects? Is it necessary to subclass the schema or is there something already that fits my needs out there? Ninety-five percent of the job of this FDS will be authenticating user accounts to linux machines (the other 5% could be authenticating web access or something like that).
> Thanks,
> James T. Richardson, Jr. jrichardson@x-iss.com eXcellence in IS Solutions, Inc. Office: 713-862-9200 x226
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
Hello everybody, I am running 2 fedora-ds servers that were using multi master sync for my userroot. now on 1 of my servers, the userroot database is gone, I tried to do a database restore but that failed. userroot is missing in the admin console under "configuration - data - dc=my,dc=domain" where on the good server, userroot exists under that tree. If I go under the Directory tab, all I see is the servername and nothing under it. Has anyone run into this issue, I'm going to reinstall that server and re-sync the database, but I'm wondering if anyone has any ideas that might be a little easier to restore.
Brian
389-users@lists.fedoraproject.org