Re: OT: Help Kyrre with his LDAP authentification headatches :)
- From: Rudi Chiarito <nutello sweetness com>
- To: Development discussions related to Fedora Core <fedora-devel-list redhat com>
- Subject: Re: OT: Help Kyrre with his LDAP authentification headatches :)
- Date: Fri, 26 Nov 2004 21:01:47 +0100
On Fri, Nov 26, 2004 at 04:49:09PM +0100, Kyrre Ness Sjobak wrote:
> Anybody know about a good web(min) based LDAP server interface, which
> could let me create a huge batch of users/w. populated homedirs

Where does the list of user names, their account names and numeric uids
come from?

I need to authenticate users on Unix systems against a Windows NT (soon
to be AD) domain. There is an LDAP directory that exports data about
every user, but unfortunately that data doesn't include the attributes
used by posixAccount.

So I just set up a local LDAP server for POSIX account information. I
use a simple Perl script that, given a list of accounts, looks up the
email address account@mail.server in the "NT" LDAP directory. From the
object found, I extract the last name, the full real name and the
personID field (which happens to be unique for every user and I can thus
reuse as a uid). From this information, I can create LDIF files with
posixGroup and posixAccount/shadowAccount objects for each user,
generating appropriate values for some fields (homeDirectory is set to
/home/$username) or using default values for the others (the shadow
password fields). OpenLDAP's command line tools will read the LDIF file
to add/modify users.

Clients are simply set up to get the account information from the local
LDAP server and to validate passwords against the NT domain using
pam_smb.

--
Rudi
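
The LDIF-generation step described in the message above, as an added Python example (not part of the original post and not the author's Perl script). It validates account names and personID values before they reach a DN, a homeDirectory or a uidNumber. Assumed here: the base DN and ou names, the record keys other than personID, MIN_UID, inetOrgPerson as structural class, gidNumber equal to uidNumber, the login shell, the shadow defaults, and the constructed sample records.

```python
import base64
import re

BASE_DN = "dc=example,dc=com"   # assumption: placeholder directory suffix
MIN_UID = 1000                  # assumption: lower ids are reserved for system accounts
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # no '/', ',', '=' or newlines

def ldif_line(attr, value):
    """Emit one attribute line; base64-encode values that are not LDIF-safe."""
    value = str(value)
    safe = (value.isascii() and not re.search(r"[\x00\r\n]", value)
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_ldif(records):
    """Turn directory records into LDIF text; raise ValueError on unsafe input."""
    seen, out = set(), []
    for rec in records:
        name, uid = rec["account"], str(rec["personID"])
        if not NAME_RE.fullmatch(name):       # blocks path and DN/LDIF injection
            raise ValueError(f"unsafe account name: {name!r}")
        if not re.fullmatch(r"[0-9]+", uid) or int(uid) < MIN_UID or int(uid) in seen:
            raise ValueError(f"bad or duplicate personID for {name}: {uid!r}")
        seen.add(int(uid))
        group = [("dn", f"cn={name},ou=Group,{BASE_DN}"), ("objectClass", "posixGroup"),
                 ("cn", name), ("gidNumber", int(uid))]
        # No userPassword: clients validate passwords elsewhere (pam_smb in the post).
        user = [("dn", f"uid={name},ou=People,{BASE_DN}"),
                ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
                ("objectClass", "shadowAccount"), ("uid", name),
                ("cn", rec["cn"]), ("sn", rec["sn"]),
                ("uidNumber", int(uid)), ("gidNumber", int(uid)),
                ("homeDirectory", f"/home/{name}"), ("loginShell", "/bin/bash"),
                ("shadowMax", 99999), ("shadowWarning", 7)]  # assumed defaults
        for entry in (group, user):
            out.extend(ldif_line(a, v) for a, v in entry)
            out.append("")                    # blank line ends each LDIF entry
    return "\n".join(out)

# Constructed sample records standing in for the upstream directory lookups.
SAMPLE = [{"account": "jdoe", "cn": "Jane Doe", "sn": "Doe", "personID": "20417"},
          {"account": "bjorn", "cn": "Bjørn Åse", "sn": "Åse", "personID": "20418"}]

if __name__ == "__main__":
    print(build_ldif(SAMPLE))
```

The output is in the form OpenLDAP's command line tools read, as the post describes.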