Making LDAP easier to use

Bernardo Innocenti bernie at develer.com
Thu May 25 06:10:16 UTC 2006


Rahul Sundaram wrote:

>> As an administrator, I'm particularly embarrassed to show my
>> customers the tools I use to run their UNIX accounts and
>> Samba domain controller.
> 
> You might get involved and help write such tools. That would replace
> embarrassment with pride. 

Unfortunately, it's not like you can write a couple of
new applications and you're done.  It would take some
commitment by a distribution such as Fedora to bring the
small bits together.

Most tools are there already, but not designed or tested
to work well together.  And it's because very few people
go through the pain of setting up an LDAP-based LAN.

For example, Samba uses its own user database by default and
it takes lots of perl glue (the smbldap-tools) to get it to
fetch domain users from LDAP.  You also need to add custom
schemas and fiddle with obscure configuration parameters
until it works.  Maybe Samba4 will improve the situation.

Creating users in LDAP is hard.  The usual tools such as
useradd and system-config-users should be taught how to do it.
I still couldn't figure out how to change the posixAccount
password in LDAP without using smbpasswd.

Viewing and editing the LDAP database is hard.  The best tool
I've found is ldapvi, which is very low level and isn't even
in Extras.  There are lots of Java GUI tools which I'd avoid
if I could and a few web-based ones with the usual slow user
interface.  The best one seems to be phpLdapAdmin.  It's in
Extras, but you have to fiddle a lot with the configuration
before you can authenticate into your LDAP server.

On the client side, system-config-authentication already
does 90% of the work, but fails to do (or suggest) the
steps required to get TLS to work.  Without TLS, your
passwords will fly over the wire in the clear.

-- 
  // Bernardo Innocenti - Develer S.r.l., R&D dept.
\X/  http://www.develer.com/
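The two directory operations the post singles out, creating a posixAccount and changing its password, as an added example that is not from the post or from Fedora's tools: it emits the LDIF an administrator would feed to ldapadd/ldapmodify, hashing userPassword in the {SSHA} form slappasswd(8) produces; the base DN dc=example,dc=com and the ou=People container are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample base DN for the example; substitute your directory's own.
BASE_DN = "dc=example,dc=com"

def ssha_hash(password, salt=None):
    # RFC 2307 style value as slappasswd(8) emits: {SSHA} + b64(sha1(pw||salt) || salt)
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored, password):
    # Split the decoded value back into the 20-byte SHA-1 digest and the salt.
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)

def posix_account_ldif(uid, uid_number, gid_number, password, base_dn=BASE_DN):
    # Add-record for ldapadd: the LDAP counterpart of a useradd /etc/passwd entry.
    return "\n".join([
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
    ]) + "\n"

def password_change_ldif(uid, new_password, base_dn=BASE_DN):
    # Modify-record for ldapmodify: replaces only the entry's userPassword attribute.
    return (
        f"dn: uid={uid},ou=People,{base_dn}\n"
        "changetype: modify\n"
        "replace: userPassword\n"
        f"userPassword: {ssha_hash(new_password)}\n"
    )
```

Piping either record into `ldapmodify -ZZ -x -D <admin DN> -W` makes the client refuse to proceed unless StartTLS succeeds, which addresses the clear-text password concern raised for the client side.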




More information about the fedora-devel-list mailing list