ldap-users-devel Mailing List for LDAP Users Admin
Status: Alpha
Brought to you by:
fsl
Archive: 2001 (Mar: 2 messages, Nov: 9, Dec: 3)
From: Fernando L. <fer...@lo...> - 2001-12-07 00:08:14

Hi Wil,

> Right. And I'm trying to think broader than that--perhaps on the
> scale of something like NDS; basically, anything that can use
> LDAP for configuration I'd like to try to manage. And perhaps
> managing different back-ends makes that out of the question;
> I'm going to code for LDAP and try to clearly separate out an
> LDAP-specific interface from a more generic interface, and make
> the CGIs themselves use only the generic interfaces. (Actually,
> you've pretty much done that already.)

A user admin module that can use LDAP, MySQL or another back end for POSIX user profiles sounds great. You have a lot of common code and interface, and change just the back end. Cool.

But I think anything above that will have the scale of another entirely new Webmin. You can create a generic LDAP browser and, using schema info from LDAP v3, create pretty nice edit forms. The things these generic browsers cannot do made me create the LDAP Users Admin -- the generic tools do not know Unix cannot handle duplicate uid and uidNumber attributes. It would not create the home dir for new users. And so on. You'll end up with a tool that would need specific plug-ins that know the semantics of each object class you try to edit -- another Webmin. Or, if you like, another NWadmin, another linuxconf, another Microsoft MMC, and the like.

Most Unix tools do not use LDAP yet, so your tool would not be as nice as Webmin itself. I think today some more LDAP-aware modules for Webmin, like mine, would be nice. Besides, I cannot see the value of another generic LDAP API on top of an API such as PerLDAP. When we can have everything stored in LDAP, a lot of Webmin modules that can handle this would be as good as NWadmin.

[]s, Fernando Lozano
From: Wil C. <wc...@na...> - 2001-12-06 05:55:38

Also Sprach Fernando Lozano:
> I never thought this way, but if you can come up with a nice design I guess
> you should talk to Jamie Cameron about getting your design into the
> standard Users and Groups module.
>
> When I created my module the focus was not on just managing POSIX users
> on another name service -- it was about unifying POSIX user management
> with e-mail address book management. So I thought about preserving POSIX
> semantics while supporting attributes that are unknown to POSIX.

Right. And I'm trying to think broader than that--perhaps on the scale of something like NDS; basically, anything that can use LDAP for configuration I'd like to try to manage. And perhaps managing different back-ends makes that out of the question; I'm going to code for LDAP and try to clearly separate out an LDAP-specific interface from a more generic interface, and make the CGIs themselves use only the generic interfaces. (Actually, you've pretty much done that already.)

> Think about how your design will accommodate the differences. For
> example, I cannot tell LDAP "there can be no two records with the same
> value for the uidNumber attribute" but I can tell this to MySQL. So the
> first has to be programmed in the Webmin module but the second does not.
> Think also about how you'll display and edit non-POSIX information. For
> example, I think an nss_mysql module should be integrated with managing
> MySQL grant tables.
>
> My plans for the future (not near future) include designing something that
> allows easy pluggability of new object classes (for example, Samba LDAP
> attributes, or RADIUS attributes).
>
> As far as I know, the NSS interface provides no way for changing
> information -- just querying. Is that true?

Right. I'm thinking about communicating directly with the backend modules that feed NSS--LDAP, db files, MySQL, etc., not through NSS directly.

Wil
--
W. Reilly Cooley wc...@na...
Naked Ape Consulting http://nakedape.cc
irc.linux.com #orlug,#pdxlug,#lnxs
"There was a vague, unpleasant manginess about his appearance; he somehow seemed dirty, though a close glance showed him as carefully shaven as an actor, and clad in immaculate linen." -- H.L. Mencken, on the death of William Jennings Bryan
From: Fernando L. <fer...@lo...> - 2001-12-05 22:12:07

Hi Wil,

> I've been thinking about the ldap-users module, and I think it needs
> to go in a slightly more general direction. I've started working
> with Webmin and put together this little not-entirely-functional demo.
> It basically rips out Fernando's work and moves it into a more
> general framework. One thing I wanted was to be able to manage a
> number of different system databases from Webmin, like users, groups,
> hosts, etc., but also construct the interfaces in a general enough
> manner that it could apply to other database/directory types, such
> as nss_mysql, nss_db, etc. So here's what I've put together
> so far. I'm going to continue working on it, moving it in this
> direction and implementing the features I want.

I never thought this way, but if you can come up with a nice design I guess you should talk to Jamie Cameron about getting your design into the standard Users and Groups module.

When I created my module the focus was not on just managing POSIX users on another name service -- it was about unifying POSIX user management with e-mail address book management. So I thought about preserving POSIX semantics while supporting attributes that are unknown to POSIX.

Think about how your design will accommodate the differences. For example, I cannot tell LDAP "there can be no two records with the same value for the uidNumber attribute" but I can tell this to MySQL. So the first has to be programmed in the Webmin module but the second does not. Think also about how you'll display and edit non-POSIX information. For example, I think an nss_mysql module should be integrated with managing MySQL grant tables.

My plans for the future (not near future) include designing something that allows easy pluggability of new object classes (for example, Samba LDAP attributes, or RADIUS attributes).

As far as I know, the NSS interface provides no way for changing information -- just querying. Is that true?

[]s, Fernando Lozano
From: Wil C. <wc...@na...> - 2001-11-23 23:44:39

Also Sprach Fernando Lozano:
> If Webmin runs on the mail/personal web server there's no problem. But
> as I said, I know no Webmin feature to create a remote home dir. Webmin
> is a host administration tool, not yet a network admin tool. But maybe I
> am just outdated... :-) I agree with you that this would not pose a
> security risk.

Hm, I haven't looked deeply into the capabilities of Webmin; only inferred from the "Webmin Servers Index" that it could communicate with other Webmin servers. Today is a holiday in the US, and I'll probably be in trouble with my girlfriend if I spend much more time on my computer ;) but when I get the chance I'll look into the API. Perhaps all it does is allow you to switch easily to other servers.

> There's a notification API: the standard Users and Groups module may call
> other modules when a user/group is created, modified or deleted. This way
> the Samba module can keep smbpasswd in sync. I do not implement
> this API yet, and I am investigating whether my module could send the
> notifications instead of just receiving them.

That would be cool.

> The best thing would be to configure Samba to use LDAP instead of its
> own files. This is supported since 2.1 I guess.

Yeah, according to my friend who sponsored the re-write of the Samba code for this, the support in 2.2.2 is *considerably* better than in previous versions. I'll d/l the source when I get time and take a look at the schema.

> Certain Outlook attributes are refused by OpenLDAP 2.x. I guess this is
> simply because they are not on the schema. I added a configure option to
> disable them so you can use the module for Unix user administration. It
> takes a long time to check each attribute and find its object class
> (Microsoft does not always use the RFC standard schemas, as the Samba 2.2.1
> docs state) and that's why I implemented a workaround. OpenLDAP 1.0.x
> is not strict about schemas; that's why it worked before.

Ah, I see. I'm sure it's just a matter of finding the right schemas to install, in that case.

Wil
--
W. Reilly Cooley wc...@na...
Naked Ape Consulting http://nakedape.cc
irc.linux.com #orlug,#pdxlug,#lnxs
The penalty for laughing in a courtroom is six months in jail; if it were not for this penalty, the jury would never hear the evidence. -- H. L. Mencken
From: Wil C. <wc...@na...> - 2001-11-23 23:44:26

Also Sprach Fernando Lozano:
> If Webmin runs on the mail/personal web server there's no problem. But
> as I said, I know no Webmin feature to create a remote home dir. Webmin
> is a host administration tool, not yet a network admin tool. But maybe
> I am just outdated... :-) I agree with you that this would not pose
> a security risk.

Okay, I found it in the API docs; there are a few functions, I'll just list a few:

  remote_foreign_call(server, module, function, [arg]*)   (Versions 0.82 and above)

    Calls a function in some module on another server and returns the
    results. You must already have called remote_foreign_require for the
    same server and module before trying to use this function. The
    function parameter is the name of a function to call in the remote
    module, and the parameters after function are arguments that will be
    passed to it. For example:

      &remote_foreign_require("www.blah.com", "apache", "apache-lib.pl");
      @servers = &remote_foreign_call("www.blah.com", "apache", "get_config");

    As the example shows, the remote_foreign_call function returns
    whatever is returned by the function on the remote server.

Wil
--
W. Reilly Cooley wc...@na...
Naked Ape Consulting http://nakedape.cc
irc.linux.com #orlug,#pdxlug,#lnxs
The penalty for laughing in a courtroom is six months in jail; if it were not for this penalty, the jury would never hear the evidence. -- H. L. Mencken
From: Wil C. <wc...@na...> - 2001-11-23 23:44:05

Fernando & I conversed privately about this; I'll forward my responses so they're on the list.

Wil
--
W. Reilly Cooley wc...@na...
Naked Ape Consulting http://nakedape.cc
irc.linux.com #orlug,#pdxlug,#lnxs
The public demands certainties; it must be told definitely and a bit raucously that this is true and that is false. But there are no certainties. -- H.L. Mencken, "Prejudice"
From: Fernando L. <fer...@lo...> - 2001-11-23 16:42:12

Hi Wil,

> Looking over the feature set and TODO list on the web site, I see a
> few things that would be really nice to have. I've d/l'd an older
> version and will be getting the CVS shortly, but while I've been
> meaning to do some LDAP programming, I haven't (and I haven't done
> Perl in quite some time...).

The current 0.0.2pre is the same one as in CVS. I have new code at another location, but the internet link is down and I could not commit. Today my priority is solving bugs on OpenLDAP 2.x and including group and shadow support.

> Here are some things I'd like to see (some of which aren't important
> for me immediately, but could help make this really killer):
>
> o Remote creation of home directories. I haven't delved into
>   the Webmin API yet, but doesn't it have an internal protocol for
>   communicating with other Webmin servers? I see that it creates
>   home directories (missed this earlier), but can it do it remotely?

As far as I know Webmin has no way of doing this. Actually it would be a big security hole. I think if you have network logons (LDAP, NIS, etc.) you should have your home dirs on an NFS server, so the user has his dot-files (his personal settings) everywhere he goes.

> o Setting of 'host' attribute, based (perhaps) on a pre-configured
>   list of hosts. pam_ldap can use this to limit logins only to
>   specified hosts.

Nice idea. I didn't know pam_ldap uses this. What's the object class of this attribute?

> o A "user" version, with administrator-configurable parameters that
>   can be changed. For example, as an ISP I might want users to only
>   be able to change their passwords and possibly mail forwarding
>   (and perhaps hook into a vacation program); as a corporate admin,
>   I might want to allow users to change full names, office locations,
>   etc. from GECOS, and shell. Initially just a password-change
>   module would be adequate.

I guess Webmin supports this kind of user delegation of administrative rights (this is the to-do list item "Webmin ACLs"), but OpenLDAP permissions would do this also, though it would be outside the scope of my module; this would be a feature of the OpenLDAP module.

> o Automatic creation of Cyrus IMAP mailboxes. Is it possible
>   to simply call the existing Cyrus IMAP Webmin module to do the
>   creation?

I don't know and I have no experience with Cyrus. But I agree this is a great idea. It would be very nice if you could investigate.

> o Ability to also set passwords for Samba (2.2.2 has excellent
>   LDAP-user support, according to a friend of mine who re-wrote it).

I plan to study this. Actually I got a patch to use smbpasswd but have not applied it because of lack of time and now I fear there would be too many changes.

> o Passwords for SASL auth, based (perhaps) on the Cyrus-SASL LDAP
>   patch at http://cyrus-utils.sourceforge.net/.

I have to study SASL to do this. I am a complete newbie to LDAP. I created the module to solve a very specific customer problem. :-)

> o Ability to set per-user RADIUS attributes for FreeRADIUS
>   (http://www.freeradius.org)

Nice idea.

> Looking at the web site, it appears that 0.0.2pre isn't 100%
> compatible with OpenLDAP 2.0, but it *seems* like only Outlook
> attributes are missing? Is this correct?

Yes, this is right. I implemented Outlook attributes by trial and error, with no knowledge of the LDAP schema used. I think the bugs will be out (and compatibility fixed with OpenLDAP 2.x and Outlook) when I use the correct object classes and mandatory attributes.

[]s, Fernando Lozano
From: Fernando L. <fer...@lo...> - 2001-11-23 16:42:00

Hi Wil,

>> As far as I know Webmin has no way of doing this. Actually it would be
>> a big security hole. I think if you have network logons (LDAP, NIS, etc.)
>> you should have your home dirs on an NFS server, so the user has his
>> dot-files (his personal settings) everywhere he goes.
>
> I'm running an ISP, so I need a home directory created just on the
> mail/personal web server. I don't run NFS or any RPC services,
> because all of my hosts are publicly accessible, and considerably
> less secure. I can't see how one Webmin service communicating over
> SSL to another configured Webmin service should be less secure.
> I *suppose* I could just run Webmin on the mail server itself,
> and create entries remotely.

If Webmin runs on the mail/personal web server there's no problem. But as I said, I know no Webmin feature to create a remote home dir. Webmin is a host administration tool, not yet a network admin tool. But maybe I am just outdated... :-) I agree with you that this would not pose a security risk.

>> I don't know and I have no experience with Cyrus. But I agree this is
>> a great idea. It would be very nice if you could investigate.
>
> I'll look into it. Based on looking at the features of some other
> modules, I *think* there is some inter-module interface. And I'm
> pretty certain there's a Cyrus IMAP module.

There's a notification API: the standard Users and Groups module may call other modules when a user/group is created, modified or deleted. This way the Samba module can keep smbpasswd in sync. I do not implement this API yet, and I am investigating whether my module could send the notifications instead of just receiving them.

>> I plan to study this. Actually I got a patch to use smbpasswd but have
>> not applied it because of lack of time and now I fear there would be
>> too many changes.
>
> Yeah, it would be preferable probably to internally do the hashing,
> since it might be difficult to have smbpasswd running with the
> correct permissions (since uid=0 isn't necessarily administrative
> through Samba).

The best thing would be to configure Samba to use LDAP instead of its own files. This is supported since 2.1 I guess.

>> Yes, this is right. I implemented Outlook attributes by trial and error,
>> with no knowledge of the LDAP schema used. I think the bugs will be
>> out (and compatibility fixed with OpenLDAP 2.x and Outlook) when I
>> use the correct object classes and mandatory attributes.
>
> Good. The OpenLDAP compatibility is my chief concern; where are the
> incompatibilities? The Outlook address book stuff isn't interesting
> to me at this point, since I'm not going to allow customers to look
> up other customers' e-mail addresses. For businesses I set up,
> it might be useful, although I encourage people to use Netscape
> instead for e-mail.

Certain Outlook attributes are refused by OpenLDAP 2.x. I guess this is simply because they are not on the schema. I added a configure option to disable them so you can use the module for Unix user administration. It takes a long time to check each attribute and find its object class (Microsoft does not always use the RFC standard schemas, as the Samba 2.2.1 docs state) and that's why I implemented a workaround. OpenLDAP 1.0.x is not strict about schemas; that's why it worked before.

> Did you see the section in the OpenLDAP FAQ-O-Matic about this?
> http://www.openldap.org/faq/data/cache/295.html

No, thanks for the URL.

[]s, Fernando Lozano
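Wil's point above, that the module would rather compute the Samba hashes itself than run smbpasswd with the right privileges, comes down to two attribute values on the same LDAP entry: the Unix userPassword and the Samba NT hash. The Python below is an added example written for this page; it is not code from the LDAP Users Admin module, Webmin or Samba. It implements MD4 in pure Python (hashlib's md4 is often unavailable under OpenSSL 3), derives the NT hash exactly as Samba stores it (MD4 over the UTF-16LE password), and builds and verifies an {SSHA} userPassword. The attribute names ntPassword/lmPassword are those of the Samba 2.2 LDAP schema (Samba 3 renamed them sambaNTPassword/sambaLMPassword); the fixed salt in the test is constructed for reproducibility, and the LM hash is deliberately not produced because it is DES-based and weak.

```python
"""Password attributes a user-admin module can write into the LDAP entry
itself rather than shelling out to smbpasswd: Samba's NT hash and an {SSHA}
userPassword. Added example, not module, Webmin or Samba code. MD4 is
implemented here because hashlib's md4 is often missing under OpenSSL 3."""
import base64
import hashlib
import hmac
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (still what the NT hash is built on)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                        # round 1: F, words in order
            a = _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                        # round 2: G, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                        # round 3: H, words 0,8,4,12,2,...
            a = _rotl((a + h(b, c, d) + x[order[i]] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it: MD4 over the UTF-16LE password, upper hex
    (ntPassword in the Samba 2.2 schema, sambaNTPassword from Samba 3)."""
    return md4(password.encode("utf-16-le")).hex().upper()


def make_ssha(password: str, salt: bytes = None) -> str:
    """{SSHA} userPassword value: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Check a password against a {SSHA} value; the salt rides in the blob."""
    if not stored.startswith("{SSHA}"):
        return False
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())


def password_change_mods(password: str) -> dict:
    """Attribute values to replace on one entry after a password change.
    lmPassword is deliberately not set: the LM hash is DES-based and weak."""
    return {"userPassword": make_ssha(password), "ntPassword": nt_hash(password)}


if __name__ == "__main__":
    for attr, value in password_change_mods("password").items():
        print(f"{attr}: {value}")
```

Writing the hashes this way sidesteps the permission problem Wil describes, but it also means the module holds the cleartext password for a moment and must reach the directory over TLS, and that the Samba side has to be told (via the Samba LDAP configuration) to read its hashes from the same entry rather than from smbpasswd.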
From: Fernando L. <fer...@lo...> - 2001-11-23 16:41:41

Hi Wil,

> Okay, I found it in the API docs, there are a few functions, I'll just
> list a few:

That's nice. These functions were not in the API docs I had printed (for 0.78 I guess). So I can add a configure option to specify the home dir server. I can even think of a function that automatically configures a workstation to use pam_ldap and nss_ldap. :-)

[]s, Fernando Lozano
From: Fernando L. <fer...@lo...> - 2001-11-23 16:41:30

Hi Tarjei,

> o A "user" version, with administrator-configurable parameters that
>   can be changed. For example, as an ISP I might want users to only
>   be able to change their passwords and possibly mail forwarding
>   (and perhaps hook into a vacation program); as a corporate admin,
>   I might want to allow users to change full names, office locations,
>   etc. from GECOS, and shell. Initially just a password-change
>   module would be adequate.

The ldap-users-utils has a CGI app that allows the user to change his LDAP password -- they are just some module and Webmin functions packaged separately so you don't need Webmin itself. This could easily be expanded to change other fields. With a little work I would not even need the duplicate code in the two packages.

> o Ability to also set passwords for Samba (2.2.2 has excellent
>   LDAP-user support, according to a friend of mine who re-wrote it).
>
> Yes! I'm using tng-ldap, the schemas are quite similar, so it should
> be fairly easy to let both. I've looked at doing something in PHP, but
> a Webmin module might do the job :)

I'll try Samba with LDAP, but patches are welcome. :-)

[]s, Fernando Lozano
From: Tarjei <ta...@nu...> - 2001-11-23 15:28:38

Hi, I thought I'd provide some input on these:

> o Remote creation of home directories. I haven't delved into
>   the Webmin API yet, but doesn't it have an internal protocol for
>   communicating with other Webmin servers? I see that it creates
>   home directories (missed this earlier), but can it do it remotely?

There's a way by using a certain PAM module.

> o A "user" version, with administrator-configurable parameters that
>   can be changed. For example, as an ISP I might want users to only
>   be able to change their passwords and possibly mail forwarding
>   (and perhaps hook into a vacation program); as a corporate admin,
>   I might want to allow users to change full names, office locations,
>   etc. from GECOS, and shell. Initially just a password-change
>   module would be adequate.

I agree!

> o Ability to also set passwords for Samba (2.2.2 has excellent
>   LDAP-user support, according to a friend of mine who re-wrote it).

Yes! I'm using tng-ldap, the schemas are quite similar, so it should be fairly easy to let both. I've looked at doing something in PHP, but a Webmin module might do the job :)

> o Passwords for SASL auth, based (perhaps) on the Cyrus-SASL LDAP
>   patch at http://cyrus-utils.sourceforge.net/.

? The LDAP patch makes SASL go into the userPassword attribute to check the crypted password. Using SASL, OpenLDAP will go through SASL (or Kerberos) to read the password stored there. Anyhow, I think there's an LDAP method for adding SASL/Kerberos passwords. I do not know if it is implemented in Perl though.

Just my 0.2 cents,
Tarjei

> o Ability to set per-user RADIUS attributes for FreeRADIUS
>   (http://www.freeradius.org)
> o Possibly other password schemes...
>
> Of these, only the first 2 are important to me right now. The next 2
> would be *nice*.
>
> Looking at the web site, it appears that 0.0.2pre isn't 100%
> compatible with OpenLDAP 2.0, but it *seems* like only Outlook
> attributes are missing? Is this correct?
From: Wil C. <wc...@na...> - 2001-11-21 00:56:12

Looking over the feature set and TODO list on the web site, I see a few things that would be really nice to have. I've d/l'd an older version and will be getting the CVS shortly, but while I've been meaning to do some LDAP programming, I haven't (and I haven't done Perl in quite some time...).

Here are some things I'd like to see (some of which aren't important for me immediately, but could help make this really killer):

 o Remote creation of home directories. I haven't delved into the Webmin API yet, but doesn't it have an internal protocol for communicating with other Webmin servers? I see that it creates home directories (missed this earlier), but can it do it remotely?
 o Setting of 'host' attribute, based (perhaps) on a pre-configured list of hosts. pam_ldap can use this to limit logins only to specified hosts.
 o A "user" version, with administrator-configurable parameters that can be changed. For example, as an ISP I might want users to only be able to change their passwords and possibly mail forwarding (and perhaps hook into a vacation program); as a corporate admin, I might want to allow users to change full names, office locations, etc. from GECOS, and shell. Initially just a password-change module would be adequate.
 o Automatic creation of Cyrus IMAP mailboxes. Is it possible to simply call the existing Cyrus IMAP Webmin module to do the creation?
 o Ability to also set passwords for Samba (2.2.2 has excellent LDAP-user support, according to a friend of mine who re-wrote it).
 o Passwords for SASL auth, based (perhaps) on the Cyrus-SASL LDAP patch at http://cyrus-utils.sourceforge.net/.
 o Ability to set per-user RADIUS attributes for FreeRADIUS (http://www.freeradius.org)
 o Possibly other password schemes...

Of these, only the first 2 are important to me right now. The next 2 would be *nice*.

Looking at the web site, it appears that 0.0.2pre isn't 100% compatible with OpenLDAP 2.0, but it *seems* like only Outlook attributes are missing? Is this correct?

Wil
--
W. Reilly Cooley wc...@na...
Naked Ape Consulting http://nakedape.cc
irc.linux.com #orlug,#pdxlug,#lnxs
A prohibitionist is the sort of man one wouldn't care to drink with -- even if he drank. -- H.L. Mencken
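Two of the points raised in this thread are things the directory will not do for the admin tool: Fernando's observation (in the December messages above) that LDAP accepts a second entry with the same uid or uidNumber while Unix cannot cope with it, and Wil's item about the 'host' attribute that pam_ldap checks to restrict where an account may log in. The Python below is an added example written for this page, not code from the LDAP Users Admin module or Webmin; it models the module-side checks over a small constructed LDIF fragment held in memory instead of a live directory. The entries, the host list, the uidNumber range and the base DN are made up for illustration. To answer Fernando's question, the host attribute belongs to the COSINE account object class (RFC 1274), and the pam_ldap behaviour modelled in login_permitted is its pam_check_host_attr option: a login is allowed when the entry's host attribute contains the local hostname or "*", and refused when it has no host value. Note that check-then-add is not atomic, so two administrators adding users at the same time can still collide; later OpenLDAP releases added the unique overlay (slapo-unique) to enforce this on the server, which was not available in 2001.

```python
"""Checks a generic LDAP browser will not do for posixAccount entries:
uid/uidNumber uniqueness, next free uidNumber, and the 'host' attribute
pam_ldap consults for per-host login control. Added example, not module
code; the entries, hosts and ranges below are constructed."""
import re

# Constructed search result over ou=People (plain values, no base64).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
host: mail.example.com
host: shell.example.com

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 1002
host: *

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 1004
"""
CONFIGURED_HOSTS = {"mail.example.com", "shell.example.com", "www.example.com"}
UID_RANGE = range(1001, 60000)  # assumed allocation range for new users
BASE_DN = "ou=People,dc=example,dc=com"


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64, no folding."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():          # blank line ends an entry
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def find_conflicts(entries, uid, uid_number):
    """LDAP stores duplicate uid/uidNumber values without complaint; Unix
    does not cope, so the tool must search before it adds."""
    conflicts = []
    for dn, attrs in entries.items():
        if uid in attrs.get("uid", []):
            conflicts.append(f"uid {uid} already used by {dn}")
        if str(uid_number) in attrs.get("uidNumber", []):
            conflicts.append(f"uidNumber {uid_number} already used by {dn}")
    return conflicts


def next_uid_number(entries, uid_range=UID_RANGE):
    """Lowest uidNumber in range not held by any entry (gaps are reused)."""
    used = {int(v) for a in entries.values() for v in a.get("uidNumber", [])}
    return next(n for n in uid_range if n not in used)


def validate_hosts(hosts, configured=CONFIGURED_HOSTS):
    """Accept only admin-configured hosts, or pam_ldap's '*' wildcard."""
    known = {c.lower() for c in configured}
    bad = [h for h in hosts if h != "*" and h.lower() not in known]
    if bad:
        raise ValueError("unknown host(s): " + ", ".join(bad))
    return sorted(set(hosts))


def add_user(entries, uid, hosts, uid_number=None, gid_number=100):
    """Build the entry for an LDAP add, refusing duplicates. Check-then-add
    is not atomic: two admins adding at once can still collide."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]*", uid):   # uid lands in the DN
        raise ValueError(f"invalid uid {uid!r}")
    if uid_number is None:
        uid_number = next_uid_number(entries)
    conflicts = find_conflicts(entries, uid, uid_number)
    if conflicts:
        raise ValueError("; ".join(conflicts))
    entry = {"dn": [f"uid={uid},{BASE_DN}"], "objectClass": ["account", "posixAccount"],
             "uid": [uid], "uidNumber": [str(uid_number)], "gidNumber": [str(gid_number)],
             "homeDirectory": [f"/home/{uid}"], "host": validate_hosts(hosts)}
    entries[entry["dn"][0]] = entry
    return entry


def login_permitted(entry, hostname):
    """pam_ldap with pam_check_host_attr: allow only if the entry's host
    attribute lists this hostname or '*'; no host attribute means refused."""
    hosts = {h.lower() for h in entry.get("host", [])}
    return "*" in hosts or hostname.lower() in hosts


if __name__ == "__main__":
    people = parse_ldif(SAMPLE_LDIF)
    print(find_conflicts(people, "alice", 1002))
    print(add_user(people, "dave", ["mail.example.com"])["uidNumber"])
    print({dn: login_permitted(e, "www.example.com") for dn, e in people.items()})
```

In a real module the three dictionaries would be replaced by searches such as (uidNumber=1003) and (uid=dave) against the directory, and the uid check matters for more than neatness: the value is interpolated into the DN and into search filters, so an unrestricted string lets a caller alter both.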
From: Fernando L. <fs...@ce...> - 2001-03-31 17:34:34

Hi again Sebastien and list!

I am not sure what to do regarding your proposal (and patch) to use Net::LDAP. I took a look; PerLDAP seems much easier to use than Net::LDAP. But sure, having a pure-Perl module is better. I am worried because PerLDAP lets me just change an entry object and it will transparently generate the LDAP add, modify or delete entry requests as needed. It looks to me that Net::LDAP won't do this, making my module much more complicated.

I was thinking about starting a new branch on CVS so anyone interested can explore Net::LDAP. We could have two versions in parallel and let users decide which is best or not needed.

[]s, Fernando Lozano
From: Fernando L. <fs...@ce...> - 2001-03-31 17:34:34

Hi Sebastien!

I remember you sent me a French language file for LDAP Users Admin, but I cannot find it in my mail folders and development backups. If I am not confusing things, could you please send me your translation again and update it to the new release available on CVS (whose objective is just to integrate all translations I got)? If you prefer I may send you a tar file with the current CVS release.

[]s, Fernando Lozano