Re: [Ldap-users-devel] TODO/wish list
From: Fernando L. <fer...@lo...> - 2001-11-23 16:42:00
Hi Wil,

>>As far as I know webmin has no way of making this. Actually it would be a big security hole. I think if you have network logons (LDAP, NIS, etc) you should have your home dirs on a NFS server, so the user has its dot-files (his personal settings) everywhere he goes.
>>
>I'm running an ISP, so I need a home directory created just on the
>mail/personal web server. I don't run NFS or any RPC services,
>because all of my hosts are publicly accessible, and considerably
>less secure. I can't see how one Webmin service communicating over
>SSL to another configured Webmin service should be less secure.
>I *suppose* I could just run Webmin on the mail server itself,
>and create entries remotely.
>

If webmin runs on the mail/personal web server there's no problem. But as I said, I know no webmin feature to create a remote home dir. Webmin is a host administration tool, not yet a network admin tool. But maybe I am just outdated... :-)

I agree with you that this would not pose a security risk.

>>I don't know and I have no experience with Cyrus. But I agree this is a great idea. It would be very nice if you could investigate.
>>
>I'll look into it. Based on looking at the features of some other
>modules, I *think* there is some inter-module interface. And I'm
>pretty certain there's a Cyrus IMAP module.
>

There's a notification API the standard Users and Groups module may call other modules when a user/group is created, modified or deleted. This way the samba module can keep the smbpasswd in sync. I do not implement this API yet, and I am investigating if my module could send the notifications instead of just receiving them.

>>I plan to study this. Actually I got a patch to use smbpasswd but have
>>not applied it because of lack of time and now I fear there would be too many changes.
>>
>Yeah, it would be preferable probably to internally do the hashing,
>since it might be difficult to have smbpasswd running with the
>correct permissions (since uid=0 isn't necessarily administrative
>through Samba).
>

The best thing would be to configure samba to use LDAP instead of its own files. This is supported since 2.1 I guess.

>>Yes, this is right. I implement Outlook attributes by trial and error,
>>with no knowledge of the LDAP schema used. I think the bugs will be
>>out (and compatibility fixed with openldap 2.x and outlook) when I
>>use the correct objectclasses and mandatory attributes.
>>
>Good. The OpenLDAP compatibility is my chief concern; where are the
>incompatibilities? The Outlook address book stuff isn't interesting
>to me at this point, since I'm not going to allow customers to look
>up other customers' e-mail addresses. For businesses I set up,
>it might be useful, although I encourage people to use Netscape
>instead for e-mail.
>

Certain Outlook attributes are refused by Openldap 2.x. I guess this is simply because they are not on the schema. I added a configure option to disable them so you can use the module for Unix user administration. It takes a long time to check each attribute and find its object class (Microsoft does not always use the RFC standard schemas, as samba 2.2.1 docs state) and that's why I implemented a workaround. Openldap 1.0.x is not strict about schemas, that's why it worked before.

>Did you see the section in the OpenLDAP FAQ-O-Matic about this?
>http://www.openldap.org/faq/data/cache/295.html
>

No, thanks for the url.

[]s, Fernando Lozano