|
From: Craig W. <cra...@az...> - 2003-12-16 04:49:58
|
Don't know who wrote the module - but it is fairly cool and seems to work. I would love to have it handle more object classes - especially those for Authentication such as those that are found in the nis.schema which I would presume are the typical fields in Users and Groups.
I would suppose that if/when I ever get kerberos and samba all playing nice with ldap, I could probably use the User Manager for Domains from Win2000 or NT that almost seems sacrosanct.
The program Directory Administrator was a pia to install on Red Hat AS but is pretty cool - that would kick butt as a webmin module.
Craig
|
|
From: Craig W. <cra...@az...> - 2003-12-22 18:18:01
|
starting to get up to speed - it's been painful
feature requests - if you ever start playing with this module again...
1 - Since you use a number of settings from the useradmin - how about using these settings...
    Sort users and groups by Order Display users and groups by
2 - Consider adding givenName/surname/ instead of just cn (obviously your flexibility allows me to put those and mail).
3 - Samba configuration is cool - I just click yes and it auto enters the data per configuration page - LOVE IT! It would be cool if it updated when clicked 'yes' but I can live without. Sometimes I need to change sambaLogonScript.
4 - Consider having button which queries the server for entire LDAP cn= record and display it (on top or bottom)
5 - would love this for useradmin as well, have setting in useradmin (carried through to LDAP Users and Groups naturally) to not display users less than (500 or ?) or even a range of those to display.
Thanks for putting up with my stupid questions and comments.
Craig
|
|
From: Jurgen S. <bl...@Ju...> - 2003-12-23 03:17:16
|
Hi,
When I stop the Qmail server, and restart it again (via the button 'Start
QMail Processes') it's not coming up....
I see in my log it's calling the qmailadmin/start.cgi, my start.cgi is
looking like this:
#!/usr/bin/perl
# start.cgi
# Start the qmail rc command in the background
require './qmail-lib.pl';
if ($config{'start_cmd'}) {
    &system_logged("( $config{'start_cmd'} ) >/dev/null 2>&1 </dev/null &");
}
else {
    &system_logged("$qmail_start_cmd >/dev/null 2>&1 </dev/null &");
}
&webmin_log("start");
&redirect("");
I see the script is called (in the webmin.log) and try to start it up
again:
1072148855.2907.0 [23/Dec/2003 04:07:35] root e92a2653694f82ad54d7f49325a40bcd jurgenstroo.com qmailadmin start.cgi "start" "-" "-"
But it's not working...
When I do it via the command line with the init.d/qmail script it works...
Does someone recognize this?
Thanks in advance,
Jurgen
---------------------------------------------------------------------------
"When a man sits with a pretty girl for an hour, it seems like a minute.
But let him sit on a hot stove for a minute and it's longer than any hour.
That's relativity." [A. Einstein, 1938]
<banner align=left>
hyper text transfer protocol colon slash slash jurgenstroo.com
</banner>
|
|
From: Craig W. <cra...@az...> - 2004-12-12 17:25:10
|
Is it possible to have multiple attributes? It doesn't seem to work and perhaps it is something that I am doing.
I have added objectClass: inetLocalMailRecipient to the module config
I have listed mailLocalAddress twice in the 'extra LDAP properties to allow editing' section but it only grabs the first value and lists it twice - and editing them/deleting them creates errors. I can use ldapadd/modify etc. to create the entries...
# ldapsearch -x -h localhost -b 'dc=tobyhouse,dc=com' '(uid=craig)'
version: 2
#
# filter: (uid=craig)
# requesting: ALL
#
# craig, People, tobyhouse, com
dn: uid=craig,ou=People,dc=tobyhouse,dc=com
cn: Craig White
uidNumber: 1000
gecos: Craig White
mail: craig
uid: craig
gidNumber: 100
sn: White
mailLocalAddress: craigwhite
mailLocalAddress: c.white
<major snippage but you get the idea>
Is there a method of handling this within the module? Jamie, If this is something that you want to consider adding, would it be possible to use some type of symbol so that the field is only listed once but an expanding/contracting # of attributes can be dealt with?
Thanks
Craig
|
|
From: Craig W. <cra...@az...> - 2004-12-12 19:14:52
|
While I'm at it - LDAP Users and Groups - Samba 3 has a problem in that it cannot expand %U or %u macro's (user) from LDAP fields (i.e. sambaProfilePath).
so in module configuration, I tried adding to 'LDAP properties for new Samba Users' things like \\server\profiles\$user and \\server\profiles\ $uid but webmin doesn't expand them.
Is there a simple thing I can do to have samba automatically expand the username in a LDAP user attribute?
Thanks,
Craig
|
|
From: Jamie C. <jca...@we...> - 2004-12-13 04:47:51
|
On Mon, 2004-12-13 at 04:24, Craig White wrote:
> Is it possible to have multiple attributes? It doesn't seem to work and
> perhaps it is something that I am doing.
>
> I have added objectClass: inetLocalMailRecipient to the module config
> I have listed mailLocalAddress twice in the 'extra LDAP properties to
> allow editing' section but it only grabs the first value and lists it
> twice - and editing them/deleting them creates errors. I can use
> ldapadd/modify etc. to create the entries...
>
> # ldapsearch -x -h localhost -b 'dc=tobyhouse,dc=com' '(uid=craig)'
> version: 2
>
> #
> # filter: (uid=craig)
> # requesting: ALL
> #
>
> # craig, People, tobyhouse, com
> dn: uid=craig,ou=People,dc=tobyhouse,dc=com
> cn: Craig White
> uidNumber: 1000
> gecos: Craig White
> mail: craig
> uid: craig
> gidNumber: 100
> sn: White
> mailLocalAddress: craigwhite
> mailLocalAddress: c.white
> <major snippage but you get the idea>
>
> Is there a method of handling this within the module? Jamie, If this is
> something that you want to consider adding, would it be possible to use
> some type of symbol so that the field is only listed once but an
> expanding/contracting # of attributes can be dealt with?
This is really a bug in the module - it doesn't handle multiple instances of an attribute in templates properly. However, it is relatively easy to fix, and will be in the 1.174 development version of Webmin that I will release today ..
- Jamie
|
|
From: Craig W. <cra...@az...> - 2004-12-14 13:18:38
|
On Mon, 2004-12-13 at 15:48 +1100, Jamie Cameron wrote:
> This is really a bug in the module - it doesn't handle multiple
> instances of an attribute in templates properly. However, it is
> relatively easy to fix, and will be in the 1.174 development version of
> Webmin that I will release today ..
----
I d/l and installed 1.174 dev version yesterday but didn't see anything changed. Is this something I will be able to update via module update?
Thanks
Craig
|
|
From: Jamie C. <jca...@we...> - 2004-12-14 22:07:11
|
Craig White wrote ..
> On Mon, 2004-12-13 at 15:48 +1100, Jamie Cameron wrote:
>
> > This is really a bug in the module - it doesn't handle multiple
> > instances of an attribute in templates properly. However, it is
> > relatively easy to fix, and will be in the 1.174 development version of
> > Webmin that I will release today ..
> ----
> I d/l and installed 1.174 dev version yesterday but didn't see anything
> changed. Is this something I will be able to update via module update?
Oops, there is a bug in that code :(
It will work in 1.175 though, promise! Or I could send you an updated module if you like ..
- Jamie
|
|
From: Craig W. <cra...@az...> - 2004-12-15 02:58:39
|
On Wed, 2004-12-15 at 09:06 +1100, Jamie Cameron wrote:
> Craig White wrote ..
> > On Mon, 2004-12-13 at 15:48 +1100, Jamie Cameron wrote:
> >
> > > This is really a bug in the module - it doesn't handle multiple
> > > instances of an attribute in templates properly. However, it is
> > > relatively easy to fix, and will be in the 1.174 development version of
> > > Webmin that I will release today ..
> > ----
> > I d/l and installed 1.174 dev version yesterday but didn't see anything
> > changed. Is this something I will be able to update via module update?
>
> Oops, there is a bug in that code :(
> It will work in 1.175 though, promise! Or I could send you an updated module if you like ..
>
---
I would be more than eager to help you test it out at any point (the module).
You are terrific.
Craig
|
|
From: Craig W. <cra...@az...> - 2005-02-07 21:23:57
|
trying to make use of the 'script to run' feature and I'm not getting
it.
contents of script is...
#!/bin/sh
mysql horde < INSERT INTO horde_prefs VALUES \
('{USER}','ingo','rules','long-string of data')
and I'm not getting a variable substitution for {USER}, only the
literal.
I tried double quotes
Suggestions?
Craig
|
|
From: Jamie C. <jca...@we...> - 2005-02-08 00:39:07
|
Craig White wrote ..
> trying to make use of the 'script to run' feature and I'm not getting
> it.
>
> contents of script is...
>
> #!/bin/sh
> mysql horde < INSERT INTO horde_prefs VALUES \
> ('{USER}','ingo','rules','long-string of data')
>
> and I'm not getting a variable substitution for {USER}, only the
> literal.
>
> I tried double quotes
>
> Suggestions?
You should use $USERADMIN_USER instead of {USER}.
- Jamie
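
A hardened form of the 'script to run' from this exchange, as an added example that is not part of the original posts: Webmin runs the hook as root with the account name in $USERADMIN_USER, so the name is checked against a conservative character set before it is placed in SQL, and the statement is piped to mysql on stdin. The function names, the allowed-character policy and the MYSQL_BIN override are assumptions; the horde database, horde_prefs table and column values come from Craig's script.

```shell
#!/bin/sh
# Added example: Webmin "script to run" hook that inserts a default
# preferences row for the account named in $USERADMIN_USER.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges below byte-exact

# Return 0 only for names made of letters, digits, '.', '_' and '-',
# 1 to 32 characters long and not starting with '-'.
# This policy is an assumption; tighten it to match your site.
valid_username() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the INSERT statement for an already validated user name.
# $2 is an admin-chosen constant and must not contain a single quote.
build_insert() {
    printf "INSERT INTO horde_prefs VALUES ('%s','ingo','rules','%s');\n" "$1" "$2"
}

# Validate the name, then send the statement to mysql on stdin.
# A pipe is used because mysql reads SQL from standard input.
add_prefs() {
    user=$1
    rules=$2
    if ! valid_username "$user"; then
        echo "refusing unsafe user name" >&2
        return 1
    fi
    build_insert "$user" "$rules" | "${MYSQL_BIN:-mysql}" horde
}

# Act only when Webmin has set the variable.
if [ -n "${USERADMIN_USER:-}" ]; then
    add_prefs "$USERADMIN_USER" 'long-string of data'
fi
```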
|
|
From: Murray T. <mtr...@ce...> - 2005-02-08 04:29:05
|
On Tue, 2005-02-08 at 08:38, Jamie Cameron wrote:
> Craig White wrote ..
> > trying to make use of the 'script to run' feature and I'm not getting
> > it.
> >
> > contents of script is...
> >
> > #!/bin/sh
> > mysql horde < INSERT INTO horde_prefs VALUES \
> > ('{USER}','ingo','rules','long-string of data')
> >
> > and I'm not getting a variable substitution for {USER}, only the
> > literal.
> >
> > I tried double quotes
> >
> > Suggestions?
>
> You should use $USERADMIN_USER instead of {USER}.
>
> - Jamie
>
I made the script to run contain "env > /tmp/env.txt" so I could see all
the variables the module uses.
Murray
|
|
From: Craig W. <cra...@az...> - 2005-02-08 23:43:22
|
On Tue, 2005-02-08 at 12:37 +0800, Murray Trainer wrote:
> On Tue, 2005-02-08 at 08:38, Jamie Cameron wrote:
> > Craig White wrote ..
> > > trying to make use of the 'script to run' feature and I'm not getting
> > > it.
> > >
> > > contents of script is...
> > >
> > > #!/bin/sh
> > > mysql horde < INSERT INTO horde_prefs VALUES \
> > > ('{USER}','ingo','rules','long-string of data')
> > >
> > > and I'm not getting a variable substitution for {USER}, only the
> > > literal.
> > >
> > > I tried double quotes
> > >
> > > Suggestions?
> >
> > You should use $USERADMIN_USER instead of {USER}.
> >
> > - Jamie
> >
>
> I made the script to run contain "env > /tmp/env.txt" so I could see all
> the variables the module uses.
----
that was most useful - thanks
by the way - the last rpm that you referenced installed the same IMAP.pm
module that I created from the source rpm's that you directed me to so
the end result was the same. I suppose I could beat it up and figure out
what wasn't working but it seems that the packager is depending upon
things that are in SuSE's environment and didn't work for my RHEL
environment and with the above info, I can pretty much do what I need to
do anyway and probably a lot more.
I wouldn't recommend that anyone draw conclusions from my inability to
make Net::IMAP / NetxAP work as I am not skilled at perl or perl modules
whatsoever but I suspect that the future of the cyrus portion of this
module is in danger of not being usable on many systems.
Thanks for the help
Craig
|
|
From: Craig W. <cra...@az...> - 2005-02-10 02:19:40
|
Ok - creating users works fine
Deleting users presents a new challenge.
cyrus mailbox isn't deleted. Perhaps because I have changed from uw-imap to cyrus after initial install of Webmin means that it isn't aware of where/how to do this.
Are cyrus mailboxes/accounts not dealt with in Webmin?
I could probably script this portion if necessary.
Thanks
Craig
|
|
From: Murray T. <mtr...@ce...> - 2005-02-10 05:22:34
|
Hi Craig,
Was it you that had the problem with getting the perl module working to use the Cyrus functionality in the Webmin LDAP Users and Groups module? If you have resolved that and the Cyrus IMAP Server Options in the module config are setup right and your LDAP schemas are OK, you should be able to add and remove Cyrus IMAP mailboxes automatically as part of adding and removing users. You may have a problem if you added the Cyrus mailboxes after you added the users. Maybe try re-saving a user (a test account) using the Webmin LDAP Users module with IMAP Server Login set to yes and it may sort things out - or it may screw things up too. Jamie might be able to comment about that.
Murray
> Ok - creating users works fine
>
> Deleting users presents a new challenge.
>
> cyrus mailbox isn't deleted. Perhaps because I have changed from uw-imap
> to cyrus after initial install of Webmin means that it isn't aware of
> where/how to do this.
>
> Are cyrus mailboxes/accounts not dealt with in Webmin?
>
> I could probably script this portion if necessary.
>
> Thanks
>
> Craig
>
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> -
> Forwarded by the Webmin mailing list at web...@li...
> To remove yourself from this list, go to
> http://lists.sourceforge.net/lists/listinfo/webadmin-list
|
|
From: Craig W. <cra...@az...> - 2005-02-10 05:41:14
|
On Thu, 2005-02-10 at 13:30 +0800, Murray Trainer wrote:
> Hi Craig,
>
> Was it you that had the problem with getting the perl module working to
> use the Cyrus functionality in the Webmin LDAP Users and Groups module?
---
yes and the variation of NetxAP from SuSE didn't work for me - did the same thing as when I installed it compiled it directly from the src rpm
---
> If you have have resolved that
---
if you call giving up resolved, it is resolved
---
> and the Cyrus IMAP Server Options in the
> module config are setup right and your LDAP schemas are OK, you should
> be able to add and remove Cyrus IMAP mailboxes automatically as part of
> adding and removing users.
---
guess not
---
> You may have a problem if you added the Cyrus
> mailboxes after you added the users. Maybe try re-saving a user (a test
> account) using the Webmin LDAP Users module with IMAP Server Login set
> to yes and it may sort things out - or it may screw things up too.
> Jamie might be able to comment about that.
---
Yeah - I guess that too (deleting cyrus mailboxes) would depend upon the NetxAP (Net::IMAP) perl module being installed and functional.
;-)
Thanks - I've already started scripting it. If I can figure out how to get user/password command into a command line for cyradm, I'll have it licked. You have been really helpful. I don't know why I expected Webmin to delete cyrus accounts when I can't get the perl module installed...what was I thinking?
Craig
|
|
From: Murray T. <mtr...@ce...> - 2005-02-10 10:49:13
|
Craig White wrote:
>On Thu, 2005-02-10 at 13:30 +0800, Murray Trainer wrote:
>
>>Hi Craig,
>>
>>Was it you that had the problem with getting the perl module working to
>>use the Cyrus functionality in the Webmin LDAP Users and Groups module?
>>
>---
>yes and the variation of NetxAP from SuSE didn't work for me - did the
>same thing as when I installed it compiled it directly from the src rpm
>---
>
>>If you have have resolved that
>>
>---
>if you call giving up resolved, it is resolved
>---
>
>> and the Cyrus IMAP Server Options in the
>>module config are setup right and your LDAP schemas are OK, you should
>>be able to add and remove Cyrus IMAP mailboxes automatically as part of
>>adding and removing users.
>>
>---
>guess not
>---
>
>>You may have a problem if you added the Cyrus
>>mailboxes after you added the users. Maybe try re-saving a user (a test
>>account) using the Webmin LDAP Users module with IMAP Server Login set
>>to yes and it may sort things out - or it may screw things up too.
>>Jamie might be able to comment about that.
>>
>---
>Yeah - I guess that too (deleting cyrus mailboxes) would depend upon the
>NetxAP (Net::IMAP) perl module being installed and functional.
>
>;-)
>
>Thanks - I've already started scripting it. If I can figure out how to
>get user/password command into a command line for cyradm, I'll have it
>licked. You have been really helpful. I don't know why I expected Webmin
>to delete cyrus accounts when I can't get the perl module
>installed...what was I thinking?
>
>Craig
>
I am sure there are people on Perl or Redhat mailing lists that would help you to get the NetxAP module working on Redhat instead of you having to reinvent the wheel.
Murray
|
|
From: Craig W. <cra...@az...> - 2005-02-10 20:34:10
|
On Thu, 2005-02-10 at 18:51 +0800, Murray Trainer wrote:
> >
> >
> I am sure their people on Perl or Redhat mailing lists that would help
> you to
> get the NetxAP module working on Redhat instead of you having to
> reinvent the wheel.
>
---
I gather that the reason that this perl module has gone cold is the perl
utilities that are supplied as part of cyrus-imap have supplanted the
code in Net::IMAP or known as the perl module NetxAP
# locate Cyrus::IMAP::Admin
/usr/share/man/man3/Cyrus::IMAP::Admin.3pm.gz
[root@linuxserver scripts]# rpm -q --whatprovides /usr/share/man/man3/Cyrus\:\:IMAP\:\:Admin.3pm.gz
perl-Cyrus-2.2.10-3.fc3
now I know less about perl than I know about cyrus and even less about
webmin though I've used it for a lot of years but I have the following
little program...
# cat ldap_useradmin.deluser
#! /usr/bin/perl -w
use Cyrus::IMAP::Admin;
# Connect to the local Cyrus IMAP server
$imap = Cyrus::IMAP::Admin->new("localhost")
    or die "Failed to connect";
# Log in as the cyrus admin user
$imap->authenticate("-user" => "cyrus",
                    "-password" => "MY_PASS",
                    "-mechanism" => "LOGIN")
    or die "Failed to authenticate";
# Give the admin user the right to delete the mailbox, then delete it
$imap->setacl("user.public","cyrus","+c") or die "Failed to set permissions for cyrus";
$imap->delete("user.public") or die "Failed to delete mailbox";
that can now delete the mailboxes
there is a webmin module (obviously still a little rough around the
edges but entirely functional) called IMAP-Admin which I am certain uses
these perl modules supplied with cyrus.
How long these perl modules have been supplied with cyrus imapd I don't
know - I suppose the change logs would have that info but it does seem
that at best, monkeying with Net::IMAP perl module is a short term fix
and the Users and Groups Module needs to be updated. I would love to
help in this arena but I do have some other things occupying my time and
am going to work it through my way and if and when time permits, I will
slaughter the perl in Jamie's module to see if I can make it work
without the outdated module.
Thanks
Craig
|
|
From: Craig W. <cra...@az...> - 2005-02-11 19:48:31
|
On Thu, 2005-02-10 at 13:34 -0700, Craig White wrote:
> On Thu, 2005-02-10 at 18:51 +0800, Murray Trainer wrote:
> > >
> > >
> > I am sure their people on Perl or Redhat mailing lists that would help
> > you to
> > get the NetxAP module working on Redhat instead of you having to
> > reinvent the wheel.
> >
> ---
> I gather that the reason that this perl module has gone cold is the perl
> utilities that are supplied as part of cyrus-imap have supplanted the
> code in Net::IMAP or known as the perl module NetxAP
>
> # locate Cyrus::IMAP::Admin
> /usr/share/man/man3/Cyrus::IMAP::Admin.3pm.gz
----
replying to my own post... ;-)
I am certain that cyrus-imap versions at least since 2.1.10 have had these perl modules (Cyrus::IMAP::ADMIN and Cyrus::IMAP) as part of the package.
I am also certain that there are more features available such as:
createonpost:
autosubscribeinboxfolders:
autosubscribesharedfolders:
autocreate_sieve_script:
autocreate_sieve_compiledscript:
generate_compiled_sieve_script:
allowallsubscribe:
anysievefolder:
whereas the LDAP Users and Groups config addresses:
autocreatequota:
autocreateinboxfolders:
and not being able to work through the setup, there are entries for:
Email address format
Email domain for mail attribute
Address book base
which I presume refer to entries made into LDAP DSA and can be mostly accomplished with reasonable insight in the upper section.
It would seem then, that this portion of the module isn't entirely functional and as I referred to in previous email, reliant upon a perl module that has fallen into disuse since cyrus has released the perl based Administration modules listed above. I have to believe that SuSE, debian and other distro's that package cyrus-imapd also install these perl modules.
Given that I know about two things about perl...
1) that you need a ';' at the end of each line and
2) that what is likely to be perl code is something that I can stare at for 10 minutes without getting the slightest hint of what it is doing
is a deterrent for me to start hacking away at the perl code in the module that handles the cyrus management.
Craig
|
|
From: Jonas P. <jon...@gm...> - 2015-12-02 12:42:26
|
Just installed the 1,770 version on Ubuntu 14.04 LTS.
It has a working LDAP auth for client and is already serving a cluster of virtual machines. However, I can't use the groups part. Looking with the LDAP Client module I can see that new groups are added with
cn=mygroup,dc=xx,dc=yyy
instead of
cn=mygroup,ou=Groups,dc=xx,dc=yyy
and I can't use that in the servers. (scm-manager,jenkins,archiva...)
Everything is installed with defaults as far as possible. I Manually added a user with correct DN and it's visible everywhere, including LDAP Users&Groups
What do I do?
Thanks!
|
|
From: Jamie C. <jca...@we...> - 2015-12-02 21:20:57
|
On 02/Dec/2015 04:42 Jonas Printzén <jon...@gm...> wrote ..
> Just installed the 1,770 version on Ubuntu 14.04 LTS.
> It has a working LDAP auth for client and is already serving a cluster of
> virtual machines. However, I can't use the groups part. Looking with the
> LDAP Client module I can see that new groups are added with
>
> cn=mygroup,dc=xx,dc=yyy
>
> instead of
>
> cn=mygroup,ou=Groups,dc=xx,dc=yyy
>
> and I can't use that in the servers. (scm-manager,jenkins,archiva...)
>
> Everything is installed with defaults as far as possible. I Manually added
> a user
> with correct DN and it's visible everywhere, including LDAP Users&Groups
>
> What do I do?
In the LDAP Users and Groups module, you can click on the Module Config link and change the base DN for groups.
- Jamie
|
|
From: Jonas P. <jon...@gm...> - 2015-12-08 14:04:19
|
I did not succeed with changing the config in webmin. However changing the config to explicitly state nss_base_passwd and nss_base_group did the trick!
Strange that only webmin needed this to work...
2015-12-02 22:11 GMT+01:00 Jamie Cameron <jca...@we...>:
> On 02/Dec/2015 04:42 Jonas Printzén <jon...@gm...> wrote ..
> > Just installed the 1,770 version on Ubuntu 14.04 LTS.
> > It has a working LDAP auth for client and is already serving a cluster of
> > virtual machines. However, I can't use the groups part. Looking with the
> > LDAP Client module I can see that new groups are added with
> >
> > cn=mygroup,dc=xx,dc=yyy
> >
> > instead of
> >
> > cn=mygroup,ou=Groups,dc=xx,dc=yyy
> >
> > and I can't use that in the servers. (scm-manager,jenkins,archiva...)
> >
> > Everything is installed with defaults as far as possible. I Manually
> added
> > a user
> > with correct DN and it's visible everywhere, including LDAP Users&Groups
> >
> > What do I do?
>
> In the LDAP Users and Groups module, you can click on the Module Config
> link
> and change the base DN for groups.
>
> - Jamie
|
|
From: Jamie C. <jca...@we...> - 2003-12-16 09:59:57
|
That module was one of mine as well..
One feature that I am planning to add is support for shadow password file equivalent attributes for users, like the password change date or expiry date. Are these the ones that you mentioned in nis.schema ?
- Jamie
On Tue, 2003-12-16 at 15:49, Craig White wrote:
> Don't know who wrote the module - but it is fairly cool and seems to
> work. I would love to have it handle more object classes - especially
> those for Authentication such as those that are found in the nis.schema
> which I would presume are the typical fields in Users and Groups.
>
> I would suppose that if/when I ever get kerberos and samba all playing
> nice with ldap, I could probably use the User Manager for Domains from
> Win2000 or NT that almost seems sacrosanct.
>
> The program Directory Administrator was a pia to install on Red Hat AS
> but is pretty cool - that would kick butt as a webmin module.
>
> Craig
|
|
From: Craig W. <cra...@az...> - 2003-12-16 17:06:56
|
On Tue, 2003-12-16 at 02:59, Jamie Cameron wrote:
> That module was one of mine as well..
> One feature that I am planning to add is support for shadow password
> file equivalent attributes for users, like the password change date or
> expiry date. Are these the ones that you mentioned in nis.schema ?
----
those would be very nice.
There are some other fields - I haven't had the time to chase them down (don't know the exact names because if I did, I'd grep them to find which schema that they're in) that are accessible with Directory Assistant which relate to the Windows clients - like their login script / home directory
Craig
|
|
From: Craig W. <cra...@az...> - 2003-12-16 17:51:04
|
On Tue, 2003-12-16 at 10:06, Craig White wrote: > On Tue, 2003-12-16 at 02:59, Jamie Cameron wrote: > > That module was one of mine as well.. > > One feature that I am planning to add is support for shadow password > > file equivalent attributes for users, like the password change date or > > expiry date. Are these the ones that you mentioned in nis.schema ? > ---- > those would be very nice. > > There are some other fields - I haven't had the time to chase them down > (don't know the exact names because if I did, I'd grep them to find > which schema that they're in) that are accessible with Directory > Assistant which relate to the Windows clients - like their login script > / home directory > --- OK - my bad... specifically... LDAP_MOD_ADD objectclass sambaAccount LDAP_MOD_REPLACE smbHome \\linserv1\homes\%U LDAP_MOD_REPLACE homeDrive h LDAP_MOD_REPLACE profilePath \\linserv1\profiles\%U LDAP_MOD_REPLACE scriptPath pr.bat LDAP_MOD_REPLACE rid 2002 <http://de.samba.org/samba/ftp/docs/htmldocs/Samba-LDAP-HOWTO.html> samba.schema (as supplied with 3.0.0) ## ## schema file for OpenLDAP 2.x ## Schema for storing Samba user accounts and group maps in LDAP ## OIDs are owned by the Samba Team ## ## Prerequisite schemas - uid (cosine.schema) ## - displayName (inetorgperson.schema) ## - gidNumber (nis.schema) ## ## 1.3.6.1.4.1.7165.2.1.x - attributetypes ## 1.3.6.1.4.1.7165.2.2.x - objectclasses ## ######################################################################## ## HISTORICAL ## ######################################################################## ## ## Password hashes ## #attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' # DESC 'LanManager Passwd' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' # DESC 'NT Passwd' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) ## ## Account flags in string format ([UWDX ]) ## 
#attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' # DESC 'Account Flags' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) ## ## Password timestamps & policies ## #attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' # DESC 'NT pwdLastSet' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' # DESC 'NT logonTime' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' # DESC 'NT logoffTime' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' # DESC 'NT kickoffTime' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' # DESC 'NT pwdCanChange' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' # DESC 'NT pwdMustChange' # EQUALITY integerMatch # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) ## ## string settings ## #attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' # DESC 'NT homeDrive' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' # DESC 'NT scriptPath' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' # DESC 'NT profilePath' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' # DESC 'userWorkstations' # EQUALITY caseIgnoreIA5Match # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) #attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' # DESC 'smbHome' # EQUALITY caseIgnoreIA5Match # SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26{128} )

#attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain'
#       DESC 'Windows NT domain to which the user belongs'
#       EQUALITY caseIgnoreIA5Match
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

##
## user and group RID
##
#attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid'
#       DESC 'NT rid'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID'
#       DESC 'NT Group RID'
#       EQUALITY integerMatch
#       SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## The smbPasswordEntry objectclass has been depreciated in favor of the
## sambaAccount objectclass
##
#objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY
#       DESC 'Samba smbpasswd entry'
#       MUST ( uid $ uidNumber )
#       MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags ))

#objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
#       DESC 'Samba Account'
#       MUST ( uid $ rid )
#       MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
#               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
#               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
#               description $ userWorkstations $ primaryGroupID $ domain ))

#objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
#       DESC 'Samba Auxiliary Account'
#       MUST ( uid $ rid )
#       MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
#               logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
#               displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
#               description $ userWorkstations $ primaryGroupID $ domain ))

########################################################################
## END OF HISTORICAL ##
########################################################################

#######################################################################
## Attributes used by Samba 3.0 schema ##
#######################################################################

##
## Password hashes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword'
        DESC 'LanManager Password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword'
        DESC 'MD4 hash of the unicode password'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE )

##
## Account flags in string format ([UWDX ])
##
attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags'
        DESC 'Account Flags'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE )

##
## Password timestamps & policies
##
attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet'
        DESC 'Timestamp of the last password update'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange'
        DESC 'Timestamp of when the user is allowed to update the password'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange'
        DESC 'Timestamp of when the password will expire'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime'
        DESC 'Timestamp of last logon'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime'
        DESC 'Timestamp of last logoff'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime'
        DESC 'Timestamp of when the user will be logged off automatically'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## string settings
##
attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive'
        DESC 'Driver letter of home directory mapping'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript'
        DESC 'Logon script path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath'
        DESC 'Roaming profile path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
        DESC 'List of user workstations the user is allowed to logon to'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath'
        DESC 'Home directory UNC path'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName'
        DESC 'Windows NT domain to which the user belongs'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

##
## SID, of any type
##
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
        DESC 'Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## Primary group SID, compatible with ntSid
##
attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID'
        DESC 'Primary Group Security ID'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )

##
## group mapping attributes
##
attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType'
        DESC 'NT Group Type'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

##
## Store info on the domain
##
attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid'
        DESC 'Next NT rid to give our for users'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid'
        DESC 'Next NT rid to give out for groups'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid'
        DESC 'Next NT rid to give out for anything'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase'
        DESC 'Base at which the samba RID generation algorithm should operate'
        EQUALITY integerMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

#######################################################################
## objectClasses used by Samba 3.0 schema ##
#######################################################################

## The X.500 data model (and therefore LDAPv3) says that each entry can
## only have one structural objectclass. OpenLDAP 2.0 does not enforce
## this currently but will in v2.1
##
## added new objectclass (and OID) for 3.0 to help us deal with backwards
## compatibility with 2.2 installations (e.g. ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
        DESC 'Samba 3.0 Auxilary SAM Account'
        MUST ( uid $ sambaSID )
        MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
              sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
              sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
              displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
              sambaProfilePath $ description $ sambaUserWorkstations $
              sambaPrimaryGroupSID $ sambaDomainName ))

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
        DESC 'Samba Group Mapping'
        MUST ( gidNumber $ sambaSID $ sambaGroupType )
        MAY ( displayName $ description ))

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
        DESC 'Samba Domain Information'
        MUST ( sambaDomainName $ sambaSID )
        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
              sambaAlgorithmicRidBase ) )

## used for idmap_ldap module
objectclass ( 1.3.6.1.4.1.7165.1.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
        DESC 'Pool for allocating UNIX uids/gids'
        MUST ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.1.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
        DESC 'Mapping from a SID to an ID'
        MUST ( sambaSID )
        MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.1.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
        DESC 'Structural Class for a SID'
        MUST ( sambaSID ) ) |