Openldap administration


#1

Hey all, first off, I must admit: great work so far =)
I have a question though, how would it be possible to administer the ldap db remotely with tools like
ApacheDirectory Browser?
I tried already with the admin account, but every attempt to modify the schema fails with "no write access to parent"
I would like to delete a machine account, is there any other way to achieve this, without fiddling with ldap?

kr, marcel


Deleting a Samba machine account
(Davide Principi) #2

I moved 5 posts to an existing topic: Deleting a Samba machine account


(Wolfgang Höfer) #7

ok,

but if he wants to use a tool from an external machine … luserdel
will not be available :slight_smile:


#8

Hey, yes using the libuser as well.
But there seems to be no acl in place, at least not in ldap.conf… Is there a way to give the domain admin write access via acl somehow? In the meantime I will give the escaped command a shot, didn't know that…


(Artem Fedai) #9

i think we need PHPLDAPADMIN for managing LDAP :smile:


(Jose "Martin" Abeleira. AKA Marto) #10

This project already exists

http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page


(Davide Principi) #11

Why not? This seems a good idea to me! @Nas, would you like to start writing a howto about phpLDAPadmin on NethServer? The HowToMaster @AbsyntH could give a hint on this!


(Artem Fedai) #12

how about cn=manager or admin account for ldap? where could I see the password or something like this!


#13

I think it's not phpldapadmin that is needed - there are ldap browsers/editors out there - we just need a remote user with write access to the schema…
So as far as I can see, only localhost is allowed to write to the directory!?


(Artem Fedai) #14

remote ldap management is awful, make an SSH tunnel for managing! we need a localhost management instrument and a management account for doing this!


(Stefano) #15

I agree… no need for remote administration…

we need such a feature merged into NS gui


(Artem Fedai) #16

phpldapadmin and for Jabber we need the module VCARD LDAP for merging Users Name and Surname + mob tel into the Roster, it could be a great feature!


(Davide Principi) #17

I moved a post to a new topic: phpLDAPadmin HowTo


(Davide Principi) #18

I moved 2 posts to an existing topic: phpLDAPadmin HowTo


(Artem Fedai) #20

@davidep @zamboni @alefattorini check my tutorial and say whether phpldapadmin ruins some LDIF and schema?


(Davide Principi) #21

:relaxed: @nas Great work! It does not modify any configuration file managed by templates. Thus it’s OK for me.


@feenix: the root user has full privileges on the LDAP tree through the ldapi:// socket. This is the CentOS default. Just remember to use -Y EXTERNAL option on ldap* commands. For instance

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
ldapdelete -Y EXTERNAL -H ldapi:/// 'uid=yourmachine$' # <- does it work?

Unfortunately some services (like samba or libuser) don’t like ldapi:// and require an account. And ACLs. To inspect LDAP ACLs use the commands from

http://docs.nethserver.org/projects/nethserver-devel/en/latest/directory.html#inspect-openldap-acls


:pray: be careful when accessing LDAP. It is the Unix and Samba accounts backend. It contains very sensitive information. It's more than /etc/passwd. It's like /etc/shadow.

  • Don’t expose it to remote access.
  • Don’t change ACLs!
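The post above says to inspect the OpenLDAP ACLs rather than change them, and the thread's open question is whether anything other than localhost can write to the directory. The following is an added example (not NethServer's code and not part of the original thread) that parses the olcAccess directives as printed by a cn=config dump and flags clauses where a broad identity (`*`, `anonymous`, `users`) is granted write, or any read of password attributes. The LDIF samples are constructed for illustration and do not reflect NethServer's real configuration; the attribute names and the root peercred DN are the usual OpenLDAP/Samba ones.

```python
"""Parse and audit OpenLDAP olcAccess directives (cn=config ACLs).

Added example, not NethServer's code. It works on the text that
`ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` prints,
so it can also be run offline on a saved dump. Only the common
`to <what> by <who> <access> [control]` shape is handled.
"""
import re
from typing import List, Tuple

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "continue", "break"}
# Identities that match any remote or anonymous bind; write from these is a red flag.
BROAD_WHO = {"*", "anonymous", "users"}
# Attributes holding credential material; even compare/read is too much for BROAD_WHO.
SECRET_ATTRS = {"userpassword", "sambalmpassword", "sambantpassword", "shadowlastchange"}

# Constructed sample of a sane configuration: only root over ldapi:// (peercred)
# manages cn=config, only the admin DN writes, passwords are hidden from everyone else.
SAMPLE_LDIF = """\
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none

dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn.base="cn=ldapadmin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to attrs=sambaLMPassword,sambaNTPassword by dn.base="cn=ldapadmin,dc=example,dc=com" write by self write by * none
olcAccess: {2}to * by dn.base="cn=ldapadmin,dc=example,dc=com" write by * read
"""

# Constructed sample of the kind of ACL change the post warns against.
RISKY_LDIF = """\
dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to attrs=userPassword by * read
olcAccess: {1}to * by users write
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_olc_access(text: str) -> List[Tuple[str, List[Tuple[str, str]]]]:
    """Return [(target, [(who, access), ...]), ...] in directive order."""
    acls = []
    for line in unfold_ldif(text):
        if not line.lower().startswith("olcaccess:"):
            continue
        body = line.split(":", 1)[1].strip()
        body = re.sub(r"^\{\d+\}", "", body)  # drop the {n} ordering prefix
        parts = re.split(r"\s+by\s+", body)
        if not parts[0].startswith("to "):
            continue
        target = parts[0][3:].strip()
        clauses = []
        for clause in parts[1:]:
            tokens = clause.split()
            who = tokens[0]
            # First token after <who> that is not a control keyword is the access level.
            access = next((t for t in tokens[1:] if t not in CONTROLS), "(unspecified)")
            clauses.append((who, access))
        acls.append((target, clauses))
    return acls


def _level(access: str) -> int:
    # Unknown or missing levels (e.g. "+w" privilege syntax) are treated as write so
    # they get flagged for manual review rather than silently passing.
    return LEVELS.index(access) if access in LEVELS else LEVELS.index("write")


def audit_olc_access(text: str) -> List[str]:
    """Flag broad identities with write, or with compare/read on secret attributes."""
    findings = []
    for target, clauses in parse_olc_access(text):
        m = re.search(r"attrs=([\w,]+)", target)
        attrs = {a.lower() for a in m.group(1).split(",")} if m else set()
        secret_target = bool(attrs & SECRET_ATTRS)
        for who, access in clauses:
            if who not in BROAD_WHO:
                continue
            if _level(access) >= _level("write"):
                findings.append(f"'{who}' may {access} on '{target}'")
            elif secret_target and _level(access) >= _level("compare"):
                findings.append(f"'{who}' may {access} credential attrs on '{target}'")
    return findings


if __name__ == "__main__":
    for name, dump in (("SAMPLE_LDIF", SAMPLE_LDIF), ("RISKY_LDIF", RISKY_LDIF)):
        print(name, audit_olc_access(dump) or "no findings")
```

To run it against a live server, save the output of the ldapsearch command from the post to a file as root and pass its contents to `audit_olc_access`; an empty result means no ACL hands write, or password read, to anonymous or arbitrary bound users, which is the property the post's "don't expose it, don't change ACLs" advice is protecting.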

LDAP integration problem
(Davide Principi) #22

I moved a post to an existing topic: phpLDAPadmin HowTo