Openldap administration

Hey all, first off, I must admit: great work so far =)
I have a question though: how would it be possible to administer the LDAP db remotely with tools like
Apache Directory Browser?
I tried already with the admin account, but every attempt to modify the schema fails with "no write access to parent"
I would like to delete a machine account, is there any other way to achieve this, without fiddling with ldap?

kr, marcel

I moved 5 posts to an existing topic: Deleting a Samba machine account

ok,

but if he wants to use a tool from an external machine … luserdel
will not be available :slight_smile:

1 Like

Hey, yes using the libuser as well.
But there seems to be no ACL in place, at least not in ldap.conf… Is there a way to give the domain admin write access via ACL somehow? In the meantime I will give the escaped command a shot, didn't know that…

I think we need phpLDAPadmin for managing LDAP :smile:

This project already exists

http://phpldapadmin.sourceforge.net/wiki/index.php/Main_Page

Why not? This seems a good idea to me! @Nas, would you like to start writing a howto about phpLDAPadmin on NethServer? The HowToMaster @AbsyntH could give a hint on this!

1 Like

How about a cn=manager or admin account for LDAP? Where could I see the password or something like this?

I think it's not phpLDAPadmin that is needed; there are LDAP browsers/editors out there. We just need a remote user with write access to the schema…
So as far as I can see, only localhost is allowed to write to the directory!?

Remote LDAP management is awful, make an SSH tunnel for managing! We need a localhost management instrument and a management account for doing this!

I agree… no need for remote administration…

We need such a feature merged into the NS GUI.

phpLDAPadmin, and for Jabber we need the VCARD LDAP module for merging users' name and surname + mobile telephone into the roster; it could be a great feature!

I moved a post to a new topic: phpLDAPadmin HowTo

I moved 2 posts to an existing topic: phpLDAPadmin HowTo

@davidep @zamboni @alefattorini check my tutorial and say whether phpLDAPadmin ruins some LDIF and schema?

1 Like

:relaxed: @nas Great work! It does not modify any configuration file managed by templates. Thus it’s OK for me.


@feenix: the root user has full privileges on the LDAP tree through the ldapi:// socket. This is the CentOS default. Just remember to use the -Y EXTERNAL option on ldap* commands. For instance

ldapsearch -Y EXTERNAL -b cn=config
ldapdelete -Y EXTERNAL 'uid=yourmachine$' # <- does it work?

Unfortunately some services (like samba or libuser) don’t like ldapi:// and require an account. And ACLs. To inspect LDAP ACLs use the commands from

http://docs.nethserver.org/projects/nethserver-devel/en/latest/directory.html#inspect-openldap-acls


:pray: be careful when accessing LDAP. It is the Unix and Samba accounts backend. It contains very sensitive information. It's more than /etc/passwd. It's like /etc/shadow.

  • Don’t expose it to remote access.
  • Don’t change ACLs!
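The local-socket workflow from the posts above, as an added shell example that is not code from the thread or from NethServer: it resolves a machine account's DN with ldapsearch over ldapi:// as root (SASL EXTERNAL), refuses to delete anything whose DN does not start with the expected uid, and only reads the ACLs rather than changing them. The machine name, the search base and the output file names are assumptions; the thread gives none of them. It follows the advice above in that nothing is exposed remotely.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenLDAP on this host listening on
# ldapi:/// (the CentOS default named in the thread) and the ldap* client tools.

# Build the search filter for a Samba machine account. Machine uids end in "$";
# inside an LDAP filter the "$" needs no escaping, only the shell quoting does.
machine_filter() {
    printf '(uid=%s$)' "$1"
}

# Extract the DN from LDIF on stdin (first "dn:" line only). Base64 "dn::"
# lines are not handled here and would yield an empty result.
dn_from_ldif() {
    awk '/^dn: / { sub(/^dn: /, ""); print; exit }'
}

# Read-only look at the access rules, as the thread suggests (no changes made).
show_acls() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess
}

# Resolve the DN of machine "$1" (without the trailing "$") under base "$2".
# Prints nothing when there is no such entry.
find_machine_dn() {
    ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b "$2" "$(machine_filter "$1")" dn \
        | dn_from_ldif
}

# Delete the machine account only after its DN was resolved and starts with the
# uid we asked for, so a stray filter match cannot remove something else.
delete_machine() {
    dn=$(find_machine_dn "$1" "$2") || return 1
    if [ -z "$dn" ]; then
        echo "no entry for uid=$1\$ under $2" >&2
        return 1
    fi
    case "$dn" in
        "uid=$1\$,"*) ;;
        *) echo "unexpected DN: $dn" >&2; return 1 ;;
    esac
    ldapdelete -Y EXTERNAL -H ldapi:/// "$dn"
}

# Usage (assumed values): sh thisfile.sh ws01 dc=example,dc=com
if [ "$#" -eq 2 ]; then
    delete_machine "$1" "$2"
fi
```

Run it as root on the NethServer host itself; it never needs a bind DN or password because the ldapi:// socket maps the local root identity to full access, which is exactly why it should not be reachable from other machines.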

I moved a post to an existing topic: phpLDAPadmin HowTo