how to export normal unix user to ldap I've unbuntu ldap server with some local users. I want to export all my local users to ldap database as a ldap users. Or if there is any configuration so that when ever a normal user is created then automatically an ldap user with the same name as the normal user will be created
View 5 RepliesI setup openldap and samba on 9.10. The ubuntu desktop client gets authenticated successfully with the server. But when I do a passwd on the client, only the ldap passwd is getting changed but not in the samba and the unix user account.
My smb.conf
Code:
passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups
[code].....
But only the ldap password is getting changed and not in the samba and unix user account.
I tried
unix password sync = yes
but same result.
Anyway i have a very old Mandrake server where a previous owner hosted mailboxes on. This server is getting very slow and does alot of e-mail related tasks like:popsmtpmxIt runs on sendmail (which is also very outdated...) and it doesnt seem to respond to its config files. And the whole smtp and mx thing leaves us with some really weird mail problems...So i want to implement it in our current mail setup in which i have it all on seperate servers:2 smtp server (dns roundrobbing) (postfix)4 mx servers (1 etrn) (postfix)1 webmail server (v-webmail) (just apache and connects to the pop/imap server)And 1 pop/imap server (postfix, dovecot)I also want to implement smtp authentication because of all the mobile clients i have to host... This is where it gets tricky.
I want to export the unix user table of the old mandrake server and import that into a mysql database. This database will be used to authenticate the smtp users.I also want the export of the unix users to import it to the other pop/imap server so users can logon to that server instead of the crappy Mandrake server.I would expect that the export from unux users to mysql (including passwords) is the hardest part. I googled it, but some of the stuff i found didnt seem to be very reliable, so thats where you guys kick in :-). So is this possible? If so, how can i do it?I know i should go with some kind of ldap situation but that seems a way bigger hassle then this setup.
I have Ubuntu 10.04.2 (Linux 2.6.32-33-server on x86_64) with OpenLDAP 2.4.21 and Webmin1.550. I converted my ldap database from another system with the older style schema (OpenLDAP 2.3.3 with slightly older Webmin version 1.480) and no longer use slapd.conf, but the newer slapd.d format.
It all works fine except for one thing. When I add a new user, it lets me type in the additional LDAP fields:
But when I click the Create button, all the fields get jumbled together in the Title/Position box with a diamond question mark delimiting the fields:
Modifying existing users (which have the Additional fields displaying correctly) also has the same result - it moves the fields all into the one Title/Position box with the diamond shapes with question marks inside between each entry. Is it a problem with my schema files? I tried reverting to the older shema files and slapd.conf and it still did the same thing on the new system. I am really at a loss.
Here is also the output of ldapsearch for that user (host and samba ids are sanitized):
Previously added users that show the fields properly have "description:" and then the field listed for each Additional LDAP field. Also shouldn't the "title" be visible in plain human readable text here? - it looks like it encrypted it somehow - similar to a password hash. The older system works fine and the fields are all readable and in their proper locations. But the new system just doesn't work right.
I have set up an NFS server on Fedora 13, and I am connecting to it with Fedora 13 and Ubuntu 10.
On both clients the command
Code:
works fine. On Fedora I can get into the directory with Nautilus and have read/write permissions as specified in /etc/exports on the server, but on Ubuntu I can only get into it from a sudo'd command line.
The ownership of the file on Fedora is "nobody" and on Ubuntu it's "user #500", with only people in the "500" group having access to it.
Obviously the permissions can't be changed on the client, but with the Fedora box being able to read/write to it with no problems I'm not sure what else I can do on the server to let normal users on the Ubuntu box read it.
I am using RackMonkey to map out my lab. Unfortunately, due to RM limitations, every user who accesses the site has write access UNLESS they are logged in as a user named "guest". I currently have Apache allowing only the users (sysadmins) in an LDAP group access to RM, but I would like to allow read-only access for other users as well.I found mod_authn_anon, but I am having trouble combining the two authentication methods. I am using Apache 2.2.18 (compiled myself) on SLES 11.1.
This is the common part:
Code:
AuthType Basic
AuthBasicProvider ldap anon
Order allow,deny
Allow from all
This part by itself works for the LDAP authentication:
Code:
AuthName "System Admins"
AuthLDAPURL "ldaps://example.com/ou=ldap,o=example.com?mail" SSL
Require ldap-group cn=SysAdmins,ou=memberlist,ou=groups,o=example.com
This part works by itself for guest access:
Code:
Anonymous guest
Anonymous_VerifyEmail Off
Anonymous_MustGiveEmail Off
Anonymous_LogEmail on
Require valid-user
But if I have both of the previous blocks enabled at once, then guest access does not work. If I throw in a "Satisfy any", then I am not prompted for a username at all. How can I allow access to this LDAP group and to a user named "guest", but not allow all valid LDAP users to log in?
Anyone had any issues with connection to LDAP server from evolution as a normal user, but if evolution is started as sudo/root it works fine. This is on 10.10
View 1 Replies View RelatedI setup openldap and samba on 9.10. The ubuntu desktop client gets authenticated successfully with the server.
But when I do a passwd on the client, only the ldap passwd is getting changed but not in the samba and the unix user account.
My smb.conf
Code:
passdb backend = ldapsam:ldap://192.168.3.100
ldap suffix = dc=example,dc=local
ldap user suffix = ou=People
ldap group suffix = ou=Groups
[Code]....
I maintain a samba PDC for a small business, our current setup does not work very well; on a hardware upgrade I directled imported the old ldap database and attempting to add machines to the domain causes all sorts of trouble.
I'm 95% sure the original database (which predates my employment) was created using the idealx smb-ldap tools, unfortunately on our current platform (debian lenny) these tools seem to be broken; the only things hey seem to do reliably are set passwords and add posix users, asking them to do anything involving samba/windows causes errors. The idealx tools seem to be abandoned, and I don't know enough perl to try and fix them.
Since the idealx scripts seem to be abandoned, and most of the good samba+ldap how-tos references the idealx tools, I was wondering what people use nowadays to manage there ldap directories; surely they aren't importing .ldif files to add new users/machines like I've been doing. Are people just writing thier own management scripts/web-apps? Or are the smb=ldap tools just broke on debian?how to generate the NT/LM password hashes and proper SIDs, does anybody have anything they could point me to about this?
I have an existing unix user that some how didnt make it into the copy over to our LDAP server. How do I add an existing unix user to an existing LDAP directory? Will ldapadd work? I was under the impression ldapadd required an ldif file to work properly.
View 7 Replies View RelatedThe normal user is now in the sudoers group. How can i allow it to install programs using it's own password rather than having to know the super-secret Root-Users password?
View 5 Replies View RelatedI installed and configured LDAP server and client on RHEL5 successfully. Problem is that when I add more than one user on server and clients, It shows error 'invalid user'.When I run the command:-#chown -R user:users /home/user, It shows error 'invalid user'. by step for adding and modifying more users in ldap servers.
View 1 Replies View RelatedIm an IT manager for a small company with a small ammount of users. We already use linux for our data server and I would like to implement a domain controller. All of our user machines are WIndows XP pro.
Ive been reading up on using OpenLDAP as an alternative to active directory.
What I want is just a simple active directory like server, with a GUI if possible.
What do I need to look at and how would I go about setting this up? Im fairly proficient with Ubuntu already, I just need to be pointed in the right direction.
Is it even possible to have my windows users be able to log in to their machines using an ubuntu domain controller?
for security reasons,I want to disable shutdown for normal user, but the post here does not help me. It is because when I open the /etc/X11/gdm/gdm.conf I just saw a blank file. I use the 9.10 version.
View 6 Replies View RelatedI've compiled openssh-5.4p1 on RHEL 4.8 with Openssl 0.9.8m + pam It works perfect without pam (pam-0.77-66), both with password and public key auth. Whith pam enabled and LDAP (openldap-2.4.21, from scratch) something strange happens: system users: I can do ssh with both password and public key LDAP users: public key works for remote users, still I cannot do ssh with just password. I'm trying a custom PAM configuration, because the default one (even with authconfig + LDAP ) blocks ssh even with system users.
My pam SSHD configuration is:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
[code]....
My LDAP users are ok: i can do "su - " remote LDAP (so that nss_ldap is OK), also getent passwd and getent group is ok.
Samba up and running on my pc. pc runs FC12 with kde. A laptop has win vista. The pc can access the shares on the laptop but the laptop has authentication issues to access the pc. Note that windows doesnt enforce authentication forincoming network connections.Using the system-config-samba util i tried to map a windows user to the unix user "feduser". The laptop (named LAPPY) has a user (lapuser) which has on windows no password.What should I tell samba config what the windows username should be? lapuser or LAPPYlapuser doesnt work because when accessing the pc via the laptop, the authentication fails. The only auth that is successful is when choosing the same winusername as the unix username.
Secondary, id like to setup the laptop so that the user doesnt have to provide a name and password, or at least not more then once in the lifetime of the laptop. Note that you cant provide an empty password to system-config-samba. How is that possible?
Strange but not really on issue imho:the samba - KDE control module(kcmshall4) (and the smb.conf) shows 2 shares: the homedirs and the data dir the samba server configurator (system-config-samba) shows only the datadir.
I have a openldap server running on one machine (fedora10) and pam_ldap.so and nss_ldap.so running on the other machine.
I have added a new user to the LDAP server database, this user is not created on client machine.
1. Can i login to the client machine using this new user?
2. Now if i try logging with this new user I am getting error messages, the error messages are as follows at client side
Sep 2 10:34:36 localhost sshd[8484]: Invalid user kim from 10.254.194.148
Sep 2 10:34:36 localhost sshd[8485]: input_userauth_request: invalid user kim
Sep 2 10:35:16 localhost sshd[8484]: pam_ldap: error trying to bind as user "cn=min soo,ou=people,dc=samsung,dc=com" (Invalid credentials)
[Code]....
I've setup an Ubuntu 10.10 LDAP Client to authenticate off my LDAP server. I've install the following: sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds Here's my /etc/nsswitch.conf: passwd: files ldap [NOTFOUND=return] db group: files ldap [NOTFOUND=return] db
[Code]...
I installed CentOS 5.2 and then run yum update. I configured this server as LDAP/Samba primary domain controller. LDAP seems to be OK and for testing I am able to create users with:smbldap-tools useradd -am usernameI can ssh into the server as root and also as a Linux user which was locally created in the server. But ssh into the server as LDAP user fails (from a Fedora 11 machine) with "Permission denied, please try again", prompting again for password.Some data:
# rpm -qa | grep ldap
python-ldap-2.2.0-2.1
php-ldap-5.1.6-23.2.el5_3
[code]....
I have Ubuntu server 10.04 joined to a domain using Likewise Open. I can login using my domain credentials and have added my domain account to the sudoers file. Now that I've got it joined to the domain I want to add some samba shares and have domain members use their accounts to access them. However, no matter what combination of my domain name and the domain user or group I use in the valid users field it won't let me in. What's the proper way of inputting a domain user or group in the valid user field?
This is the entry I'm using for the share:
Code:
[testshare]
path = /srv/testshare
valid users = @"Domain Name+Domain Group" (Have tried many things here)
public = no
writable = yes
printable = no
create mask = 0765
I have a question that i want to make a normal user to execute the commands which the root user is able to execute, say if i have a user named siru and when i logged in using siru i cannot run commands like tracert,nmap@loccalhost and all but i can run when i have logged into root account so my question is how to make siru to run the command tracert,nmap@localhost.I have even edited the .bash_profile of siru's home directory from
# .bash_profile
# Get the aliases and functions
if [ -f ~/.bashrc ]; then
[code]...
In the past I found some great help on this forum, so here goes. Bare with me because it's a long story. I'll try to be as complete as possible. I've installed and configured OpenLdap on a virtual machine with ip 192.168.39.134. I've added 2 users via LAM. In the ou WikiUsers and the domain is wiki.local.
I've then created another host with ip 192.168.39.133 with mediawiki installed on it. Then I added the extension LDAPAuthenthication. In the LdapAuthentication file I added this code (only the last paragraph is mine, I added the others to show it's location in the script):
Quote:
$path = array( $IP, "$IP/includes", "$IP/languages" );
set_include_path( implode( PATH_SEPARATOR, $path ) . PATH_SEPARATOR . get_include_path() );
[code]...
I know I'm close because I can't register any new users or accounts on the mediawiki site. Although I could before I added the LDAP service. This is indeed all just to test and get to know how LDAP works. That's why it's all virtual in VMWare. I did not really configure anything on the LDAP, i just installed it and chose a domain (wiki.local).
As per subject, what's the best way to run a CRON job for something that "normal" users need to run as SUDO? There is a problem with the internal clock on my PC so at a regular time (every hour or day for example) I want to sync with my Network Time server. I use "sudo ntpdate time.bgr.local" as it is now and have to enter my user's password for it to work.I know root is disabled by default and would like to keep it that way if possible but if I have to enable it and then add it to root's cron list the so be it but would prefer not to.
View 5 Replies View RelatedI can't seem to find how to export a variable to all processes I run under my user? I have an application that needs this variable, and currently I have to manually export this variable (typing "export VAR=... in terminal) every time before I run the application.
Which profile file I have to put the export expression into? I want all processes to inherit this variable, not just the shell/terminal. I.e. a true environment variable...
I'm niomi and I'm the first account with sudo. I add an account, bob. niomi can get in reliably on active mode. (maybe relevant?: passive doesn't work) bob is jailed to his home directory, niomi is in ftp-special which gives her access to /. bob can't log in and his shell is set to bin/false. What could have gone wrong?
View 3 Replies View Relatedright now all of our users are able to log in to other user using su as root.Because root privilege is necessary for our work. we r using LDAP authentication(centralized)..
What we want to do to disable su usage to log in as other user?
We have just installed VNC. It seems to work fine. If we connect to a remote system using VNC, on say DISPLAY 5, it works and we can run our applications. If another person wants to view this session, they can also connect to DISPLAY 5, and it is fine.
However, if you are just sitting at your own system, without using VNC, and someone connects to your system using VNC to DISPLAY 0, so you can show them what you are doing, they do not see your session, they see a plain startup session, not the session in which you are running your applications... How do you let VNC users see your normal non-VNC session? Have I configured something wrongly? We are new to VNC!
I have shared two external harddrives via samba on ubuntu, but only I can access it. The reason being is because I have logged into linux, and become the owner of the external hdd's. On the permission properties, I can see that the group I have created every other user under has "No Folder Access", and if I change this it reverts back instantly. So frustrating, I've tried to chmod it which hasn't done a thing. The owner of the external hdd's seems to be the only person who can access it over samba.Is there anyway I can get normal users to just read and write to external hdd's?
View 9 Replies View RelatedI have an Openldap server and many 9.10 servers using it to check for possible ssh users. No problems there. Just brought up my first 10.04 server and went through the same procedure to allow ldap users to ssh in, works great. The problem is that ldap users cannot su to root on the 10.04 server. Only locally defined users can su to root, though they cannot su to ldap users. The local root user can su to anyone. Quick overview of how I installed ldap login:
Code:
# apt-get install libnss-ldap
# echo "session required pam_mkhomedir.so skel=/etc/skel/" >> /etc/pam.d/common-session
And added ldap to the end of these lines in /etc/nsswitch.conf:
Code:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
This process has worked without a hitch on 9.10 dozens of times. So my question is, why are ldap and local users now incapable of using su across authentication mechanisms? For reference these are the error messages in /var/log/auth.log when trying to su to root from an ldap user:
Code:
Jun 14 16:17:07 server unix_chkpwd[6560]: check pass; user unknownJun 14 16:17:07 server unix_chkpwd[6560]: password check failed for user (root)
Jun 14 16:17:07 server su[6559]: pam_unix(su:auth): authentication failure; logname=ldapuser uid=2000 euid=2000 tty=/dev/pts/5 ruser=ldapuser rhost= user=root
Jun 14 16:17:09 server su[6559]: pam_authenticate: Authentication failure
Jun 14 16:17:09 server su[6559]: FAILED su for root by ldapuser
And the auth.log for trying to su to an ldap user from a local one:
Code:
Jun 14 17:18:18 server su[8473]: pam_unix(su:auth): authentication failure; logname=localuser uid=1000 euid=1000 tty=/dev/pts/0 ruser=localuser rhost= user=ldapuser
Jun 14 17:18:18 server su[8473]: Successful su for ldapuser by localuserJun 14 17:18:18 server su[8473]: + /dev/pts/0 localuser:ldapuser
Jun 14 17:18:18 server su[8473]: bad group ID `2000' for user `ldapuser': Operation not permitted
Here's what I want to do: install ubuntu on a laptop and then create a normal user so that the user could install the normal upgrades without using the root account (or getting root privileges via sudo).
I know that this can be done by adding the user to the admin group, but this has (at least) two bad side effects:
1. The user can use sudo to gain root access. (And then do everything: install or remove programs...)
2. The update-manager doesn't seem to appear in the panel. (In stead it opens in the background.)
I could easily make a script that downloads and installs the upgrades automaticly, but I'd like to give the user a chance to choose when to do all this. So that it's not done for example when the user is using slow mobile connection.