15.6. The LDAP Account Manager

The LDAP Account Manager (LAM) is an application suite that has been written in PHP. LAM can be used with any Web server that has PHP4 support. It connects to the LDAP server either using unencrypted connections or via SSL/TLS. LAM can be used to manage Posix accounts as well as SambaSAMAccounts for users, groups, and Windows machines (hosts).

LAM is available from the LAM home page[1] and from its mirror sites. LAM has been released under the GNU GPL version 2. The current version of LAM is 0.4.9. Release of version 0.5 is expected in the third quarter of 2005.

[1] <http://sourceforge.net/projects/lam/>

Requirements:

  • A web server that will work with PHP4.

  • PHP4 (available from the PHP[2] home page.)

    [2] <http://www.php.net/>

  • OpenLDAP 2.0 or later.

  • A Web browser that supports CSS.

  • Perl.

  • The gettext package.

  • mcrypt + mhash (optional).

  • It is also a good idea to install SSL support.

LAM is a useful tool that provides a simple Web-based interface for managing the contents of the LDAP directory. It can be used to:

  • Display user/group/host and Domain entries.

  • Manage entries (Add/Delete/Edit).

  • Filter and sort entries.

  • Store and use multiple operating profiles.

  • Edit organizational units (OUs).

  • Upload accounts from a file.

  • Work with both Samba-2.2.x and Samba-3.

When correctly configured, LAM allows convenient management of UNIX (Posix) and Samba user, group, and windows domain member machine accounts.

The default password is "lam." It is highly recommended that you use only an SSL connection to your Web server for all remote operations involving LAM. If you want secure connections, you must configure your Apache Web server to permit connections to LAM using only SSL.

APACHE CONFIGURATION STEPS FOR LAM

1.

Extract the LAM package by untarring it as shown here:

root#   tar xzf ldap-account-manager_0.4.9.tar.gz 

Alternatively, install the LAM DEB for your system using the following command:

root#   dpkg -i ldap-account-manager_0.4.9.all.deb 

2.

Copy the extracted files to the document root directory of your Web server. For example, on SUSE Linux Enterprise Server 9, copy to the /srv/www/htdocs directory.

3.

Set file permissions using the following commands:

root#   chown -R wwwrun:www /srv/www/htdocs/lam
root#   chmod 755 /srv/www/htdocs/lam/sess
root#   chmod 755 /srv/www/htdocs/lam/tmp
root#   chmod 755 /srv/www/htdocs/lam/config
root#   chmod 755 /srv/www/htdocs/lam/lib/*pl

4.

Using your favorite editor create the following config.cfg LAM configuration file:

root#   cd /srv/www/htdocs/lam/config
root#   cp config.cfg_sample config.cfg
root#   vi config.cfg

An example file is shown in Example 15.6.1. This is the minimum configuration that must be completed. The LAM profile file can be created using a convenient wizard that is part of the LAM configuration suite.

5.

Start your Web server then, using your Web browser, connect to the LAM URL[3]. Click on the Configuration Login link, then click on the Configuration Wizard link to begin creation of the default profile so that LAM can connect to your LDAP server. Alternatively, copy the lam.conf sample file to a file called lam.conf then, using your favorite editor, change the settings to match local site needs.

[3] <http://localhost/lam>

An example of a working file is shown here in Example 15.6.2. This file has been stripped of comments to keep the size small. The comments and help information provided in the profile file that the wizard creates are very useful and will help many administrators to avoid pitfalls. Your configuration file obviously reflects the configuration options that are preferred at your site.
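The two points a practitioner most wants to verify after the steps above are the ones the text stresses: that the directories the Web server must write to (sess, tmp, config) were not left world-writable while setting permissions, and that the Web server really does serve LAM only over SSL. The script below is an added example written for this page, not part of LAM or the book. It assumes the /srv/www/htdocs/lam path used in the steps, a hostname supplied as a parameter (ldap.example.com is a placeholder), and the standard mod_ssl directives SSLRequireSSL and Redirect; the certificate paths in the fragment are assumptions and must match your site.

```sh
#!/bin/sh
# Added example (not from the book or the LAM project): audit the file
# permissions of a LAM install and emit an SSL-only Apache fragment.
# Assumed layout: LAM under /srv/www/htdocs/lam, as in the text.

# Return 0 if none of the directories LAM writes to is world-writable
# and config.cfg is private, 1 otherwise. "Writable by the Web server
# user" (wwwrun) is what the chown/chmod steps give; "writable by
# everyone" would let any local user plant session or temp files that
# the PHP code will trust.
lam_check_perms() {
    lamdir="${1:-/srv/www/htdocs/lam}"
    rc=0
    for d in sess tmp config; do
        p="$lamdir/$d"
        if [ ! -d "$p" ]; then
            echo "missing directory: $p"
            rc=1
            continue
        fi
        # ls -ld prints e.g. drwxr-xr-x; character 9 is the "other"
        # write bit (type, then user rwx, group rwx, other rwx).
        mode=$(ls -ld "$p" | cut -c1-10)
        case "$mode" in
            ????????w?) echo "world-writable: $p ($mode)"; rc=1 ;;
        esac
    done
    # config.cfg holds LAM's own settings (assumption: in 0.4.x this
    # includes the master password, whose default the text gives as
    # "lam"), so it should be neither world-readable nor world-writable.
    cfg="$lamdir/config/config.cfg"
    if [ -f "$cfg" ]; then
        mode=$(ls -ld "$cfg" | cut -c1-10)
        case "$mode" in
            ???????r??|????????w?)
                echo "config.cfg readable/writable by others: $mode"
                rc=1 ;;
        esac
    fi
    return $rc
}

# Print an Apache fragment in which LAM is reachable only over TLS.
# SSLRequireSSL (mod_ssl) answers any non-TLS request for the directory
# with 403; the Redirect in the plain-HTTP vhost sends clients that
# typed http:// to the HTTPS URL. Hostname and certificate paths are
# placeholders to be replaced with the site's own values.
lam_apache_ssl_fragment() {
    host="${1:-ldap.example.com}"
    cat <<EOF
# Plain-HTTP vhost: never serve LAM here, send the client to HTTPS.
<VirtualHost *:80>
    ServerName $host
    Redirect permanent /lam https://$host/lam
</VirtualHost>

# HTTPS vhost: LAM is served only here.
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl.crt/$host.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/$host.key
    <Directory /srv/www/htdocs/lam>
        SSLRequireSSL
    </Directory>
</VirtualHost>
EOF
}

# Usage: sh lam-check.sh /srv/www/htdocs/lam
if [ "$#" -gt 0 ]; then
    lam_check_perms "$1"
fi
```

Run the permission check after step 3 and again after editing config.cfg in step 4; it exits non-zero and names the offending path when something is open to other users. The Apache fragment is printed rather than installed so that it can be reviewed and merged into the site's existing vhost configuration; once it is in place, a request to http://host/lam should be redirected and a direct non-TLS request to the directory should be refused.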

It is important that your LDAP server is running at the time that LAM is being configured. This permits you to validate correct operation. An example of the LAM login screen is provided in Figure 15.6.

Figure 15.6. The LDAP Account Manager Login Screen


The LAM configuration editor has a number of options that must be managed correctly. An example of use of the LAM configuration editor is shown in Figure 15.7. It is important that you correctly set the minimum and maximum UID/GID values that are permitted for use at your site. The default values may not allow the initial account values needed for the well-known Windows network users and groups to be set. The best work-around is to temporarily set the minimum values to zero (0) to permit the initial settings to be made. Do not forget to reset these to sensible values before using LAM to add additional users and groups.

Figure 15.7. The LDAP Account Manager Configuration Screen


LAM has some nice but unusual features. For example, most application screens include an unexpected option to generate a PDF file that lists configuration information. This is a well thought out facility. This option has been edited out of the following screen shots to conserve space.

When you log onto LAM the opening screen drops you right into the user manager as shown in Figure 15.8. This is a logical action as it permits the most-needed facility to be used immediately. The editing of an existing user, as with the addition of a new user, is easy to follow and very clear in both layout and intent. It is a simple matter to edit generic settings, UNIX specific parameters, and then Samba account requirements. Each step involves clicking a button that intuitively drives you through the process. When you have finished editing simply press the Final button.

Figure 15.8. The LDAP Account Manager User Edit Screen


The edit screen for groups is shown in Figure 15.9. As with the edit screen for user accounts, group accounts may be rapidly dealt with. Figure 15.10 shows a sub-screen from the group editor that permits users to be assigned secondary group memberships.

Figure 15.9. The LDAP Account Manager Group Edit Screen


Figure 15.10. The LDAP Account Manager Group Membership Edit Screen


The final screen presented here is one that you should not normally need to use. Host accounts will be automatically managed using the smbldap-tools scripts. This means that the screen shown in Figure 15.11 will, in most cases, not be used.

Figure 15.11. The LDAP Account Manager Host Edit Screen


One aspect of LAM that may annoy some users is the way it forces certain conventions on the administrator. For example, LAM does not permit the creation of Windows user and group accounts that contain spaces even though the underlying UNIX/Linux operating system may exhibit no problems with them. Given the propensity for using upper-case characters and spaces (particularly in the default Windows account names) this may cause some annoyance. For the rest, LAM is a very useful administrative tool.

The next major release, LAM 0.5, will have fewer restrictions and support the latest Samba features (e.g., logon hours). The new plugin-based architecture also allows many more account types to be managed, such as plain UNIX accounts. The upload facility can now handle groups and hosts, too. Another important addition is the tree view, which allows LDAP objects to be browsed and edited directly.



    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    Year: 2005