User management using LDAP and libuser

libuser is a collection of libraries and tools to manage users and groups under Linux or UNIX-like systems. libuser has several modules allowing to manage users and groups through different backends, like local (password and shadow) and LDAP (the LDAP backend has been somewhat unusable up to version 0.52).

The LDAP module, however, requires the user to supply a BIND_PW (password) for the BIND_DN (user) in order to authenticate against the LDAP directory server an perform the modifications. In automated deployment scenarios, it’s essential to be able to perform operations on to the LDAP directory server without asking the user for the password. Instead, the password used to authenticate against the LDAP directory server could be well stored in libuser’s configuration file, /etc/libuser.conf.

I’ve made a patch against libuser that implements a new configuration parameter for the LDAP module. This new parameter is named password, and specifies the password for the user binddn user.

Here is a sample of libuser’s configuration file, /etc/libuser.conf:

[defaults]
# The default (/usr/lib*/libuser) is usually correct
# moduledir = /your/custom/directory
skeleton = /etc/skel
mailspooldir = /var/mail
modules = ldap
create_modules = ldap
crypt_style = md5

[userdefaults]
LU_USERNAME = %n
LU_UIDNUMBER = 10000
LU_GIDNUMBER = %u
LU_HOMEDIRECTORY = /home/%n
LU_LOGINSHELL = /bin/bash

[groupdefaults]
LU_GROUPNAME = %n
LU_GIDNUMBER = 10000

[ldap]
# Setting these is always necessary.
server = ldap://directory.server.fqdn
basedn = dc=example,dc=com

# Setting these is rarely necessary, since it's usually correct.
userBranch = ou=People
groupBranch = ou=Groups

# Set only if your administrative user uses simple bind operations to
# connect to the server.
binddn = cn=Directory Manager
password = secret

The patched SRPM and diff patch can be obtained from here: libuser-0.52.5-1.el4.1

Advertisements

8 thoughts on “User management using LDAP and libuser

  1. A better aproach (IMHO) would be storing the password into a external file, like /etc/libuser.secret. This file permissions would be 600 (only readable by root). /etc/libuser.conf permission is 644 (users can read its contents, and so the password)

  2. Being a full-time mother of 3-month old baby. I was looking for an apportunity where I could earn from house while helping others in this area. Thanks for the info on this site. I have recently commenced my own online online community. I appreciate the experience and information on how to help people. This is a passion of mine.

  3. Hello, Neat post. There’s a problem along with your web site in web explorer, would check this? IE nonetheless is the market leader and a large component of folks will miss your wonderful writing due to this problem.

  4. Howdy would you mind sharing which blog platform you’re using? I’m going to start my own blog in the near future but I’m having a tough time choosing between BlogEngine/Wordpress/B2evolution and Drupal. The reason I ask is because your layout seems different then most blogs and I’m looking for something unique. P.S My apologies for being off-topic but I had to ask!

  5. Thank you for being my personal tutor on this topic. I actually enjoyed your article a lot and most of all appreciated how you actually handled the side I considered to be controversial. You’re at all times very sort in direction of readers really like me and help me in my living. Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s