LDAP Users and Groups

From Webmin Documentation

This page explains how to use an LDAP Server to store Unix Users and Groups.

Introduction to LDAP

LDAP is a network protocol that can be used to share databases of Unix users, groups and other information between multiple systems. Typically, a single LDAP Server will store a database of users, which is then queried by multiple clients. If these clients also mount home directories via NFS (covered in NFS Exports and Disk and Network Filesystems), users will be able to log in to any one of those systems with the same username and password. In many ways, LDAP is used similarly to NIS, covered on the NIS Client and Server page. If you are looking for a way to configure your system to use an existing LDAP server, see the LDAP Client page.

If your system is configured to use an LDAP server for storing Unix users and groups, this module can be used to manage users in an LDAP database. LDAP is often used as an alternative to NIS for synchronizing user information across multiple systems in a network, as a database can store additional attributes for each user in addition to the standard Unix username, shell and so on.

Naturally, an LDAP server must be running on your system or on some host on your network for this module to be used. In addition, one or more hosts must be configured to use LDAP for user and/or group authentication. Neither of these tasks can be done from within the module - they must be done manually, or with other Webmin modules for the purpose.

If you have Samba configured to use an LDAP server as well, this module can also create and manage the password attributes each LDAP user needs in order to log in to the Samba server. For this feature to work, your LDAP server must be configured to support the additional Samba attributes and object class for each user in its schema. Only when the Samba login? option is set to Yes will the Samba attributes be created.

The module can also create users on a Cyrus IMAP server, if it is set up to authenticate against the same LDAP database. It will create mailboxes for each new user, subscribe the user to his mailboxes and grant admin access to them. If an LDAP user is deleted, his IMAP mailbox will be as well. Currently this feature only works with the Cyrus IMAP server - it has not been tested and is probably not even necessary for other servers, which use users' home directories for mail storage.

Configuration

The most complex part of using this module is configuring it to talk to your LDAP server. By default, it will attempt to auto-detect the settings by looking at the LDAP client settings on your system, documented on the LDAP Client page. However, if this fails (perhaps because the LDAP server is not one of its own clients), you will need to configure the module manually as follows:

  1. On the module's main page, click on the Module Config link.
  2. In the LDAP server host field, enter the hostname of your LDAP server. If it is running on the same machine, enter localhost.
  3. If the LDAP server is using encryption, change the LDAP server uses TLS? option to Yes.
  4. In the Bind to LDAP server as field, enter the full DN of the administrative user for your LDAP server. This might be something like cn=Manager,dc=my-domain,dc=com.
  5. In the Credentials for bind name above field, enter the password for the above administrative DN.
  6. In the Base for users field, enter the DN under which all users can be found and under which new users should be created. This is typically something like dc=Users,dc=my-domain,dc=com.
  7. Similarly, in the Base for groups field, enter the DN under which groups are found and under which new groups should be created. This is typically something like dc=Groups,dc=my-domain,dc=com.
  8. Click the Save button.

Assuming that all your settings are correct, the module should now display a list of existing users and groups, with links to add new ones. From here on, it can be used exactly like the Users and Groups module.

Module Server Configuration Options

LDAP Users and Groups module

This module is essentially the same as the Users and Groups module. However, instead of modifying your system's /etc/passwd and /etc/group files, it talks to an LDAP Server (such as OpenLDAP) and modifies users in the server's database. At the moment, it assumes that you already have an LDAP server set up with base DNs created for your users and groups.

LDAP Users and Groups - Main screen

Create User

LDAP Users and Groups - Create User

Batch add

This form allows you to create, modify or delete many users at once from an uploaded or local text file. Each line in the file specifies one action to take, depending on its first field. The line formats are:

create:username:passwd:uid:gid:realname:homedir:shell:min:max:warn:inactive:expire
modify:oldusername:username:passwd:uid:gid:realname:homedir:shell:min:max:warn:inactive:expire
delete:username

In create lines, if the uid field is left empty, Webmin will assign a UID automatically. If the gid field is empty, Webmin will create a new group with the same name as the user. The username, homedir and shell fields must be supplied for every user - all other fields are allowed to be empty. If the passwd field is blank, no password will be assigned for the user. If it contains just the letter x, the account will be locked. Otherwise, the text in the field will be taken as the cleartext password and encrypted. In modify lines, an empty field will be taken to mean that the corresponding user attribute is not to be modified.
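
Because the passwd field carries cleartext passwords and a blank value creates an account with no password, it is worth checking a batch file before uploading it. The following is an added example, not Webmin's own code: a small linter for the three line formats above that reports malformed lines and classifies each passwd field without keeping the secret. The names lint_batch and password_state, the sample lines, the required fields for modify and delete, and splitting on ':' with no escaping are assumptions.

```python
# Added example, not Webmin code. Field layouts come from the line formats
# above; splitting on ':' with no escaping is an assumption.
CREATE = ("username:passwd:uid:gid:realname:homedir:shell:"
          "min:max:warn:inactive:expire").split(":")
LAYOUT = {"create": CREATE, "modify": ["oldusername"] + CREATE,
          "delete": ["username"]}
REQUIRED = {"create": ("username", "homedir", "shell"),
            "modify": ("oldusername",),  # assumption: target must be named
            "delete": ("username",)}     # assumption

def password_state(action, value):
    """Classify the passwd field using the rules stated on the page."""
    if value == "":
        return "unchanged" if action == "modify" else "none"
    return "locked" if value == "x" else "cleartext"

def lint_batch(text):
    """Return (records, problems); problems are (line_no, message) tuples."""
    records, problems = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        action, *values = raw.strip().split(":")
        names = LAYOUT.get(action)
        if names is None:
            problems.append((no, f"unknown action {action!r}"))
        elif len(values) != len(names):
            problems.append((no, f"{action}: expected {len(names)} fields, got {len(values)}"))
        elif any(not values[names.index(f)] for f in REQUIRED[action]):
            problems.append((no, f"{action}: required field is empty"))
        else:
            rec = dict(zip(names, values), action=action)
            if "passwd" in rec:  # keep the classification, drop the secret
                rec["passwd"] = password_state(action, rec["passwd"])
                if rec["passwd"] == "none":
                    problems.append((no, "create: account gets no password"))
            records.append(rec)
    return records, problems

# Constructed sample input.
SAMPLE = """\
create:alice:S3cret:::Alice A:/home/alice:/bin/bash:::::
create:bob:x:1501:100:Bob B:/home/bob:/bin/sh:::::
create:carol::::Carol C:/home/carol::::::
modify:bob:bob::::::/bin/bash:::::
delete:dave
create:erin::::Erin E:/home/erin:/bin/bash:::::
"""
```

Calling lint_batch(SAMPLE) rejects line 3 (empty shell) and warns on line 6 (blank passwd on a create line). Any line classified as cleartext means the file itself should be treated as a secret: restrict its permissions and delete it after the import.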