A Little LDAP Progress


I'm trying to move forward with the plan I outlined the other day. In short I want to use LDAP to simplify my home network of five computers and six users. I haven't got as far as setting up a login yet but I have got the LDAP server running on one of the computers (named copper) that's running OpenSuse 10.2. Today I just want to talk about the steps I've taken to experiment at getting something going. I'm learning this as I go and these are just notes to help remember how I got to where I am. If they help you too then that's great.

Getting the Server and a Database

I installed the OpenLDAP server package via Yast. I also installed a package that allows you to manage an OpenLDAP server through Yast. So when I closed Yast and started it up again, in the Network Services section there's an LDAP Server item that lets me set stuff up through a GUI. I've had mixed results with this sort of tool in Suse. The NFS server tool is fine but the Apache tool in Yast is terrible. I find a GUI easier with something new to me and a config file easier once I'm familiar with it. So I poked around in the Yast LDAP Server configuration tool for a while. I had to click Configure... then Add Database since I have no database for LDAP yet. To create the database, it needs to know the Base DN. Every example I could find was based on web sites or a corporation with one website. If I were to use latenightpc.com then I should use "dc=latenightpc, dc=com" as the Base DN. But this is at home, it doesn't have anything to do (directly) with latenightpc.com so for a first try I just used the name of the computer, copper. So I filled in "dc=copper" and entered an administrator password. When I hit Okay, the tool showed dc=copper as an available database. Great. I pressed Finish and I'm back to Yast. Feels somehow... anticlimactic. Yast also has an LDAP Browser, so I decided to try that now that I have an LDAP server running. I didn't get a whole lot out of the one in Yast but that could be because I'm an amateur. Once the database has some information in it maybe it'll be more obvious but I couldn't figure out how to create new stuff with it.

Web-based LDAP Administration with phpLDAPadmin

Since I spend a lot of time on computers in different places, I decided to try phpLDAPadmin. It was pretty easy to install, I just muddled around in the config file after copying the files to my web root. To start using phpLDAPadmin in a meaningful way, I had to authenticate as the database administrator. That means dealing with the funny-looking distinguished names. The Administrator name has to be entered as cn=Administrator,dc=copper with no spaces. After logging in I could see the LDAP database on the left pane but all it has in it is a root node, called copper. I decided that creating User Accounts would be a good place to start. I got this idea because phpLDAPadmin lists all the schema that it knows about when you try to create a new object.

Finally making a User Account

The User Account is a schema meant to correspond to a user's access rights on a computer. So I tried to create a User Account several times and failed. Then I realized that it had nowhere to get the required user group ID from. When I create a user on the computer (from the shell), the computer already knows about all the defaults for new users. LDAP doesn't know that. So I created a "Posix Group -SUSE" called 'users' and it worked - the gid is set automatically but it can be changed later. A quick way to get the GID for a group is ls then ls -n in the shell. You can look at the group named in one list then the corresponding group number in the next list. My users group has gid 100. So in phpLDAPadmin, I clicked the + by the new users group then clicked the "Create new entry here" link. Each open group shows a create item like this and you can tell which node in the tree it belongs to by the indentation level. I created a User Account and this time it worked. It kind of makes sense since users must be in groups but a Linux user can be a member of many groups. I don't yet know how membership in multiple groups that can be represented in LDAP. I I read a little bit of the RFC on LDAP Schema for User Applications to help me understand what Schema are in LDAP.

Wrapping Up

After that I tried adding a couple address book items but so far it's not making organized sense. I think I have to evaluate what shape the tree should be for LDAP and find out how different objects can refer to each other. Right now I know that copper shouldn't be the root node. User groups and accounts on the machine named copper should be represented by child nodes of the LDAP object copper. Maybe there's an arrangement that has a subtree of computers with their associated groups and user accounts in them and another subtree with people in it. I do eventually want to correctly include an Address Book for each user so that it can be read by Thunderbird and other applications but that's still a long way off. Before I get there I have to also figure out how to have contact information that may or may not be tied to a user. For example, I'd like my daughter's email address in my list of contacts and she is a person with an account. My mom should be in the list of contacts but she's not a person with a user account. The Schema so far don't seem flexible enough for this but I'm sure that there's a way.
Your rating: None

hey so did you ever manage to work out how to combine user accounts + addressbooks?

Wow, it's been 7 month but sorry, nothing yet. I put LDAP on the backburner for a little while but I will get back to it eventually.