LDAP Users and Groups

This page explains what an LDAP server is, and how it can store Unix users and groups.

Introduction to LDAP

LDAP is a network protocol that can be used to share databases of Unix users, groups and other information between multiple systems. Typically, a single LDAP server will store a database of users, which is then queried by multiple clients. If these clients also mount home directories via NFS (covered in NFSExports and DiskAndNetworkFilesystems), users will be able to log in to any one of those systems with the same username and password. In many ways, LDAP is used similarly to NIS, covered on the NISClientAndServer page. If you are looking for a way to configure your system to use an existing LDAP server, see the LDAPClient page.

The LDAP Users and Groups module

This module is essentially the same as the Users and Groups module, covered on the UsersAndGroups page. However, instead of modifying your system's /etc/passwd and /etc/group files, it talks to an LDAP server (such as OpenLDAP) and modifies users in the server's database. At the moment, it assumes that you already have an LDAP server set up with base DNs created for your users and groups.


Configuring the module

The most complex part of using this module is configuring it to talk to your LDAP server. By default, it will attempt to auto-detect the settings by looking at the LDAP client settings on your system, documented on the LDAPClient page. However, if this fails (perhaps because the LDAP server is not one of its own clients), you will need to configure the module manually as follows:

  1. On the module's main page, click on the Module Config link.
  2. In the LDAP server host field, enter the hostname of your LDAP server. If it is running on the same machine, enter localhost.
  3. If the LDAP server is using encryption, change the LDAP server uses TLS? option to Yes.
  4. In the Bind to LDAP server as field, enter the full DN of the administrative user for your LDAP server. This might be something like cn=Manager,dc=my-domain,dc=com.
  5. In the Credentials for bind name above field, enter the password for the above administrative DN.
  6. In the Base for users field, enter the DN under which all users can be found and under which new users should be created. This is typically something like dc=Users,dc=my-domain,dc=com.
  7. Similarly, in the Base for groups field, enter the DN under which groups are found and under which new groups should be created. This is typically something like dc=Groups,dc=my-domain,dc=com.
  8. Click the Save button.

Assuming that all your settings are correct, the module should now display a list of existing users and groups, with links to add new ones. From here on, it can be used exactly like the Users and Groups module, documented on the UsersAndGroups page.
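
The settings from the steps above can be checked from a shell before they are saved in the module. The script below is an added example, not part of Webmin: it uses the OpenLDAP ldapsearch client, warns when the administrative bind password would cross the network without TLS, and confirms that the bind DN and both base DNs work. It assumes that the TLS option means StartTLS on the standard LDAP port; the default values are the sample DNs from this page, and the script name and password file path are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for the values entered under Module Config (added example).
# Defaults are the constructed sample values from this page; override via environment.
LDAP_HOST=${LDAP_HOST:-localhost}
LDAP_TLS=${LDAP_TLS:-yes}   # assumption: "LDAP server uses TLS?" means StartTLS
BIND_DN=${BIND_DN:-cn=Manager,dc=my-domain,dc=com}
USER_BASE=${USER_BASE:-dc=Users,dc=my-domain,dc=com}
GROUP_BASE=${GROUP_BASE:-dc=Groups,dc=my-domain,dc=com}

# Succeeds (0) when the password of a simple bind would cross the network
# unencrypted: TLS is off and the server is not on this machine.
cleartext_bind_risk() {  # $1 = host, $2 = yes|no
    [ "$2" = "yes" ] && return 1
    case "$1" in
        localhost|127.0.0.1|::1) return 1 ;;
    esac
    return 0
}

# Prints -ZZ (require StartTLS, abort if it cannot be negotiated) when TLS is on.
tls_flag() {  # $1 = yes|no
    if [ "$1" = "yes" ]; then echo "-ZZ"; fi
}

# Binds as the admin DN and reads only the base entry itself (1.1 = no
# attributes), so a wrong password, a failed TLS handshake or a missing
# base DN each make this fail.
check_base() {  # $1 = base DN, $2 = file holding the bind password
    # $(tls_flag ...) is unquoted on purpose: it expands to one flag or nothing.
    ldapsearch -x -LLL -H "ldap://$LDAP_HOST" $(tls_flag "$LDAP_TLS") \
        -D "$BIND_DN" -y "$2" -b "$1" -s base 1.1 >/dev/null
}

main() {  # $1 = password file (mode 0600, password with no trailing newline)
    if cleartext_bind_risk "$LDAP_HOST" "$LDAP_TLS"; then
        echo "WARNING: password for $BIND_DN would reach $LDAP_HOST unencrypted" >&2
    fi
    for base in "$USER_BASE" "$GROUP_BASE"; do
        if check_base "$base" "$1"; then
            echo "OK: $base"
        else
            echo "FAILED: $base"; return 1
        fi
    done
}

# Runs only when a password file is given, e.g. sh ldap-preflight.sh /root/.ldap-pw
if [ $# -ge 1 ]; then main "$1"; fi
```

Reading the password from a file with -y keeps it out of the process list and shell history; delete the file once the check passes.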

-- JamieCameron - 29 Mar 2007

Topic revision: r2 - 24 Feb 2008 - 05:30:33 - IvanGarcia
 