[K12OSN] smbldap and webmin on Debian

Craig White craig at tobyhouse.com
Thu Nov 8 17:25:25 UTC 2007


On Wed, 2007-11-07 at 21:59 -0500, Rob Owens wrote:
> On Wed, Nov 07, 2007 at 12:28:27PM -0700, Craig White wrote:
> > On Wed, 2007-11-07 at 13:45 -0500, Rob Owens wrote:
> > > I have a home installation of Debian Etch and have successfully used the
> > > smbldap-installer scripts.  I was never successful in getting webmin to
> > > work properly as far as adding/modifying users.  Does anybody have any
> > > success stories or advice for me? 
> > > 
> > > I think I must be missing some important settings in the "LDAP users and
> > > groups" module configuration.  Even if somebody could tell me "yes, I
> > > use smbldap and webmin on debian etch" but offer no advice, that would
> > > at least give me hope...
> > ----
> > I use it extensively and have left the setup behind for people to
> > maintain in clients offices as well.  It is my primary tool for
> > maintaining users/groups.
> > 
> > My personal observation is that some people expect these tools to just
> > work without actually having to learn/understand/use/recover ldap.
> > 
> > You got questions...post them up.
> > 
> > Personally, I think that if you haven't read 'LDAP System
> > Administration' by Gerald Carter, and cannot add/modify/delete using
> > ldapadd/ldapmodify/ldapdelete, cannot search from command line tool
> > ldapsearch, cannot backup & restore using command line slapcat/slapadd
> > has no business committing their authentication system to LDAP because
> > they are certain to demonstrate to their co-workers how vulnerable they
> > are.
> > 
> 
> I pretty much agree with you.  I am actually better at doing LDAP at the command line, but I'm trying to learn the GUI method so that I can teach it to "textophobes".
----
my experience is that once you are clear with the command line
issues...setting up GUI is a snap.
----
>   And even though we might agree that an admin who relies too heavily on a GUI is a failure, I think I'm a failure if I can't get webmin set up!
----
I didn't say a failure...I said making a mistake.

Underlying authentication system of PAM
& /etc/passwd, /etc/group, /etc/shadow has all of the security
necessary.

LDAP is not now, nor has ever been a one plan fits all and all the parts
and pieces are handled for you.

Getting webmin set up should be a snap if you can authenticate, query,
add/modify/delete from command line ldap client tools.

If you have questions getting it set up - please ask.
----
> 
> I have the book you mentioned and I've read most of it.  I'll probably read it at least one more time before I retain it all.  I have not learned how to back up and restore yet, and that's definitely something I need to learn before going beyond my simple home setup.  TLS is the other one...I think I've got it working but I'm not sure how to verify that it is actually encrypting the traffic.
----
#tail -n 1 /etc/syslog.conf
local4.*                         /var/log/slapd.log

add the above to your syslog.conf and restart syslog service
add loglevel 256 or whatever to slapd.conf and restart ldap

you will note 'ssf factors' in log

ssf factor = 0 means no security

http://www.openldap.org/faq/data/cache/185.html
http://www.openldap.org/faq/data/cache/1256.html

Craig
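
The log check described in the message above, as an added example that is not part of the original post: a Python sketch that reads slapd stats-level log lines and lists simple binds made on connections where no TLS layer was established. The log lines are constructed samples, the function names are hypothetical, and the line layout (`TLS established tls_ssf=N`, `BIND dn="..." mech=...`) is an assumption about what your OpenLDAP version writes.

```python
import re

# Constructed sample in slapd "stats" (loglevel 256) layout; host, IPs and DNs are made up.
SAMPLE_LOG = """\
Nov  8 10:12:01 ldap1 slapd[2411]: conn=12 fd=14 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Nov  8 10:12:01 ldap1 slapd[2411]: conn=12 op=0 STARTTLS
Nov  8 10:12:01 ldap1 slapd[2411]: conn=12 fd=14 TLS established tls_ssf=256 ssf=256
Nov  8 10:12:01 ldap1 slapd[2411]: conn=12 op=1 BIND dn="uid=rob,ou=Users,dc=example,dc=org" method=128
Nov  8 10:12:01 ldap1 slapd[2411]: conn=12 op=1 BIND dn="uid=rob,ou=Users,dc=example,dc=org" mech=SIMPLE ssf=0
Nov  8 10:12:05 ldap1 slapd[2411]: conn=13 fd=15 ACCEPT from IP=192.0.2.22:40112 (IP=0.0.0.0:389)
Nov  8 10:12:05 ldap1 slapd[2411]: conn=13 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
Nov  8 10:12:09 ldap1 slapd[2411]: conn=13 fd=15 closed
"""

CONN = re.compile(r"slapd\[\d+\]: conn=(\d+) (?:fd|op)=\d+ (.*)$")
ACCEPT = re.compile(r"ACCEPT from IP=(\S+)")
TLS = re.compile(r"TLS established tls_ssf=(\d+)")
BIND = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')  # completed bind line only


def audit_binds(log_text):
    """Return one record per completed bind with the TLS strength of its connection."""
    conns = {}  # conn id -> {"client": str, "tls_ssf": int}
    binds = []
    for line in log_text.splitlines():
        m = CONN.search(line)
        if not m:
            continue
        conn_id, rest = int(m.group(1)), m.group(2)
        state = conns.setdefault(conn_id, {"client": "?", "tls_ssf": 0})
        if (a := ACCEPT.match(rest)):
            # conn ids start over when slapd restarts, so reset state here
            conns[conn_id] = {"client": a.group(1), "tls_ssf": 0}
        elif (t := TLS.match(rest)):
            state["tls_ssf"] = int(t.group(1))
        elif (b := BIND.match(rest)):
            binds.append({"conn": conn_id, "client": state["client"],
                          "dn": b.group(1), "mech": b.group(2),
                          "tls_ssf": state["tls_ssf"]})
        elif rest.startswith("closed"):
            conns.pop(conn_id, None)
    return binds


def cleartext_binds(log_text):
    """Simple binds with a DN (a password was sent) on a connection with tls_ssf == 0."""
    return [b for b in audit_binds(log_text)
            if b["mech"] == "SIMPLE" and b["dn"] and b["tls_ssf"] == 0]
```

The value that matters here is the connection's `tls_ssf`; under the assumed layout the `ssf=0` on a `mech=SIMPLE` bind line appears even on a TLS-protected connection, so it is not used as the indicator.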




