Quick and dirty user management service for Linux VMs?

Background
I have a home server running Debian, and a workstation that runs various VirtualBox VMs (mostly Linuxen but some Windows).

At the moment, I'm creating my main user account anew for every new Linux VM. I'd like to make use of a centralized user-management scheme instead, so I can just configure the new VMs for the directory technology and let them handle user lookups automatically.

The last time I worked with anything like this, NIS+ was still in fashion. I have a vague notion of what LDAP and Active Directory are, but no knowledge of how to configure them for what I want.

Question
What user-management/network-directory technology should I use for providing user accounts to my network?

  • The server must run on Debian Lenny.
  • Client configuration should be simple point-at-server-and-go.
  • I need an example configuration for one sample user account.
  • (nice-to-have) I may want to mount the user's home directory from the server.
  • (nice-to-have) The same configuration works with Windows clients.

quack quixote

Posted 2010-04-25T07:24:12.547

Reputation: 37 382

i know most LDAP/ActiveDirectory/NIS questions are on ServerFault already, but from a home-/power-user standpoint this might be better here. – quack quixote – 2010-04-25T07:44:20.470

I can give a thumbs up for LDAP with Linux and OS X, but I've not tried it with Windows. – Ignacio Vazquez-Abrams – 2010-04-25T08:04:43.103

Perhaps this can be a starting point http://www.debuntu.org/ldap-server-and-linux-ldap-clients I can't give a better answer, I have no clue as to how to go about this. – Sathyajith Bhat – 2010-04-28T21:50:34.357

Answers

I tried to do this quite some time ago. OpenLDAP stored my user accounts and automounts, phpldapadmin was used to manage everything.

I can't comment on the current state of phpldapadmin, but at the time I used it, it was pretty basic. What I liked about it, though, was that it had simple templates to create different kinds of LDAP entries (Unix/Samba accounts, automount directories, etc.), so this made my life a lot easier, because at first I had to create those entries manually and they would consist of quite a few fields with non-obvious names. Plus, phpldapadmin allowed me to just mess around in the database if that was needed (and I needed that quite often) and was easy to install.

Whenever I would set up a new machine I had to do three things to get everything working with LDAP:

  1. Make the system aware of my LDAP server by entering its IP in the file /etc/ldap/ldap.conf (I also had to install a package like openldap-utils to get the basic client functionality I needed).
  2. Tell PAM that it should authenticate users against my LDAP server by editing a bunch of files in /etc/pam.d.
  3. Tell the system where it could actually find out about UIDs, GIDs, automounts, etc. (only logging in is not enough; the system needs to know, for example, the name of the user, or to which groups he belongs) by installing and configuring a thing called libnss-ldap. For that I had to edit two files called libnss-ldap.conf and nsswitch.conf.

As I said it was quite some time ago that I used to use that, so maybe things are different now, or I forgot about some things/recall them wrong. I remember having some sort of script that made everything a little easier but still the whole thing wasn't really that straightforward.

Still, it worked pretty well, and once you get the hang of it, it'll make things a lot easier if you're using many different machines with lots of users. All your configurations will be done in a central place and you'll instantly have them on every new machine.

rakete

Posted 2010-04-25T07:24:12.547

Reputation: 373
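The three client-side steps in the answer above, plus the "example configuration for one sample user account" the question asks for, as an added example that is not rakete's code and was not part of the original thread. It assumes an invented layout (base DN dc=home,dc=lan, server 192.168.1.10, users under ou=People, groups under ou=Groups, a user "alice") and writes everything into a staging directory rather than into /etc, so it can be run and inspected before anything is copied onto a real client:

```shell
#!/bin/sh
# Added example, not from the original answer. Renders the client files the
# answer lists (/etc/ldap/ldap.conf, /etc/libnss-ldap.conf, nsswitch.conf) and
# an LDIF for one sample user. All names below are assumptions for illustration.
LDAP_URI="${LDAP_URI:-ldap://192.168.1.10/}"
BASE_DN="${BASE_DN:-dc=home,dc=lan}"

# Step 1: /etc/ldap/ldap.conf, read by the ldap-utils tools (ldapsearch etc.).
render_ldap_conf() {
    printf 'URI %s\nBASE %s\n' "$LDAP_URI" "$BASE_DN"
}

# Step 3: /etc/libnss-ldap.conf for the NSS module (pam_ldap.conf takes the
# same directives). The TLS lines are commented out because they need the
# server's CA certificate; without them binds and hashes cross the LAN in clear.
render_libnss_ldap_conf() {
    cat <<EOF
uri $LDAP_URI
base $BASE_DN
ldap_version 3
nss_base_passwd ou=People,$BASE_DN?one
nss_base_group ou=Groups,$BASE_DN?one
#ssl start_tls
#tls_cacertfile /etc/ssl/certs/home-ca.pem
EOF
}

# Step 3, nsswitch.conf: append "ldap" to passwd/group/shadow, keeping
# files/compat first so root still resolves locally when the server is down.
# Filters stdin to stdout and is idempotent (a second run changes nothing).
enable_ldap_in_nsswitch() {
    sed -E -e '/^(passwd|group|shadow):/{' \
           -e '/[[:space:]]ldap([[:space:]]|$)/!s/$/ ldap/' \
           -e '}'
}

# Sample account: posixAccount + shadowAccount entry plus its private group.
# $1 login, $2 numeric uid (reused as gid), $3 full name, $4 password hash
# produced by `slappasswd -s ...` (never a cleartext userPassword).
render_user_ldif() {
    cat <<EOF
dn: uid=$1,ou=People,$BASE_DN
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $1
cn: $3
sn: ${3##* }
uidNumber: $2
gidNumber: $2
homeDirectory: /home/$1
loginShell: /bin/bash
userPassword: $4

dn: cn=$1,ou=Groups,$BASE_DN
objectClass: top
objectClass: posixGroup
cn: $1
gidNumber: $2
memberUid: $1
EOF
}

# Write everything under $1 (default: a fresh temp dir), taking the current
# nsswitch.conf from $2. Copy the results into /etc by hand after review.
stage_client_config() {
    dir="${1:-$(mktemp -d)}"
    nss_src="${2:-/etc/nsswitch.conf}"
    mkdir -p "$dir/ldap"
    render_ldap_conf > "$dir/ldap/ldap.conf"
    render_libnss_ldap_conf > "$dir/libnss-ldap.conf"
    enable_ldap_in_nsswitch < "$nss_src" > "$dir/nsswitch.conf"
    render_user_ldif alice 10001 "Alice Example" \
        '{SSHA}REPLACE_WITH_slappasswd_OUTPUT' > "$dir/alice.ldif"
    echo "$dir"
}
```

Run `stage_client_config /tmp/ldap-client` on the new VM, diff the staged files against /etc, then `ldapadd -x -D cn=admin,dc=home,dc=lan -W -f alice.ldif` once on the server (the admin DN is another assumption). Two things worth checking before trusting the result: `getent passwd alice` on the client should return the entry from LDAP with nothing in the local /etc/passwd, and, because the uri above is plain ldap://, the `ssl start_tls` line should be enabled as soon as the server has a certificate, otherwise every password bind from a VM is sniffable on the LAN.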

thanks for the response. i figured setting up the clients would be roughly what you describe. i'd like to see details on a basic server configuration, because i'm a heavy tweak-it-by-commandline user, but using a management tool like phpldapadmin is a good tip. welcome to super user! – quack quixote – 2010-05-08T01:10:38.630

btw, you say you used to use this kind of thing; did you migrate to something else or just nix your central-user-mgmt entirely? – quack quixote – 2010-05-08T01:12:14.323

I used to do sysadmin stuff at my uni and my home was my testbed for stuff I did at work. At one point I just stopped being a total linux nerd with dozens of machines in my little apartment and just threw out all of them but a few and the need for my LDAP setup vanished. – rakete – 2010-05-08T01:29:35.623

heh. yeah, that makes sense. :) – quack quixote – 2010-05-08T02:48:40.523