Jeff Falgout
2005-Jun-06 21:15 UTC
[Fedora-directory-users] Automatically incrementing uidNumber
Greetings -

I've been moving right along with the new release of fedora-ds on rhel4 using the downloaded 7.1 rpm. I'm hoping that I just missed this, but is there a way to automatically increment the uidNumber for posix accounts - so when a new posix user gets created, the next uidNumber gets assigned to the new user? I accomplished this with phpLdapAdmin and openldap - phpLdapAdmin had a function that would search for the highest uidNumber and increment it by 1 and populate the uidNumber attribute. If this doesn't exist yet, is there any chance of making that a feature request - either that or a uidNumber pool which keeps track of the last uidNumber used.

Thanks
Jeff
Rich Megginson
2005-Jun-06 21:31 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Jeff Falgout wrote:

>Greetings -
>
>I've been moving right along with the new release of fedora-ds on rhel4
>using the downloaded 7.1 rpm. I'm hoping that I just missed this, but is
>there a way to automatically increment the uidNumber for posix accounts -
>so when a new posix user gets created, the next uidNumber gets assigned
>to the new user? I accomplished this with phpLdapAdmin and openldap -
>phpLdapAdmin had a function that would search for the highest uidNumber and
>increment it by 1 and populate the uidNumber attribute. If this doesn't
>exist yet, is there any chance of making that a feature request - either
>that or a uidNumber pool which keeps track of the last uidNumber used.
>

This sounds like a function of phpLdapAdmin, not the LDAP server. I haven't used phpLdapAdmin, but if it works with Fedora DS, then you should be able to use that feature as well.

>Thanks
>Jeff
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users@redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
Jeff Falgout
2005-Jun-06 21:39 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Rich Megginson said:

> Jeff Falgout wrote:
>
>>Greetings -
>>
>>I've been moving right along with the new release of fedora-ds on rhel4
>>using the downloaded 7.1 rpm. I'm hoping that I just missed this, but is
>>there a way to automatically increment the uidNumber for posix accounts -
>>so when a new posix user gets created, the next uidNumber gets assigned
>>to the new user? I accomplished this with phpLdapAdmin and openldap -
>>phpLdapAdmin had a function that would search for the highest uidNumber and
>>increment it by 1 and populate the uidNumber attribute. If this doesn't
>>exist yet, is there any chance of making that a feature request - either
>>that or a uidNumber pool which keeps track of the last uidNumber used.
>>
> This sounds like a function of phpLdapAdmin, not the LDAP server. I
> haven't used phpLdapAdmin, but if it works with Fedora DS, then you
> should be able to use that feature as well.

Any chance of making this a function of the console? I'd rather use the console - as it does almost everything needed and then some. I haven't had much luck getting phpLdapAdmin working with fedora-ds (I've had some objectclass violations when creating new users - haven't spent much time trying to figure that out as I like the console much better).
Rich Megginson
2005-Jun-06 22:14 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Jeff Falgout wrote:

>Rich Megginson said:
>
>>Jeff Falgout wrote:
>>
>>>Greetings -
>>>
>>>I've been moving right along with the new release of fedora-ds on rhel4
>>>using the downloaded 7.1 rpm. I'm hoping that I just missed this, but is
>>>there a way to automatically increment the uidNumber for posix accounts -
>>>so when a new posix user gets created, the next uidNumber gets assigned
>>>to the new user? I accomplished this with phpLdapAdmin and openldap -
>>>phpLdapAdmin had a function that would search for the highest uidNumber and
>>>increment it by 1 and populate the uidNumber attribute. If this doesn't
>>>exist yet, is there any chance of making that a feature request - either
>>>that or a uidNumber pool which keeps track of the last uidNumber used.
>>>
>>This sounds like a function of phpLdapAdmin, not the LDAP server. I
>>haven't used phpLdapAdmin, but if it works with Fedora DS, then you
>>should be able to use that feature as well.
>>
>
>Any chance of making this a function of the console? I'd rather use the
>console - as it does almost everything needed and then some.
>

Ok, I see. Sure. I would love to get a list of features of other LDAP administration tools that are not supported by the Fedora DS console.
1) Support auto-increment of uidNumber (other attributes? gidNumber?)
2) Support for shadowAccount host based access restriction (feature of DirectoryAdministrator)

>I haven't had
>much luck getting phpLdapAdmin working with fedora-ds (I've had some
>objectclass violations when creating new users - haven't spent much time
>trying to figure that out as I like the console much better).
>

I'd like to get this working - can you post the error messages you're seeing? And access and errors log.

>--
>Fedora-directory-users mailing list
>Fedora-directory-users@redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
Jeff Falgout
2005-Jun-06 22:23 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
>>>This sounds like a function of phpLdapAdmin, not the LDAP server. I
>>>haven't used phpLdapAdmin, but if it works with Fedora DS, then you
>>>should be able to use that feature as well.
>>>
>>Any chance of making this a function of the console? I'd rather use the
>>console - as it does almost everything needed and then some.
>>
> Ok, I see. Sure. I would love to get a list of features of other LDAP
> administration tools that are not supported by the Fedora DS console.
> 1) Support auto-increment of uidNumber (other attributes? gidNumber?)
> 2) Support for shadowAccount host based access restriction (feature of
> DirectoryAdministrator)

For gidNumber, are you thinking along the lines of the way a normal Red Hat system creates a user, the same gid as the uid, vs a Suse box that creates a user with a unique uid, but a common gid of 100 (users)? I'm all for the Red Hat way - maybe a configurable option.

>>I haven't had
>>much luck getting phpLdapAdmin working with fedora-ds (I've had some
>>objectclass violations when creating new users - haven't spent much time
>>trying to figure that out as I like the console much better).
>>
> I'd like to get this working - can you post the error messages you're
> seeing? And access and errors log.

I'll get working on this again and post the errors, schema, etc.

This is pretty cool stuff!!
Jeff Falgout
2005-Jun-07 16:17 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
> Ok, I see. Sure. I would love to get a list of features of other LDAP
> administration tools that are not supported by the Fedora DS console.
> 1) Support auto-increment of uidNumber (other attributes? gidNumber?)
> 2) Support for shadowAccount host based access restriction (feature of
> DirectoryAdministrator)
>
>>I haven't had
>>much luck getting phpLdapAdmin working with fedora-ds (I've had some
>>objectclass violations when creating new users - haven't spent much time
>>trying to figure that out as I like the console much better).
>>
> I'd like to get this working - can you post the error messages you're
> seeing? And access and errors log.

A simple change in phpLdapAdmin allowed me to create a posix user in fedora-ds. In the templates/creation directory, edit the file new_user_template.php, search for 'value="gn"' and replace it with 'value="givenname"'.

I'm also using groupOfUniqueNames for authentication via pam - I had to create a group using the custom template, selecting the groupOfUniqueNames objectclass and then skipped adding members to the group until after the object was created. When I tried to add members to the new group, the template for groupofnames was loaded, not groupofuniquenames, so when you add a member, it creates a value for the attribute member (not uniqueMember). I hacked the file templates/modification/group_of_names.php. Around line 21, " $attr_name 'member'; " I replaced member with uniqueMember - a hack, I know, but it worked. Now I can create the initial member as a uniqueMember.

That's as far as I've gotten.

Jeff
Rich Megginson
2005-Jun-07 17:03 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Thanks. I've taken this information and created a How-To for phpLdapAdmin: http://directory.fedora.redhat.com/wiki/Howto:phpLdapAdmin

Jeff Falgout wrote:

>>Ok, I see. Sure. I would love to get a list of features of other LDAP
>>administration tools that are not supported by the Fedora DS console.
>>1) Support auto-increment of uidNumber (other attributes? gidNumber?)
>>2) Support for shadowAccount host based access restriction (feature of
>>DirectoryAdministrator)
>>
>>>I haven't had
>>>much luck getting phpLdapAdmin working with fedora-ds (I've had some
>>>objectclass violations when creating new users - haven't spent much time
>>>trying to figure that out as I like the console much better).
>>>
>>I'd like to get this working - can you post the error messages you're
>>seeing? And access and errors log.
>>
>
>A simple change in phpLdapAdmin allowed me to create a posix user in
>fedora-ds. In the templates/creation directory, edit the file
>new_user_template.php, search for 'value="gn"' and replace it with
>'value="givenname"'.
>
>I'm also using groupOfUniqueNames for authentication via pam - I had to
>create a group using the custom template, selecting the groupOfUniqueNames
>objectclass and then skipped adding members to the group until after the
>object was created. When I tried to add members to the new group, the
>template for groupofnames was loaded, not groupofuniquenames, so when you
>add a member, it creates a value for the attribute member (not
>uniqueMember). I hacked the file
>templates/modification/group_of_names.php. Around line 21, " $attr_name
>'member'; " I replaced member with uniqueMember - a hack, I know, but it
>worked. Now I can create the initial member as a uniqueMember.
>
>That's as far as I've gotten.
>
>Jeff
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users@redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
Mike Jackson
2005-Jun-07 21:46 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Jeff Falgout wrote:

> Greetings -
>
> I've been moving right along with the new release of fedora-ds on rhel4
> using the downloaded 7.1 rpm. I'm hoping that I just missed this, but is
> there a way to automatically increment the uidNumber for posix accounts -
> so when a new posix user gets created, the next uidNumber gets assigned
> to the new user? I accomplished this with phpLdapAdmin and openldap -
> phpLdapAdmin had a function that would search for the highest uidNumber and
> increment it by 1 and populate the uidNumber attribute. If this doesn't
> exist yet, is there any chance of making that a feature request - either
> that or a uidNumber pool which keeps track of the last uidNumber used.

Until this is supported in the console, you can use a command line tool I wrote:

http://netauth.com/~jacksonm/code/newuser.pl.txt

It supports uid uniqueness checking and specified or auto-incrementing uidnumber, as well as specified or auto-incrementing gidnumber.

It even hashes the user's password before sending it over-the-wire, but it doesn't encrypt the bind password. If you have SSL turned on on your LDAP server, you could just use stunnel or you could modify that script to use SSL. It's pretty simple, just change this:

    my $ldap = Net::LDAP->new($SERVER)

to this:

    my $ldap = Net::LDAPS->new($SERVER)

BR,
Mike

--
LDAP Directory Consulting - http://www.netauth.com
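The two allocation schemes raised in this thread (search for the highest uidNumber and add 1, versus a pool that records the last uidNumber used) behave differently when two administrators create users at the same moment, and two accounts that end up with the same uidNumber are the same user as far as file ownership is concerned. The following is an added example, not code from the thread or from newuser.pl: `ToyDirectory`, its pool counter and every function name are assumptions, and `swap_counter` stands in for a single LDAP modify that deletes the old value and adds the new one.

```python
# Added example, not code from the thread: an in-memory model of a directory.
class NoSuchAttribute(Exception):
    """Models LDAP result noSuchAttribute (16): value to delete was absent."""

class ToyDirectory:
    """Constructed stand-in for an LDAP server; entry names are hypothetical."""
    def __init__(self, users, next_uid):
        self.users = dict(users)   # uid -> uidNumber of existing posix accounts
        self.counter = next_uid    # uidNumber stored on a hypothetical pool entry

    def highest_uid_number(self):
        return max(self.users.values())

    def add_user(self, uid, uid_number):
        # Modelled as a plain add: nothing rejects a duplicate uidNumber.
        self.users[uid] = uid_number

    def swap_counter(self, old, new):
        # One modify carrying "delete: old" and "add: new", applied atomically.
        if self.counter != old:
            raise NoSuchAttribute(old)
        self.counter = new

def search_max_race(directory, new_uids):
    """Every client searches before any client adds: all pick the same number."""
    picks = [directory.highest_uid_number() + 1 for _ in new_uids]
    for uid, number in zip(new_uids, picks):
        directory.add_user(uid, number)
    return picks

def allocate_from_pool(directory, seen=None, max_tries=5):
    """Claim the counter value; `seen` lets a caller replay a stale read."""
    for _ in range(max_tries):
        if seen is None:
            seen = directory.counter
        try:
            directory.swap_counter(seen, seen + 1)
            return seen
        except NoSuchAttribute:
            seen = None            # someone else advanced the pool: re-read
    raise RuntimeError("uidNumber pool too contended")

def pool_race(directory):
    """Client A reads, client B allocates in between, then A finishes."""
    stale = directory.counter
    b = allocate_from_pool(directory)
    a = allocate_from_pool(directory, seen=stale)
    return a, b
```

With the search-and-increment scheme both new users receive the same number; with the pool, the client holding the stale value has its modify rejected, re-reads and receives the next free number.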
Mike Jackson
2005-Jun-07 21:51 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Rich Megginson wrote:

> Ok, I see. Sure. I would love to get a list of features of other LDAP
> administration tools that are not supported by the Fedora DS console.
> 1) Support auto-increment of uidNumber (other attributes? gidNumber?)
> 2) Support for shadowAccount host based access restriction (feature of
> DirectoryAdministrator)

I am the current maintainer of that Directory Administrator project, btw .. Perhaps DA could be modified to handle some FDS administration tasks.

I also do have some desire to work on the FDS console features, but not as long as it's in Java!!! The only thing I have to do with Java is drinking 6 cups a day of it.

BR,
Mike

--
LDAP Directory Consulting - http://www.netauth.com
Rich Megginson
2005-Jun-07 21:56 UTC
Re: [Fedora-directory-users] Automatically incrementing uidNumber
Mike Jackson wrote:

> Rich Megginson wrote:
>
>> Ok, I see. Sure. I would love to get a list of features of other
>> LDAP administration tools that are not supported by the Fedora DS
>> console.
>> 1) Support auto-increment of uidNumber (other attributes? gidNumber?)
>> 2) Support for shadowAccount host based access restriction (feature
>> of DirectoryAdministrator)
>
> I am the current maintainer of that Directory Administrator project,
> btw .. Perhaps DA could be modified to handle some FDS administration
> tasks.

Sure. At least make sure its current functionality works well with FDS.

> I also do have some desire to work on the FDS console features, but
> not as long as it's in Java!!! The only thing I have to do with Java
> is drinking 6 cups a day of it.

Heh.

> BR,
> Mike