Ok, I've got a Samba/LDAP PDC built. I've got my groups added and even have users in those groups. But now I have a few administrative questions. If these questions have simple answers, be gentle - I'm a newbie.

1). How do I/Can I script the installation of a generic password into these accounts? I'm looking to put some common password in for all users and then allow the users to change it once they log into the new server/domain. I don't see a method of doing so with 'smbldap-passwd.pl'.

2). I used the following command to add all of my users to the LDAP Directory:

'smbldap-useradd.pl -a -m -A 1 -G <group1>,<group2> >username<'

This successfully created the users, their home folders and placed them in their groups, but it did not change the value for "pwdCanChange" in the LDAP directory, as shown by 'smbldap-usershow.pl'. I want the users to be able to change their own passwords - at any time - is there something I did wrong when creating the user account?

3). I want every user's password to expire on a 90-cycle. I think I see a slot in the LDAP directory for such an option - pwdMustChange, but by default is set to a huge number - 2147483647. First, what number does that represent? Seconds? Minutes? Days? Months? I've watched it for the past week and it hasn't changed. Which leads me to my next question, will changing this number to "O" actually cause the respective password to expire? Will setting this number to "90" (or what ever representation needed) allow a 90 day cycle? If not, what must I do to have this 90 day cycle?

4). By default, there are fields in the directory for "displayName" and "description" that are both set to "System User". Can I change either/both (at least "description") to what ever I want while creating the user account? I couldn't find a switch in 'smbldap-useradd.pl' to allow that. I guess I could script it using 'smbldap-usermod.pl', but would prefer it to be done as one step.

--
Kevin L. Collins, MCSE
Systems Manager
Nesbitt Engineering, Inc.

NSC - NetworkServiceCenter
2003-Jun-03 08:57 UTC
[Samba] Samba+LDAP PDC - A few questions.

hi kevin,

> 1). How do I/Can I script the installation of a generic password into
> these accounts? I'm looking to put some common password in for all
> users and then allow the users to change it once they log into the new
> server/domain. I don't see a method of doing so with
> 'smbldap-passwd.pl'.

write your own shellscript that uses smbldap-useradd.pl, add the features you need and use this script to create user!

> 2). I used the following command to add all of my users to the LDAP
> Directory:
>
> 'smbldap-useradd.pl -a -m -A 1 -G <group1>,<group2> >username<'
>
> This successfully created the users, their home folders and placed them
> in their groups, but it did not change the value for "pwdCanChange" in
> the LDAP directory, as shown by 'smbldap-usershow.pl'. I want the users
> to be able to change their own passwords - at any time - is there
> something I did wrong when creating the user account?

sorry, but i don't know smbldap-useradd.pl - i wrote my own admintools!

> 3). I want every user's password to expire on a 90-cycle. I think I
> see a slot in the LDAP directory for such an option - pwdMustChange,
> but by default is set to a huge number - 2147483647. First, what
> number does that represent? Seconds? Minutes? Days? Months? I've
> watched it for the past week and it hasn't changed. Which leads me to
> my next question, will changing this number to "O" actually cause the
> respective password to expire? Will setting this number to "90" (or
> what ever representation needed) allow a 90 day cycle? If not, what
> must I do to have this 90 day cycle?

this number is a unix timestamp - the seconds since 1.1.1970! the solution is: enable passwordsync and as program use a shellscript that creates the timestamp (90 days are 7776000 seconds) and insert this with ldapmodify into the attr pwdMustChange of the user!

-> let DAYINFUTURE=$(/bin/date +%s)+7776000

> 4). By default, there are fields in the directory for "displayName" and
> "description" that are both set to "System User". Can I change
> either/both (at least "description") to what ever I want while creating
> the user account? I couldn't find a switch in 'smbldap-useradd.pl' to
> allow that. I guess I could script it using 'smbldap-usermod.pl', but
> would prefer it to be done as one step.

sorry, but once again: i don't know smbldap-useradd.pl - i wrote my own admintools and they do what i want ;-)

i hope it was a little help

greetings
thomas reisenbichler
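
The approach suggested in the reply above (a timestamp 90 days ahead, written to pwdMustChange with ldapmodify), as an added example that is not part of the original thread. The function names, `BASE_DN` and the `uid=<name>,<base>` entry layout are assumptions, as is the cap at 2147483647 (the largest signed 32-bit value, which is the default seen in the question).

```shell
#!/bin/sh
# Added example: emit the LDIF that sets pwdMustChange to now + N days.
# Pipe the output into ldapmodify, e.g.
#   must_change_ldif jdoe | ldapmodify -x -D "<bind DN>" -y <password file>

BASE_DN="ou=Users,dc=example,dc=org"   # hypothetical; adjust to your tree
MAX_TS=2147483647                       # 2^31-1, the default value in the thread

# is_uint VALUE -> success only for a non-negative decimal without leading zeros
is_uint() {
    case "$1" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;
    esac
    return 0
}

# expiry_ts NOW DAYS -> prints NOW + DAYS*86400, capped at MAX_TS
# (assumption: the attribute is handled as a signed 32-bit time value)
expiry_ts() {
    if ! is_uint "$1" || ! is_uint "$2"; then
        echo "expiry_ts: numeric NOW and DAYS required" >&2
        return 1
    fi
    ts=$(( $1 + $2 * 86400 ))
    if [ "$ts" -gt "$MAX_TS" ]; then
        ts=$MAX_TS
    fi
    echo "$ts"
}

# must_change_ldif USER [DAYS] [NOW] -> prints an LDIF modify record
must_change_ldif() {
    user=$1
    days=${2:-90}
    now=${3:-$(date +%s)}
    # The user name arrives from the password-sync hook. Accept only a
    # conservative alphabet so it cannot add LDIF lines or DN components.
    case "$user" in
        ''|*[!A-Za-z0-9._-]*)
            echo "must_change_ldif: rejected user name" >&2
            return 1 ;;
    esac
    ts=$(expiry_ts "$now" "$days") || return 1
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: pwdMustChange\npwdMustChange: %s\n' \
        "$user" "$BASE_DN" "$ts"
}

# Run stand-alone: ./script USER [DAYS] [NOW]
if [ "$#" -ge 1 ]; then
    must_change_ldif "$@"
fi
```
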