3. Using LDAP for User Accounts
Introduction
On a Unix system, information about local users is stored in the /etc/passwd file. It is a text file that every user can read but only the superuser can edit. Users' password hashes are stored in /etc/shadow, which is readable only by the superuser. Information about groups is stored in /etc/group.
This storage method has its limitations: migrating users between machines is cumbersome, the set of attributes is fixed, it does not scale to many hosts, etc. However, with NSS (Name Service Switch) for account lookup and PAM (Pluggable Authentication Modules) for authentication, you can integrate other account sources into a UNIX system, including LDAP (Lightweight Directory Access Protocol).
Configure a Unix server
You can perform the configuration with the cl-setup tool included in the calculate-server package from the Calculate 2 utilities. To do this, run as root:
cl-setup unix
Once this is done, the user accounts stored in the LDAP server database that have system IDs will be visible to the system.
Add and remove users
Note that once the LDAP server has been set up as the repository for Unix user accounts, you must use the alternative commands to manage users: the standard tools only modify the local /etc/passwd, /etc/shadow and /etc/group files and never touch the directory.
Instead of the usual commands useradd (adduser), userdel, usermod, passwd, groupadd, groupdel and groupmod, use the alternatives cl-useradd, cl-userdel, cl-usermod, cl-passwd, cl-groupadd, cl-groupdel and cl-groupmod. The syntax of these commands is largely the same as that of the originals.
Example: adding a user named test
cl-useradd test unix
Example: changing the password of the user test
cl-passwd test unix
Note the trailing unix argument: it has to be appended to each of these commands.
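As an added example (not part of the Calculate documentation or of the cl-setup and cl-useradd utilities), the following POSIX shell checks confirm after cl-setup unix that NSS actually consults LDAP and that an account such as test is resolved from the directory rather than from the local passwd file. It assumes a glibc-style /etc/nsswitch.conf and a working getent(1); the account name, default test, and the file paths are parameters, not values taken from the page.

```shell
#!/bin/sh
# Added example: not part of the Calculate documentation or of the cl-setup /
# cl-useradd utilities. Post-setup checks for an LDAP-backed Unix account store.
# Assumes a glibc-style /etc/nsswitch.conf and a working getent(1).

# nss_uses_ldap DATABASE [NSSWITCH_FILE]
# Succeeds (exit 0) if the NSS database (passwd, group or shadow) lists
# "ldap" among its sources, e.g. "passwd: files ldap"; fails otherwise.
nss_uses_ldap() {
    db=$1
    file=${2:-/etc/nsswitch.conf}
    [ -r "$file" ] || return 1
    # Drop comments, then look for an "ldap" token on the line for this database.
    sed 's/#.*//' "$file" | awk -F: -v db="$db" '
        {
            gsub(/[ \t]+/, "", $1)
            if ($1 != db) next
            n = split($2, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] == "ldap") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# account_source NAME [PASSWD_FILE]
# Prints "local" if NAME is listed in the passwd file, "external" if NSS
# resolves it but the file does not list it (the LDAP case after
# cl-setup unix), or "missing" if nothing resolves it.
account_source() {
    name=$1
    passwd_file=${2:-/etc/passwd}
    if awk -F: -v n="$name" '$1 == n { f = 1 } END { exit f ? 0 : 1 }' \
            "$passwd_file" 2>/dev/null; then
        echo local
    elif getent passwd "$name" >/dev/null 2>&1; then
        echo external
    else
        echo missing
    fi
}

# Stand-alone report for the account named on the command line (default: test,
# the user created in the example above).
for db in passwd group shadow; do
    if nss_uses_ldap "$db"; then echo "$db: ldap"; else echo "$db: no ldap"; fi
done
echo "${1:-test}: $(account_source "${1:-test}")"
```

A result of "external" only shows that the account does not come from the local file; it is the nss_uses_ldap check on passwd, group and shadow that ties the lookup to the directory. If shadow is still served only from files, LDAP users will be listed by getent but password authentication will fail.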