
Thread: LDAP Authentication: Account Management

  1. #1
    Join Date
    Jun 2011
    Beans
    22

    Question LDAP Authentication: Account Management

    I have two questions concerning PAM and authenticating against LDAP. I am trying to make it so that the creation and deletion of user accounts requires little effort on the admin's part.

    My first question: is there a way that I can delete the user's home directory automatically when they are removed from LDAP?

    The second question: is there a way to run a script when the user first logs in? The purpose of the script is to move files to the user's home directory to help them get started.
    Last edited by dr1134; December 19th, 2012 at 02:12 PM.

  2. #2
    Join Date
    Jun 2011
    Beans
    22

    Re: LDAP Authentication: Account Management

    I solved my second question using the /etc/skel directory. Now all I need is to find out how to auto-delete users' home folders.
    Last edited by dr1134; December 24th, 2012 at 11:26 PM.

  3. #3
    Join Date
    Apr 2007
    Location
    Glasgow
    Beans
    308
    Distro
    Ubuntu

    Re: LDAP Authentication: Account Management

    A common way to do this in most UNIX environments is that the sysadmins create a script for handling all actions required around adding or removing a user, specific to that environment or organisation.

    With Ubuntu you don't really need to roll your own - it has always come with one of these scripts out of the box (adduser / deluser - configured via the /etc/adduser.conf and /etc/deluser.conf files respectively). You can add extra commands to them (check the man pages, your commands go in a file under /usr/local/bin) so they allow you to cover most use cases.

    Whether you reuse these or roll your own is up to you, but in case it helps, here are some common tasks performed in a custom deluser:

    • Archive the user's home directory (zip it and move it, or just chmod a-rwx it)
    • Delete any files owned by that user in any /tmp, /var/tmp or /scratch partitions
    • Disable any cron or at jobs
    • Lock the account password, remove any ssh keys

    These actions can become more involved in some environments: e.g. your users' home dirs are NFS mounted and you can only do the home dir archiving from a specific host which is able to mount the NFS share with no_root_squash, but hopefully the ideas above are enough to get you going.
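An added example, not from this thread and not part of Ubuntu's adduser package: a hypothetical deluser.local hook that carries out the four tasks listed above. The deluser man page documents the hook path as /usr/local/sbin/deluser.local; deluser runs it, if it exists and is executable, after the account has been removed, passing username, uid, gid and home. The script assumes REMOVE_HOME is left at 0 in /etc/deluser.conf (otherwise the home directory is already gone when the hook runs), and /var/archive/homes is an assumed archive location. Every path is overridable through environment variables so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/deluser.local (added example, not Ubuntu's code).
# deluser(8) calls it after the account is removed with: username uid gid home
# Assumes REMOVE_HOME=0 so the home directory still exists at this point.
set -eu

ARCHIVE_DIR="${ARCHIVE_DIR:-/var/archive/homes}"        # assumed location
TMP_DIRS="${TMP_DIRS:-/tmp /var/tmp /scratch}"          # scratch areas from the post
CRON_SPOOL="${CRON_SPOOL:-/var/spool/cron/crontabs}"    # Debian/Ubuntu crontab spool
AT_SPOOL="${AT_SPOOL:-/var/spool/cron/atjobs}"          # Debian/Ubuntu at spool

log() { logger -t deluser.local -- "$*" 2>/dev/null || printf 'deluser.local: %s\n' "$*" >&2; }

# 1. Archive the home directory as an owner-only tarball; prints the archive path.
archive_home() {
    user="$1" home="$2"
    [ -d "$home" ] || { log "no home directory for $user at $home"; return 0; }
    mkdir -p "$ARCHIVE_DIR"
    archive="$ARCHIVE_DIR/${user}-$(date +%Y%m%d).tar.gz"
    tar -czf "$archive" -C "$(dirname "$home")" "$(basename "$home")"
    chmod 0600 "$archive"
    log "archived $home to $archive"
    printf '%s\n' "$archive"
}

# 2. Strip SSH keys from the live directory so that reopening or restoring it
#    cannot silently re-grant access (the archive keeps a copy for audit).
remove_ssh_keys() {
    home="$1"
    rm -f "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"
}

# 3. Make the live directory inaccessible (the post's "chmod a-rwx" option):
#    a mode of 0000 on the top level blocks every non-root path beneath it.
lock_home() {
    chmod 0000 "$1"
}

# 4. Delete scratch files by numeric uid: the name no longer resolves once the
#    passwd entry is gone. -xdev keeps find on the partition it was given.
remove_tmp_files() {
    uid="$1"
    for d in $TMP_DIRS; do
        [ -d "$d" ] || continue
        find "$d" -xdev -mindepth 1 -uid "$uid" -delete \
            || log "some files under $d owned by uid $uid could not be removed"
    done
}

# 5. Drop scheduled jobs. "crontab -r -u" fails for an unknown user, so the
#    spool files are handled directly; the crontab itself is kept with the archive.
remove_scheduled_jobs() {
    user="$1" uid="$2"
    if [ -f "$CRON_SPOOL/$user" ]; then
        mkdir -p "$ARCHIVE_DIR"
        mv "$CRON_SPOOL/$user" "$ARCHIVE_DIR/${user}.crontab"
    fi
    if [ -d "$AT_SPOOL" ]; then
        find "$AT_SPOOL" -mindepth 1 -uid "$uid" -delete \
            || log "some at jobs for uid $uid could not be removed"
    fi
    return 0
}

main() {
    user="$1" uid="$2" gid="$3" home="$4"
    archive_home "$user" "$home" >/dev/null
    remove_ssh_keys "$home"
    lock_home "$home"
    remove_tmp_files "$uid"
    remove_scheduled_jobs "$user" "$uid"
    log "cleanup for $user (uid $uid, gid $gid) complete"
}

# deluser always passes exactly four arguments; run with any other count the
# file only defines its functions, which is what a dry test wants.
if [ $# -eq 4 ]; then
    main "$@"
fi
```

Locking the account password, the fourth item in the post's list, is already done by the time this hook runs because deluser has removed the passwd entry; in an LDAP setup that step belongs with whatever removes or disables the directory entry.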

  4. #4
    Join Date
    Jun 2011
    Beans
    22

    Re: LDAP Authentication: Account Management

    Ok, so if I understand you, I can use deluser to also delete the user's LDAP entry, yes?

  5. #5
    Join Date
    Jan 2011
    Beans
    132

    Re: LDAP Authentication: Account Management

    I would recommend you install the ldapscripts package and use those. This is what I use, and they make life a lot easier for working with LDAP accounts. Look in Chapter 7 Section 1 "OpenLDAP Server" subsection 1.11 "User and Group Management" of the Ubuntu Server guide. Hope this helps.

  6. #6
    Join Date
    Jun 2011
    Beans
    22

    Re: LDAP Authentication: Account Management

    I tried using LDAP Scripts, but the problem with it is that it is not playing ball with how I have my LDAP set up for users (Posix Group then Posix Account). So what I will do is just delete the LDAP entry and then the user.

  7. #7
    Join Date
    Jan 2011
    Beans
    132

    Re: LDAP Authentication: Account Management

    Really? I have mine set up with PosixGroup and PosixAccount and I have no issues. I also have other objectclasses in the entries, but I have posixAccount in there and have no issues. There is an entry in deluser.conf that would force deluser to automatically delete the user's home directory. So just try that and see what happens. I use an ldapadduser template and modified it so when I created LDAP users I could customize what fields get put into the LDAP records.
    Last edited by ranger12; December 27th, 2012 at 10:05 PM.
