# LDAP and *NIX user accounts

## VinzC

Hi again.

Still trying to put things together between LDAP and UNIX.

All the accounts that I add to my LDAP database are virtual accounts, right? They're virtual because they aren't defined the UNIX way, am I right?

But I also can allow these virtual accounts to log onto any machine in my network, is that correct? Then if I need to put permissions on a file, I suppose I have to map each LDAP user to a UNIX account, is this still correct?

Thanks.

----------

## vad3r

If you configure your servers to query LDAP for users and groups, those accounts behave like real users. You don't need a local->LDAP mapping. If you run "getent passwd" you should see both LDAP and local users.

----------

## bunder

*vad3r wrote:*

> If you run "getent passwd" you should see LDAP and local users

++ for nss_ldap and pam_ldap :Very Happy:

----------

## VinzC

Thanks for the explanation. Now how are permissions on files set? If I want to set permissions for a group or a user in LDAP on a given file, what will be the numeric UID? Does LDAP automatically create a numeric UID whenever a new user is added? Is it the purpose of nis.schema?

----------

## bunder

*VinzC wrote:*

> Thanks for the explanation. Now how are permissions on files set? If I want to set permissions for a group or a user in LDAP on a given file, what will be the numeric UID? Does LDAP automatically create a numeric UID whenever a new user is added? Is it the purpose of nis.schema?

the uid should be the same across all machines...  that's how ldap works... and you can specify by name or id (like normal).   :Wink: 

cheers

edit: as for adding users, i've never had any problems with UIDs not being generated... however there are a couple of pitfalls... @wheel users still need to be defined in /etc/group of the chosen machine... some ldap editors add extra garbage not necessary for login (cosmetic?)... chfn and chsh don't work, nor does useradd (well, it works for the local machine, but not ldap)... :Shocked:

----------

## VinzC

So LDAP does automatically assign a numeric ID to every user added to the directory, have I understood correctly? (The examples I've seen all use an LDIF file and there's no numeric UID, hence my question.)

----------

## vad3r

The users you add to your LDAP directory need all the fields that a local account needs too. Here's an example LDIF:

```
dn: uid=bozo,ou=users,c=global,dc=example,dc=com
cn: BoZo the Clown
gecos: BoZo the Clown
gidNumber: 2000
homeDirectory: /home/bozo
loginShell: /usr/bin/bash
mail: bozo@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 132239
shadowMax: 99999
shadowWarning: 7
sn: bozo
uid: bozo
uidNumber: 2000
```

----------

## VinzC

I understand but this is not the answer to my question. Please bear in mind that I *never* used LDAP, especially not in a UNIX environment. So my question is: do I have to manually specify the numeric user ID whenever I add a user to LDAP or does some tool (like useradd does) automatically assign that numeric ID?

EDIT: Or if you want to give me an example, post the command that you usually type to create a user account in an LDAP directory - if it's somehow meaningful.

----------

## VinzC

*VinzC wrote:*

> ... Does LDAP automatically create a numeric UID whenever a new user is added?

*bunder wrote:*

> edit: as for adding users, i've never had any problems with uid's not being generated...

Nice but you didn't mention how they are created, which was my question in fact. Are there special commands for that? So will I have to care for the numeric IDs or are they created automatically?

----------

## bunder

*VinzC wrote:*

> *VinzC wrote:*
> > ... Does LDAP automatically create a numeric UID whenever a new user is added?
>
> *bunder wrote:*
> > edit: as for adding users, i've never had any problems with uid's not being generated...
>
> Nice but you didn't mention how they are created, which was my question in fact. Are there special commands for that? So will I have to care for the numeric IDs or are they created automatically?

i just used an ldap editor instead of injecting an ldif...  the programs (luma, etc) do it for you, you just push a button and it acquires a uid.

cheers

----------

## VinzC

Ok, I see now. Thanks.

----------

