Some notes about LDAP for Unix user management:
Meaning of fields for objectClass posixAccount:
- uid contains the username
- uidNumber contains the numeric UID
- gidNumber should have the numeric GID
- cn should contain the user's full name (optional)
- homeDirectory and loginShell contain what you think they contain
- gecos contains the gecos from passwd (optional)
- userPassword contains {crypt} followed by the encrypted password from /etc/shadow (md5 password hashes are ok as well) ({SASL} is an interesting alternative)
- sn is the surname (optional)
- givenName is the given name (optional)
Meaning of fields for objectClass posixGroup:
- gidNumber is the group id
- cn is the group name
- memberUid attributes contain posixAccount.uid values
For objectClass inetOrgPerson: what you put there can be used as if it were a vCard by mail programs and contact lists.
Now, the name of a person could potentially be split across cn, givenName, sn, gecos and displayName (possibly more): how would normal user tools deal with the redundancy? To show a gecos field, pam_ldap will search for a gecos attribute first, then automatically fall back on building a gecos field out of the other suitable info it finds. To show a name, sane programs try displayName first and, if it's not present, they guess using the rest.
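The lookup order just described, written out as an added example (not code from the original notes): displayName first when a name is to be shown, gecos first when a gecos field is wanted, and a guess assembled from cn, givenName, sn, gecos and uid when the preferred attribute is missing. The three sample entries are constructed; attribute names are matched case-insensitively, as LDAP does.

```python
"""Resolving redundant name attributes on an LDAP entry (added example).

Entries are modelled as dicts mapping attribute name -> list of values, which is
how most LDAP client libraries hand back search results.
"""


def attr(entry, name):
    """First value of an attribute, matched case-insensitively; None if absent or empty."""
    for key, values in entry.items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None


def full_name(entry):
    """Best full name from cn, then givenName + sn, then gecos, then the uid itself."""
    cn = attr(entry, "cn")
    if cn:
        return cn
    given, sn = attr(entry, "givenName"), attr(entry, "sn")
    if given or sn:
        return " ".join(part for part in (given, sn) if part)
    gecos = attr(entry, "gecos")
    if gecos:
        return gecos.split(",")[0]  # the first gecos field holds the full name
    return attr(entry, "uid") or ""


def display_name(entry):
    """displayName if present, otherwise a guess from the rest (what sane programs do)."""
    return attr(entry, "displayName") or full_name(entry)


def gecos_field(entry):
    """gecos if present, otherwise build one from the other info (the pam_ldap fallback)."""
    return attr(entry, "gecos") or full_name(entry)


# Constructed sample entries: one with every name attribute, one with only
# givenName/sn, and one carrying nothing but the uid.
FULL = {
    "uid": ["alice"],
    "cn": ["Alice Example"],
    "displayName": ["Alice E."],
    "gecos": ["Alice Example,Room 12"],
    "sn": ["Example"],
    "givenName": ["Alice"],
}
SPARSE = {"uid": ["bob"], "givenName": ["Bob"], "sn": ["Example"]}
BARE = {"uid": ["carol"]}

if __name__ == "__main__":
    for entry in (FULL, SPARSE, BARE):
        print(display_name(entry), "|", gecos_field(entry))
```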
Then there is the issue of how to choose the dn to identify users, groups and so on. Users usually go in uid=$USERNAME,ou=People,$SUFFIX, while groups would usually go in cn=$GROUPNAME,ou=Groups,$SUFFIX.
Should you need to create the People and Groups organizational units, this could be the proper bit of LDIF:
dn: ou=$NAME,$SUFFIX
ou: $NAME
objectClass: organizationalUnit
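Putting the field meanings and the DN layout above together, here is an added example (not a tool the original notes refer to) that turns /etc/passwd, /etc/shadow and /etc/group style records into LDIF for the two organizational units, one posixAccount entry per user and one posixGroup entry per group. It assumes a suffix of dc=example,dc=com and uses inetOrgPerson as the structural object class (posixAccount alone is auxiliary), which is why sn is always filled in from the last word of the full name; the sample records and the password hash are constructed.

```python
"""Convert passwd/shadow/group style records to RFC 2307 LDIF (added example).

DN layout: uid=$USERNAME,ou=People,$SUFFIX and cn=$GROUPNAME,ou=Groups,$SUFFIX.
"""

SUFFIX = "dc=example,dc=com"  # assumed suffix for the example

# Constructed sample records in /etc/passwd, /etc/shadow and /etc/group format.
PASSWD_LINES = [
    "alice:x:1001:1001:Alice Example,Room 12,555-0100:/home/alice:/bin/bash",
    "bob:x:1002:1001:Bob Example:/home/bob:/bin/zsh",
]
SHADOW_LINES = [
    "alice:$6$constructedsalt$constructedhash:19000:0:99999:7:::",
    "bob:!:19000:0:99999:7:::",  # locked account: no usable hash
]
GROUP_LINES = [
    "users:x:1001:alice,bob",
    "staff:x:2000:alice",
]


def split_record(line, nfields):
    """Split a colon-separated record and check the field count."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != nfields:
        raise ValueError(f"expected {nfields} fields, got {len(fields)}: {line!r}")
    return fields


def shadow_hashes(lines):
    """Map username -> password field from shadow-format lines (9 fields each)."""
    return {f[0]: f[1] for f in (split_record(line, 9) for line in lines)}


def usable_hash(h):
    """True if the shadow field is a real crypt(3) hash rather than a lock marker."""
    return bool(h) and not h.startswith(("!", "*"))


def ou_ldif(name, suffix=SUFFIX):
    """LDIF for an organizationalUnit such as People or Groups."""
    return f"dn: ou={name},{suffix}\nou: {name}\nobjectClass: organizationalUnit\n"


def user_ldif(passwd_line, hashes, suffix=SUFFIX):
    """LDIF for one user as inetOrgPerson + posixAccount + shadowAccount."""
    uid, _, uidnum, gidnum, gecos, home, shell = split_record(passwd_line, 7)
    full_name = gecos.split(",")[0].strip() or uid  # first gecos field is the full name
    parts = full_name.split()
    attrs = [
        ("dn", f"uid={uid},ou=People,{suffix}"),
        ("objectClass", "inetOrgPerson"),  # structural class; requires cn and sn
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", uid),
        ("cn", full_name),
        ("sn", parts[-1]),  # inetOrgPerson needs sn: last word of the name
        ("uidNumber", uidnum),
        ("gidNumber", gidnum),
        ("homeDirectory", home),
        ("loginShell", shell),
        ("gecos", gecos),
    ]
    if len(parts) > 1:
        attrs.append(("givenName", " ".join(parts[:-1])))
    h = hashes.get(uid, "")
    if usable_hash(h):
        # {crypt} tells the server the value is the crypt(3) hash taken from /etc/shadow
        attrs.append(("userPassword", "{crypt}" + h))
    # locked or missing hashes get no userPassword, so a simple bind cannot succeed
    return "".join(f"{k}: {v}\n" for k, v in attrs)


def group_ldif(group_line, suffix=SUFFIX):
    """LDIF for one group as posixGroup; members become memberUid values."""
    name, _, gidnum, members = split_record(group_line, 4)
    attrs = [
        ("dn", f"cn={name},ou=Groups,{suffix}"),
        ("objectClass", "posixGroup"),
        ("cn", name),
        ("gidNumber", gidnum),
    ]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return "".join(f"{k}: {v}\n" for k, v in attrs)


def build_ldif(passwd_lines, shadow_lines, group_lines, suffix=SUFFIX):
    """Whole LDIF: the two OUs, then users, then groups, blank-line separated."""
    hashes = shadow_hashes(shadow_lines)
    entries = [ou_ldif("People", suffix), ou_ldif("Groups", suffix)]
    entries += [user_ldif(line, hashes, suffix) for line in passwd_lines]
    entries += [group_ldif(line, suffix) for line in group_lines]
    return "\n".join(entries)


if __name__ == "__main__":
    print(build_ldif(PASSWD_LINES, SHADOW_LINES, GROUP_LINES))
```

The output can be fed to ldapadd as is. Since it carries the password hashes, treat the generated file with the same care as /etc/shadow, and make sure the directory's access controls only let the server compare userPassword rather than hand it out to ordinary readers.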
To add fields that are not already part of a schema, one needs to create their own schema. To do that, one needs to first obtain (free of charge) a Private Enterprise Number that is used in various places in the schema definition. Making up your own one means risking conflicts if you eventually grow larger. But it is rarely needed, because for most things there are already schemas available.
Many thanks to Wouter and noshadow for allowing me to crudely extract all this content from their brains.