Saturday, August 13, 2011

DIY: LDAP user management with LAM

We've tried a lot of LDAP administration tools, and they all pale in comparison to LDAP Account Manager. Here are some details about this powerful tool.

Ah, Lightweight Directory Access Protocol (LDAP), that feisty, pain in the keister system that can be a real joy to set up and administer. Seriously, someone needs to create a distribution based solely on LDAP such that you put the disk in the machine, boot up, install, and enjoy it without having to go through a boat trip on the River Styx to get it up and running.

Until then, there are a handful of tools designed to make life more tolerable for the LDAP admin. One of those tools is LDAP Account Manager (LAM).

Features

  • Management of various account types
  • Profiles for account creation
  • Account creation via file upload
  • Automatic creation/deletion of home directories
  • Setting file system quotas
  • PDF output for all accounts
  • Editor for organizational units
  • Schema browser
  • LDAP browser
  • Multiple configuration files
  • Multi-language support
  • Support for LDAP+SSL/TLS

Two versions: LAM and LAM Pro

LAM comes with the tool’s standard features. LAM Pro comes with the standard LAM features, plus User Self Service, Additional Account modules, Run Custom Scripts, Access Levels, Password Reset Page.

Look at the full feature matrix for the differences in features. The costs for LAM Pro are:
  • Single computer: New license $240 USD / Upgrade $180 USD
  • Company license: New license $800 USD / Upgrade $600 USD

Installing LAM

Beyond having LDAP installed, the requirements for a LAM installation are:
  • Apache webserver (SSL recommended) with PHP module (PHP 5 >= 5.2.4). Other modules for Apache include: ldap, gettext, xml, and optional mcrypt.
  • Some LAM plugins may require additional PHP extensions.
  • Perl (optional, needed only for lamdaemon).
  • OpenLDAP >2.0.
  • A web browser that supports CSS2 and JavaScript (The Chrome browser has a problem displaying some of the pages correctly.)
Installation is quite simple and well documented (on a per-operating system case). After the installation is complete, point your browser to http://ADDRESS_TO_LAM_SERVER/lam and you should see the LAM login page. By default, the user credentials are:
  • user: admin
  • password: lam
Be sure to change the master password immediately upon login.

Using LAM

After you log in to LAM, you’ll see the main window, which is where you’ll do all aspects of LDAP account management (Figure A).
Figure A

You can even add Samba domains from within LAM. (Click the image to enlarge.)
To see how simple LAM is to use, click the Add User button. From the Add User window (Figure B), various user types can be added. You’ll notice that regardless of type the minimum that can be entered for a user is the lastname field. This is standard operating procedure for LDAP.
Figure B

A sample of the Add User window for the UNIX type. (Click the image to enlarge.)

Various features or warnings

  • If you need to edit OU entries, browse the schema, edit the profile, run the test, etc. and click the Tools link. Use caution when editing any of the profiles or OU entries.
  • The Tree View (Figure C) might appeal to many old-school LDAP users because of its more familiar layout.
Figure C

You can see everything laid out in reference to its standard LDAP organization. (Click the image to enlarge.)
  • You should utilize the PDF feature. It allows you to download PDF documents of users, groups, hosts, etc.
  • The server information will give you: Managed Suffixes, LDAP Version, Config suffix, Schema suffix, and SASL mechanisms.

Bottom line

All of the tools I have used that promised to make LDAP easier have paled in comparison to LAM. This web-based system can have any LDAP admin, regardless of experience, working serious magic with their LDAP accounts.

Plus, when you’re on a tight budget, deploying and managing LDAP (over Active Directory) will save some serious cash. And anyone with a DIY mindset will appreciate the flexibility of LDAP, but not every DIYer wants to have to take the time to learn to manage LDAP accounts from the command line.

Get more IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free newsletters.

No comments:

Post a Comment