***************************************
*    Directory administrator README   *
***************************************

Thank you for choosing Directory administrator. I sincerely hope you will find this application useful. My name is Manuel Amador (Rudd-O), and I am the original author of this software. Please send any comments to amadorm@usm.edu.ec. The official Web site is http://diradmin.open-it.org/

Q: What is Directory administrator?

A: Directory administrator is an LDAP POSIX user/group manager. In plain English, it lets you easily manage the Linux/UNIX users and groups residing in an LDAP database. It also manages organizational information, per-server/service access controls, and LDAP mail routing as supported by Sendmail and other LDAP-enabled mailers.

Q: What is LDAP? What can I use it for?

A: That is an easy one, too. A directory is a centralized object storage server, and LDAP (the Lightweight Directory Access Protocol) is the protocol used to talk to it. UNIX and Windows systems can use a directory server to verify users' credentials and grant them access to the system. A centralized store for credential information makes sense on its own, but it gets better: you can also store your users' company information (e-mail address, PBX extension number, and the like) in the same place. Nowadays nearly every network service can authenticate against an LDAP directory, and that includes Linux and the other UNIX variants.

So it works like this:

* Set a directory up: install OpenLDAP and migrate your authentication information (the passwd, group and shadow data) into it; the MigrationTools from PADL can assist you with that task.
* Install Directory administrator. It does not need to be installed on the same computer as the directory server.
* Set your workstations up to look up authentication information on the newly set-up directory server. This can be done with your operating system's setup utilities (e.g., authdrake on Mandrake Linux, redhat-config-auth on Red Hat Linux).
* Manage your users and groups via Directory administrator.

You can also set several other services up, and they will take advantage of the information residing on the directory server.

LDAP also offers replication and fault tolerance. This means you could have a global directory for all your users, constantly replicating between sites. Not only that, but, just like NIS+, it gives you unified user IDs and group IDs, which makes it an effective and more secure replacement for NIS+ (LDAP sessions can be protected with TLS/SSL, and the server's ACLs control who may read or change each attribute). All your users hold the same user IDs across servers and workstations, so another administrative nightmare has been obliterated.

Q: Why didn't you use the iPlanet Directory Server administrative suite?

A: The problem with the Directory Server console is that I could not find any way of managing POSIX users and groups with it. POSIX users and groups are stored like any other user, but with a set of additional attributes (the posixAccount and posixGroup attributes defined in RFC 2307: uidNumber, gidNumber, homeDirectory, loginShell and so on), which the iPlanet suite does not know about. So a user created with iPlanet cannot be used as a logon account on a Linux machine, whereas a user created with Directory administrator on an iPlanet Directory Server CAN log on and be used in UNIX environments. Nevertheless, I recommend Directory Server because of its configurability, its access control policies (you can delegate administration with extreme control) and its reliability. There are freely available tools for modifying and browsing a directory server, but none has the specific target of managing UNIX users and groups. Since LDAP is the perfect replacement for NIS+, this tool was the only thing missing.

Q: How do I install and use it?

A: Read the file INSTALL in this directory. Then open Directory administrator, create a connection profile, connect with administrator credentials, and start managing your directory!

Future tools will allow you to set up an LDAP server, migrate user accounts, and set a computer up as a client of the LDAP server, in compliance with the POSIX standards and my drafts.
Q: Are there competing projects?

A: Yes. There is LinPlanet (linplanet.sourceforge.net). But I haven't used their software: their project page hasn't released any code, it states that the project is in pre-alpha state, and, judging by the screenshots I saw, I am personally looking for a utility that is easier and faster to use. I am also doing a micro-extension to the standard that allows computers participating in the directory to deny authentication, based on a set of attributes describing the server the user is logging on to. There are also LDAP Explorer, GUM and Ganymede; in some ways they do not perform Directory administrator's tasks.
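To make two of the points above concrete (which attributes a directory entry must carry before a Linux client will accept it as a logon account, and how a per-server attribute can let a host deny a logon), here is an added example in Python. It is not code from Directory administrator, from the MigrationTools or from any of the projects named above. The base DN, the sample users, the host names and the host-attribute semantics are assumptions of this example: the `host` rules are modelled on pam_ldap's pam_check_host_attr behaviour (no host attribute denies everywhere, a value of `*` allows everywhere, otherwise the host name must be listed), and the account + posixAccount + shadowAccount objectClass set is the one PADL's migration scripts emit.

```python
"""Build, validate and serialize RFC 2307 POSIX entries as LDIF.

Added example (not Directory administrator's code). BASE_DN, the sample
users, the host names and the host-attribute semantics are assumptions.
"""
import base64
import hashlib
import os

BASE_DN = "dc=example,dc=com"  # assumed sample suffix

# RFC 2307 MUST attributes of posixAccount: without every one of these a
# client cannot build a passwd entry for the user and the login fails.
POSIX_ACCOUNT_REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def ssha_password(password, salt=None):
    """OpenLDAP-style {SSHA} userPassword: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify a password against an {SSHA} value (salt = bytes after the 20-byte digest)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def posix_user(uid, uid_number, gid_number, full_name, password,
               hosts=(), shell="/bin/bash"):
    """User entry a UNIX client can resolve and log on with.

    `host` (from the cosine `account` objectClass) is the per-server access
    control attribute that host_allowed() evaluates.
    """
    entry = {
        "dn": [f"uid={uid},ou=People,{BASE_DN}"],
        "objectClass": ["top", "account", "posixAccount", "shadowAccount"],
        "uid": [uid],
        "cn": [full_name],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],
        "homeDirectory": [f"/home/{uid}"],
        "loginShell": [shell],
        "userPassword": [ssha_password(password)],
    }
    if hosts:
        entry["host"] = list(hosts)
    return entry


def posix_group(name, gid_number, members=()):
    """posixGroup entry; memberUid lists the uid values of its members."""
    entry = {
        "dn": [f"cn={name},ou=Group,{BASE_DN}"],
        "objectClass": ["top", "posixGroup"],
        "cn": [name],
        "gidNumber": [str(gid_number)],
    }
    if members:
        entry["memberUid"] = list(members)
    return entry


def unix_login_ready(entry):
    """Return what a UNIX client would miss; an empty list means the entry is usable."""
    missing = []
    if "posixAccount" not in entry.get("objectClass", []):
        missing.append("objectClass=posixAccount")
    missing += [a for a in POSIX_ACCOUNT_REQUIRED if not entry.get(a)]
    return missing


def host_allowed(entry, hostname):
    """Assumed pam_check_host_attr rules: no host attribute -> deny everywhere,
    '*' -> allow everywhere, otherwise the host must be listed (case-insensitive)."""
    hosts = [h.lower() for h in entry.get("host", [])]
    return "*" in hosts or hostname.lower() in hosts


def _safe_literal(value):
    # LDIF: leading/trailing space, a leading ':' or '<', newlines and
    # non-ASCII bytes must be base64-encoded with the '::' form.
    return (value.isascii() and "\n" not in value and value == value.strip()
            and not value.startswith((":", "<")))


def to_ldif(entry):
    """Serialize one entry to LDIF text."""
    lines = [f"dn: {entry['dn'][0]}"]
    for attr, values in entry.items():
        if attr == "dn":
            continue
        for value in values:
            if _safe_literal(value):
                lines.append(f"{attr}: {value}")
            else:
                lines.append(f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return "\n".join(lines) + "\n"


# Constructed sample data: a proper POSIX user and group, plus an inetOrgPerson
# entry of the kind a generic directory console creates (no POSIX attributes).
USER = posix_user("jdoe", 1001, 1001, "Jane Doe", "correct horse",
                  hosts=("ws01.example.com", "mail.example.com"))
GROUP = posix_group("jdoe", 1001, members=("jdoe",))
CONSOLE_USER = {
    "dn": [f"uid=jdoe,ou=People,{BASE_DN}"],
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"], "mail": ["jdoe@example.com"],
}

if __name__ == "__main__":
    print(to_ldif(USER) + "\n" + to_ldif(GROUP))
    print("console user is missing:", unix_login_ready(CONSOLE_USER))
    for host in ("ws01.example.com", "db01.example.com"):
        print(host, "allowed" if host_allowed(USER, host) else "denied")
```

Running it prints the LDIF that `ldapadd` would accept for the user and group, reports that the console-created entry lacks posixAccount, uidNumber, gidNumber and homeDirectory (which is why such a user cannot log on to a Linux box), and shows the same user being admitted on ws01 but refused on db01, which is not in its `host` attribute. The userPassword is stored as a salted SHA-1 ({SSHA}) rather than in the clear, so a read of the entry does not yield the password itself.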