Linux – Quick and dirty user management service for Linux VMs

Tags: linux, user-accounts, virtual-machine

Background
I have a home server running Debian, and a workstation that runs various VirtualBox VMs (mostly Linuxen but some Windows).

At the moment, I'm creating my main user account anew for every new Linux VM. I'd like to make use of a centralized user-management scheme instead, so I can just configure the new VMs for the directory technology and let them handle user lookups automatically.

The last time I worked with anything like this, NIS+ was still in fashion. I have a vague notion of what LDAP and Active Directory are, but no knowledge of how to configure them for what I want.

Question
What user-management/network-directory technology should I use for providing user accounts to my network?

  • The server must run on Debian Lenny.
  • Client configuration should be simple point-at-server-and-go.
  • I need an example configuration for one sample user account.
  • (nice-to-have) I may want to mount the user's home directory from the server.
  • (nice-to-have) The same configuration works with Windows clients.

Best Answer

I tried to do this quite some time ago. OpenLDAP stored my user accounts and automounts, phpldapadmin was used to manage everything.

I can't comment on the current state of phpldapadmin, but at the time I used it it was pretty basic. What I liked about it, though, was that it had simple templates to create different kinds of LDAP entries (Unix/Samba accounts, automount directories, etc.), so this made my life a lot easier, because at first I had to create those entries manually and they would consist of quite a few fields with non-obvious names. Plus, phpldapadmin allowed me to just mess around in the database if that was needed (and I needed that quite often) and was easy to install.

Whenever I would set up a new machine I had to do three things to get everything working with LDAP:

  1. Make the system aware of my LDAP server by entering its IP in the file /etc/ldap/ldap.conf (I also had to install a package like openldap-utils to get the basic client functionality I needed).
  2. Tell PAM that it should authenticate users against my LDAP server by editing a bunch of files in /etc/pam.d.
  3. Tell the system where it could actually find out about UIDs, GIDs, automounts, etc. (only logging in is not enough; the system needs to know, for example, the name of the user, or to which groups he belongs) by installing and configuring a thing called libnss-ldap. For that I had to edit two files called libnss-ldap.conf and nsswitch.conf.

As I said, it was quite some time ago that I used to use that, so maybe things are different now, or I forgot about some things/recall them wrong. I remember having some sort of script that made everything a little easier, but still the whole thing wasn't really that straightforward.

Still, it worked pretty well, and once you get the hang of it, it'll make things a lot easier if you're using many different machines with lots of users. All your configurations will be done in a central place and you'll instantly have them on every new machine.
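The three client-side steps in the answer (ldap.conf, PAM, libnss-ldap plus nsswitch.conf), together with the "one sample user account" the question asks for, written out as an added example. This is not the answer author's script or configuration: the server address 192.0.2.10, the suffix dc=home,dc=lan, the CA file /etc/ssl/certs/home-ca.pem, the containers ou=People and ou=Groups, and the user "alice" (uid/gid 10001) are all constructed placeholders, and the automount entries assume the cn/ou-based autofs.schema shipped with Debian's autofs-ldap rather than the rfc2307bis automountKey variant. The STARTTLS lines are there because pam_ldap authenticates with a simple bind, which otherwise sends the user's password to the server in clear text.

```shell
#!/bin/sh
# Added example, not from the question or the answer above. Renders the client
# files the answer's three steps touch, plus an LDIF for one sample account.
# Constructed placeholders: 192.0.2.10 (server), dc=home,dc=lan (suffix),
# /etc/ssl/certs/home-ca.pem (CA certificate), user "alice" with uid/gid 10001.
set -eu

LDAP_SERVER="${LDAP_SERVER:-192.0.2.10}"
BASE_DN="${BASE_DN:-dc=home,dc=lan}"
CA_CERT="${CA_CERT:-/etc/ssl/certs/home-ca.pem}"

# Step 1: /etc/ldap/ldap.conf, read by the ldap-utils tools (ldapsearch etc).
render_ldap_conf() {
cat <<EOF
BASE $BASE_DN
URI ldap://$LDAP_SERVER
# Trust only our own CA so a STARTTLS session is actually verified
TLS_CACERT $CA_CERT
EOF
}

# Step 2: the pam_ldap lines for /etc/pam.d/common-auth. "sufficient" lets an
# LDAP user in; a local user (root included) still falls through to pam_unix.
render_pam_common_auth() {
cat <<EOF
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so nullok_secure use_first_pass
EOF
}

# Step 3a: /etc/libnss-ldap.conf (libpam-ldap takes the same keys in pam_ldap.conf).
# ssl start_tls + tls_checkpeer keep the simple bind, which carries the user's
# password, off the wire in clear text.
render_libnss_ldap_conf() {
cat <<EOF
base $BASE_DN
uri ldap://$LDAP_SERVER
ldap_version 3
ssl start_tls
tls_checkpeer yes
tls_cacertfile $CA_CERT
nss_base_passwd ou=People,$BASE_DN?one
nss_base_shadow ou=People,$BASE_DN?one
nss_base_group  ou=Groups,$BASE_DN?one
EOF
}

# Step 3b: rewrite an /etc/nsswitch.conf read from stdin so passwd, group,
# shadow and automount consult local files first and LDAP second (the box
# stays usable when the server is down). Other databases such as hosts are
# passed through untouched.
enable_ldap_nss() {
awk '
  /^(passwd|group|shadow):/  { print $1 " files ldap"; next }
  /^automount:/              { seen = 1; print $1 " files ldap"; next }
  { print }
  END { if (!seen) print "automount: files ldap" }'
}

# One sample account, its private group and an autofs map entry for its home
# directory. Load with:  ldapadd -x -D cn=admin,$BASE_DN -W -f alice.ldif
# The password is deliberately not in the LDIF; set it afterwards with
# ldappasswd so that only a server-side hash is stored.
render_sample_ldif() {
cat <<EOF
dn: uid=alice,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
cn: Alice Example
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash

dn: cn=alice,ou=Groups,$BASE_DN
objectClass: posixGroup
cn: alice
gidNumber: 10001

dn: ou=auto.home,$BASE_DN
objectClass: top
objectClass: automountMap
ou: auto.home

dn: cn=alice,ou=auto.home,$BASE_DN
objectClass: automount
cn: alice
automountInformation: -fstype=nfs,rw,soft $LDAP_SERVER:/export/home/alice
EOF
}

# Print every rendered file when run as "sh script.sh render"; copy each
# section into place on the new VM.
if [ "${1:-}" = "render" ]; then
    for f in render_ldap_conf render_pam_common_auth render_libnss_ldap_conf render_sample_ldif; do
        echo "### $f"; "$f"; echo
    done
fi
```

Run it as `sh script.sh render` to see the four pieces; feed an existing nsswitch.conf through `enable_ldap_nss < /etc/nsswitch.conf` to get the edited copy. Keeping `files` ahead of `ldap` in nsswitch.conf and `pam_unix` after `pam_ldap` in common-auth means local accounts, root above all, keep working when the directory server is unreachable, which is the first thing to verify before rolling this out to a VM you care about.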
