[389-users] What are people using to manage user accounts?

brandon bjg at solv.com
Thu Oct 28 01:38:57 UTC 2010


  On 10/27/2010 11:12 AM, Orion Poplawski wrote:
> I'd be very interested to know what tools people are using to manage user
> accounts in the directory server.  Currently we are using a modified version
> of fdstools because we have a Posix + Samba environment, but would be
> interested in other solutions that may be out there.

I use GIR (Generalized Identity Replicator), originally developed with 
Sun DS about 8 years ago. It was designed initially as a meta-directory 
server integrating Oracle users, flat passwd updates for non-LDAP hosts, 
Netscape/Sun/Red Hat DS, AD and more. It has very simple and easy-to-use 
user management.  I just updated it and deployed it at a large 
government site. I believe there are some features newer to Fedora DS 
that it could use (like triggered updates), but right now it also 
handles things like groups and whatnot, so AD-sensitive applications also 
have the values they are looking for.

It is OSS, and I need to release a new version. It is written in Perl, 
uses an abstract API for easy extensibility to unique data stores (if 
you are into Perl programming), and has an encrypted message bus, so if 
something is down it'll keep retrying to make an update, etc.  It uses a 
web front-end.

Currently, one GIR system manages three discrete directory structures, 
and synchronizes accounts with AD (limited to just locked/disabled 
status for now).  When you change a user's information/groups/etc in GIR 
it replicates to all directories (because we don't use passwords in AD 
it does not replicate there, but it could, if we did).

http://sourceforge.net/projects/gir/

If you are interested in rolling up your sleeves, I could get you the 
3.0 version. It should run without much effort on Red Hat/CentOS; just 
contact me offline.

Oh, and because I'm still not happy with where FreeIPA is at yet, I 
actually have a simple, simple mechanism of creating a "host" computer 
account, and joining Linux hosts using one account per host, instead of 
a general proxy account. There is a script, "join-domain", that does all 
the LDAP config stuff, plus creates the host password (randomly 
generated) and inserts it into the tree. This largely came about because 
the built-in Red Hat auth scripts are broken when using only SSL with 
private CA certs, and I had to keep rewriting the ldap.conf file anyway, 
so why bother with the core OS stuff when it is broken? It is really 
just an interim solution until FreeIPA matures, but it is better than 
one generic proxy account for all hosts, and it is way better than 
anonymous binding (we also run our entire environment encrypted).

-Brandon
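The per-host bind account described in the message above, sketched as an added example. This is not GIR's own "join-domain" script and nothing here is taken from its code; it is a minimal POSIX shell rendering of the same idea: generate a random password for the host, add a host entry carrying it to the directory over LDAPS, confirm the host can bind with its own credentials, and write a client config that binds as that account with TLS peer verification against a private CA. The suffix dc=example,dc=com, the ou=Hosts container, the LDAPS URI, the CA bundle path, the device/simpleSecurityObject object classes and the nss_ldap/pam_ldap style /etc/ldap.conf keywords are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not GIR's join-domain script): one LDAP bind identity per
# host with a randomly generated password, in place of a shared proxy
# account or anonymous binds.  Suffix, container, URI, CA path and config
# keywords below are assumptions, not values from the original message.
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"                     # assumed suffix
HOST_OU="ou=Hosts,${BASE_DN}"                               # assumed host container
LDAP_URI="${LDAP_URI:-ldaps://ds.example.com}"              # LDAPS only, no ldap:// fallback
CA_CERT="${CA_CERT:-/etc/openldap/cacerts/private-ca.pem}"  # assumed private CA bundle
ADMIN_DN="${ADMIN_DN:-cn=Directory Manager}"                # account allowed to add host entries
LDAP_CONF="${LDAP_CONF:-/etc/ldap.conf}"                    # nss_ldap/pam_ldap config (assumed)

# 32 random characters from the kernel RNG, reduced to [A-Za-z0-9] so the
# value needs no quoting in LDIF or in ldap.conf.
gen_host_password() {
    head -c 128 /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | head -c 32
}

# DN of the host's own bind identity.
host_dn() {
    printf 'cn=%s,%s\n' "$1" "$HOST_OU"
}

# LDIF for the host account.  The password travels in the clear only inside
# the LDAPS session; 389 DS hashes a cleartext userPassword on add according
# to its passwordStorageScheme.
make_host_ldif() {
    host="$1"; pw="$2"
    cat <<EOF
dn: $(host_dn "$host")
objectClass: top
objectClass: device
objectClass: simpleSecurityObject
cn: $host
userPassword: $pw
description: LDAP bind identity for host $host, created by join-domain
EOF
}

# Client config: bind as the host's own account, require TLS with peer
# verification against the private CA, and never fall back to ldap://.
make_ldap_conf() {
    host="$1"; pw="$2"
    cat <<EOF
# generated by join-domain: one bind identity per host, no shared proxy account
uri $LDAP_URI
base $BASE_DN
binddn $(host_dn "$host")
bindpw $pw
ssl on
tls_checkpeer yes
tls_cacertfile $CA_CERT
EOF
}

# Create the host entry, prove the new account can bind, then write the
# client config so the secret is readable by root only.
join_domain() {
    host="$1"
    pw="$(gen_host_password)"
    ldif="$(mktemp)"
    make_host_ldif "$host" "$pw" > "$ldif"
    ldapadd -H "$LDAP_URI" -D "$ADMIN_DN" -W -f "$ldif"
    rm -f "$ldif"
    # fail loudly if the host cannot authenticate with its own credentials
    ldapwhoami -H "$LDAP_URI" -D "$(host_dn "$host")" -w "$pw" > /dev/null
    umask 077
    make_ldap_conf "$host" "$pw" > "$LDAP_CONF"
    echo "joined $host as $(host_dn "$host")"
}

# usage: ./join-domain.sh join <hostname>   (run as root on the host being joined)
if [ "${1:-}" = "join" ]; then
    join_domain "${2:?hostname required}"
fi
```

Only join_domain touches the network; the generator functions are pure so the LDIF and config can be inspected before anything is committed to the directory. The ldapwhoami step is the check worth keeping: it catches a mistyped container, a password policy that rejected the value, or an ACI that lets the entry be created but not bind, before the host is left with a config that silently fails.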
