
Re: Directory enabled distribution



On Sun, 07 Mar 1999, Brian May wrote:
>>Currently we have the ability to set up systems with LDAP based ns (ie,
>>passwd, account, hosts, aliases...NIS in a nutshell) and utilities to
>>utilize that. Pam_ldap enables authentication through the LDAP server
>>and nss_ldap enables lookups from native libc calls to the LDAP
>>server for hosts password info, group info, shadow info and more.
>>There is also a php3 module now that allows for direct access to an
>>LDAP server from scripts.
>
>I don't understand - in what way is LDAP better than NIS?

LDAP is the RFC standard interface to X.500 directory structures.  X.500
servers support quite large databases (millions of accounts) and are fully
hierarchical.  So you might have the following tree for a mid-sized ISP:

  o=isp                  // Organization = isp-name
    ou=customers         // OrganizationalUnit (sub-level)
      ou=cat1            // second ou under the first ou for customers with type 1 service
        cn=Joe Bloggs    // The common name is joe-bloggs for Joe's account.

We can also have:
  cn=Russell Coker, ou=contractors, ou=staff, o=isp
to contain my information in the same database.

Then different servers can authenticate users based on this data and the part
in the tree where it occurs.  E.g. the DNS server will only allow accounts in the
"ou=staff, o=isp" branch to log in.  The payroll server will only allow accounts
in "ou=managers, ou=staff, o=isp" to log in.

Next we can chain multiple servers, so for example if we have a co-loc server
they could run their own LDAP server for the branch "ou=Joe's company,
ou=customers, o=isp" and requests from outside could be chained to it.  So the
company could run their own LDAP server for their co-loc domain, and the ISP's
servers could authenticate users' access to other services (e.g. maintaining a web
server on one of the ISP's servers) based on account information in the
customer's LDAP server.

OpenLDAP supports replication between servers (but not netsplit with multiple
updates on a single record as it doesn't support time-stamps in the replication
files AFAIK).  So you could have 2 OpenLDAP servers running with your account
data and if one of them went down (crash or hardware upgrade) the other could
keep on running.

LDAP is good for big and/or complex organizations.  Your typical home user
doesn't need it though.

LDAP is also a good thing to play with if you're a university student (as many
Debian developers are).  Many large companies are spending millions on large
LDAP servers and LDAP will look good on a resume.

--
I am in London and would like to meet any Linux users here.
I plan to work in London for 6 months and then I might move to some other
place where the pay is good.
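The per-server rule described in the reply above (the DNS server admits anyone under "ou=staff, o=isp", payroll only "ou=managers, ou=staff, o=isp") amounts to checking where an account's DN sits in the tree. The following is an added example, not code from the mail or from OpenLDAP: it parses DNs into RDNs and compares tree position RDN by RDN rather than by raw string suffix, so that an escaped comma or an "=" inside a value cannot make an account appear to live in a privileged branch. The service names, branch DNs and account DNs are constructed for illustration.

```python
# Added example: authorise a login by the DN's position in the directory tree.
import re


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, leaf first.

    Splits only on unescaped commas, trims whitespace around each RDN, and
    lower-cases both sides (cn/ou/o use caseIgnoreMatch in the standard schema).
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        value = value.strip().replace('\\,', ',').lower()
        rdns.append((attr.strip().lower(), value))
    return rdns


def in_branch(account_dn: str, branch_dn: str) -> bool:
    """True if account_dn lies under branch_dn, compared RDN by RDN.

    A string suffix test would accept "cn=x, ou=myou=staff, o=isp" for the
    branch "ou=staff, o=isp"; comparing parsed RDNs does not.
    """
    acct, branch = parse_dn(account_dn), parse_dn(branch_dn)
    return len(branch) <= len(acct) and acct[len(acct) - len(branch):] == branch


# Constructed per-service policy: each server admits only accounts whose DN
# falls under its branch, as in the mail's DNS and payroll examples.
SERVICE_BRANCHES = {
    "dns": "ou=staff, o=isp",
    "payroll": "ou=managers, ou=staff, o=isp",
    "webhosting": "ou=customers, o=isp",
}


def may_login(service: str, account_dn: str) -> bool:
    """Unknown services get no branch and therefore admit nobody."""
    branch = SERVICE_BRANCHES.get(service)
    return branch is not None and in_branch(account_dn, branch)


if __name__ == "__main__":
    for dn in ("cn=Russell Coker, ou=contractors, ou=staff, o=isp",
               "cn=Joe Bloggs, ou=cat1, ou=customers, o=isp",
               "cn=Jane Roe, ou=managers, ou=staff, o=isp"):
        print(dn, {s: may_login(s, dn) for s in SERVICE_BRANCHES})
```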