Re: We need centralized accounts -- Any docs for ldap passwords?



Ben Collins <bcollins@debian.org> writes:

> Documentation is a little lacking in this area. The main reason for
> putting things like fstab, etc, into ldap is for diskless clients
> and large network configurations (think centralizing). If you don't
> see an immediate need for it, chances are you won't benefit from
> it. Currently the most common use of ldap for name services are
> shadow/passwd/group, mail aliases (exim can compile with ldap
> support, as well as sendmail), and hosts information.

OK, so it sounds like we just need shadow/passwd/group support, and as
far as I can tell we should be mostly good to go if we

  1) firewall access to the ldap server from outside our subnet.
  2) import /etc/group and passwd via migrate_<foo>.pl
  3) edit our nsswitch.conf as directed in /usr/doc/libnss-ldap/README
  4) cross our fingers.

What I don't really know is how doing this interacts with the normal
mechanisms.  I would presume that we can just use LDAP for user
accounts, and leave the system accounts in /etc/passwd, etc.  I'm
guessing from the nsswitch entry it'll just fall back to that if LDAP
fails on a given lookup, but how does LDAP interact with adduser,
userdel, addgroup, /usr/bin/passwd, etc.?  Does it update the right
things, or do we have to do manual synchs?

If the latter, then it seems like it might be worth us considering not
using LDAP at all, and just whipping up some ssh synch thingy for
these bits...

> Hope this clears some things up.

It helps a lot.  Thanks.

-- 
Rob Browning <rlb@cs.utexas.edu> PGP=E80E0D04F521A094 532B97F5D64E3930
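The message above presumes that system accounts stay in /etc/passwd and that LDAP is only consulted when the local files have no entry. Whether that is actually what happens is decided by the order of sources on the `passwd:`, `group:` and `shadow:` lines of nsswitch.conf. The following script is an added example, not part of the original thread or of libnss-ldap; it checks a given nsswitch.conf for the `files ldap` ordering on those three databases, so that local accounts (root in particular) keep resolving when the LDAP server is down and a directory entry can never shadow a local one. The two sample files it reads are constructed inline for illustration and are not real system configuration.

```sh
#!/bin/sh
# Added example (not from the original thread): sanity-check the ordering of
# name-service sources in an nsswitch.conf. For passwd, group and shadow we
# want "files" first and "ldap" present, so that /etc/passwd and friends are
# authoritative for system accounts and LDAP only fills in the rest.

# check_nsswitch FILE
#   Prints one status line per database and returns 0 only if passwd, group
#   and shadow all list "files" first and include "ldap".
check_nsswitch() {
    file="$1"
    rc=0
    for db in passwd group shadow; do
        # First line that starts with "<db>:" (leading whitespace allowed).
        line=$(grep -E "^[[:space:]]*${db}:" "$file" | head -n 1)
        if [ -z "$line" ]; then
            echo "$db: MISSING (glibc default applies, LDAP is not consulted)"
            rc=1
            continue
        fi
        # Drop the "<db>:" prefix and any trailing comment, leaving the sources.
        sources=$(printf '%s\n' "$line" \
            | sed -e "s/^[[:space:]]*${db}:[[:space:]]*//" -e 's/#.*//')
        first=$(printf '%s\n' "$sources" | awk '{print $1}')
        has_ldap=$(printf '%s\n' "$sources" | grep -cw ldap)
        if [ "$has_ldap" -eq 0 ]; then
            echo "$db: no ldap source ($sources)"
            rc=1
        elif [ "$first" != "files" ]; then
            echo "$db: ldap consulted before local files ($sources)"
            rc=1
        else
            echo "$db: OK ($sources)"
        fi
    done
    return $rc
}

# Constructed sample files (placeholders, not copied from any real system).
tmp=$(mktemp -d)
cat > "$tmp/good.conf" <<'EOF'
# nsswitch.conf: local files are authoritative, LDAP fills in the rest
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF
cat > "$tmp/bad.conf" <<'EOF'
# nsswitch.conf: passwd asks LDAP first and shadow is never sent to LDAP
passwd:         ldap files
group:          files ldap
hosts:          files dns
EOF

for f in good bad; do
    echo "== $tmp/$f.conf"
    if check_nsswitch "$tmp/$f.conf"; then
        echo "result: acceptable"
    else
        echo "result: needs attention"
    fi
done
```

Run it as-is to see both verdicts, or point `check_nsswitch` at `/etc/nsswitch.conf` on a host after editing it. The check deliberately flags a missing `shadow:` line as well, since with LDAP-held accounts a shadow entry that is only looked up locally means those users cannot authenticate at all.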