Re: We need centralized accounts -- Any docs for ldap passwords?
On 31 May 1999, Rob Browning wrote:
> OK, so it sounds like we just need shadow/passwd/group support, and as
> far as I can tell we should be mostly good to go if we
>
> 1) firewall access to the ldap server from outside our subnet.
> 2) import etc/group and passwd via migrate_<foo>.pl
> 3) edit our nsswitch.conf as directed in /usr/doc/libnss-ldap/README
> 4) cross our fingers.
Well, it seems to work well for me (though so far only on a test machine).
>
> What I don't really know is how doing this interacts with the normal
> mechanisms. I would presume that we can just use LDAP for user
> accounts, and leave the system accounts in /etc/passwd, etc.
That's a logical thing to do. You might also want to set mail clients to use
this LDAP for mail address searching.
> I'm
> guessing from the nsswitch entry it'll just fall back to that if LDAP
> fails on a given lookup, but how does LDAP interact with adduser,
> userdel, addgroup, /usr/bin/passwd, etc. Does it update the right
> things, or do we have to do manual synchs?
libpam-ldap will allow password changes. The rest has to be done manually
(or through some customized software; I am considering Ganymede),
although there is a nice package, pam-mkhomedir, that will automatically
create home directories (and copy /etc/skel stuff) if they do not exist.
>
> If the latter, then it seems like it might be worth us considering not
> using LDAP at all, and just whipping up some ssh synch thingy for
> these bits...
You'll surely have to weigh the various pros and cons of both approaches. LDAP
will just allow more things to use it.
Sergey.
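The fallback behaviour discussed in this thread depends on the source order in nsswitch.conf: with "files" listed before "ldap", local system accounts (root included) still resolve when the LDAP server is firewalled off or down. The following check script is an added example and is not part of the original thread or of libnss-ldap; the file format it parses is the standard nsswitch.conf, and the sample content in the comments is constructed.

```sh
#!/bin/sh
# Verify that passwd, group and shadow lookups consult "files" before "ldap"
# in an nsswitch.conf, so that /etc/passwd accounts keep working if LDAP is
# unreachable. Constructed example lines that pass the check:
#   passwd: files ldap
#   group:  files ldap
#   shadow: files ldap
set -f   # no globbing: action tokens such as [NOTFOUND=return] are words, not patterns

# order_ok SOURCES: succeed if "files" is present and precedes "ldap".
order_ok() {
    seen_files=0
    for s in $1; do
        case "$s" in
            files) seen_files=1 ;;
            ldap)  [ "$seen_files" -eq 1 ] || return 1 ;;
        esac
    done
    [ "$seen_files" -eq 1 ]
}

# check_nsswitch FILE: return 0 if every account database is ordered safely,
# otherwise print the offending database to stderr and return 1.
check_nsswitch() {
    file="$1"
    for db in passwd group shadow; do
        # take the last uncommented "<db>:" line and keep only its source list
        srcs=$(sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" \
               | sed 's/#.*//' | tail -n 1)
        if ! order_ok "$srcs"; then
            echo "$db: expected 'files' before 'ldap', got '$srcs'" >&2
            return 1
        fi
    done
    return 0
}

# Usage: ./check_nsswitch.sh /etc/nsswitch.conf
if [ "$#" -gt 0 ]; then
    check_nsswitch "$1" && echo "nsswitch.conf ordering looks safe"
fi
```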