also sprach nate <debian-user@aphroland.org> [2002.10.09.1105 +0200]:
> be aware that openldap's "mirroring" is one-way master->slave not
> slave->master. All updates are required to be performed on the
> master. You can do the updates on the slave, but the commands are
> just passed transparently to the master (cleartext) to be processed
> on the master, then propagated back to the slave.
this sounds fine, as long as there is an easy way to promote a slave
to the master. i actually like this way of replication.
> I would recommend for best security to only authenticate off the
> slave servers, and do not set up referrers on the slaves. That
> way all of the data accessible by the servers is read only. Worst
> case is the slave perhaps can get corruption but that won't affect
> the master.
this is an interesting idea that i will keep in mind.
> > 2. Move user management to the LDAP tree. Ideally, I want /etc/passwd
> > to contain no user but root and the various other defaults that Debian
> > installs. All users for all systems should be placed in
> > a global LDAP tree, with each user's record specifying what systems
> > s/he may log in to.
>
> I've done this. In fact I've gone farther by putting all the default
> accounts in ldap too (even though they aren't really used through ldap).
i don't want that. i want all accounts that i add to be in LDAP and to
have /etc/passwd be managed by Debian. Note that this applies to
groups as well, naturally.
> only way I can think of to have separate users is to set the 'mail only'
> accounts to have a shell of /dev/null. Or perhaps something else
> like /usr/local/bin/bash, and only make /usr/local/bin/bash available on
> those systems which you want these users to log in to. the rest of the
> systems would have no such file.
this sounds like a very inflexible hack. i suppose i could somehow
tweak pam_ldap or an sql pam module to do this...
> postfix can handle it all, what you use for IMAP/POP3 is not important,
> postfix will translate the LDAP account into a local user account,
> the MDA need not know LDAP even exists.
... except that I actually would prefer to have mail-only users not
have local accounts. all they need, after all, is an IMAP hierarchy.
no need for a home directory. Then again, the home directory approach
will be simpler...
> > 4. Put major user configuration items (like .forward, spamassassin)
> > into the LDAP tree. I am sure postfix can handle this particular one
> > somehow, and one can probably hack solutions up for other proggies.
>
> This I have never tried, though possible, I don't really see any
> advantage to doing it over using a distributed filesystem like AFS
> which you mention you're planning on using?
Mainly because I want people who don't know what a shell is (about 85%
of the users) to have a simple web frontend for configuration. And
before I make modules for .forward and modules for .spamassassin, i'd
much rather just give them their LDAP subtree for complete access. it
scales better.
> > 5. Put major system configuration (postfix, bind9, apt, etc.) into the
> > LDAP tree.
>
> haven't tried this either myself. I thought about doing DNS in
> LDAP, I've read about it, but my DNS zone files are set up so nicely..
> so I haven't tried it.
note that this is step 5. so maybe in five years i'll get to it ;^>
> as for relational database, I am not certain what you mean, but
say i have the following table of users with the systems that they may
log in to:
1 peter { time, gnome, piper, wall }
2 hans { seamus, gnome, diamond }
3 anna { mother, diamond, wall }
and also a table of systems:
1 time
2 gnome
3 piper
4 wall
5 seamus
6 diamond
7 mother
in a relational database, the users' table would then look like this:
1 peter { 1, 2, 3, 4 }
2 hans { 5, 2, 6 }
3 anna { 7, 6, 4 }
which has the advantage that information is not duplicated; if
i rename 'gnome' to 'albatros', then i only need to edit one entry.
i am simply wondering if this can be done in ldap.
> if you're referring to host based authentication yes you can do this,
> I have not updated my LDAP howto on how to do it but it's easy:
>
> the LDAP entry needs to have an objectClass: account
>
> then create a 'host' entry. e.g.
>
> host: mail35.mydomain.com
>
> 1 host entry per host that user is allowed to log in to.
>
> then in /etc/pam_ldap.conf set this:
> pam_check_host_attr yes
cool. this precisely addresses the problem of restricting specific
users to specific hosts.
> > Or would PostgreSQL be a better albeit not as performant choice in the
> > first place?
>
> LDAP I think is the way to go for the majority of the stuff, much
> of the software and support is already out there.
yes, that's my impression.
> storing files in LDAP is possible (I've done it through netscape roaming)
> but it's by no means easy (IMO), I think you should start basic then
> look into the file storing stuff later.
i wasn't looking for file storage (yet), but it might happen some day.
--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck
3 kinds of people: those who can count & those who can't.
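The host-based restriction nate describes (one `host:` value per permitted system, checked by `pam_check_host_attr yes`) applied to martin's user/host table, as an added illustration that is not code from this thread or from pam_ldap itself; the LDIF entries are constructed, the `dc=example,dc=org` suffix and the `*` wildcard are assumptions.

```python
"""Model of pam_ldap's host attribute check over constructed LDIF entries."""

# Constructed LDIF mirroring the table in the message: objectClass account,
# one host: value per system the user may log in to; mailonly has none.
SAMPLE_LDIF = """\
dn: uid=peter,ou=people,dc=example,dc=org
objectClass: account
uid: peter
host: time
host: gnome
host: piper
host: wall

dn: uid=anna,ou=people,dc=example,dc=org
objectClass: account
uid: anna
host: mother
host: diamond
host: wall

dn: uid=mailonly,ou=people,dc=example,dc=org
objectClass: account
uid: mailonly
"""

def parse_ldif(text):
    """Return {uid: {attribute: [values]}} from a minimal LDIF dump
    (entries separated by blank lines; no folding or base64 values)."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries[current["uid"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries

def login_permitted(uid, hostname, ldif=SAMPLE_LDIF, check_host_attr=True):
    """With pam_check_host_attr on, a user whose entry carries no host
    value is refused everywhere; '*' is treated as an any-host wildcard
    (assumed here, not taken from the thread)."""
    entry = parse_ldif(ldif).get(uid)
    if entry is None:
        return False          # unknown account: never reaches the host check
    if not check_host_attr:
        return True           # attribute ignored: any LDAP user, any host
    hosts = entry.get("host", [])
    return "*" in hosts or hostname in hosts
```

Renaming a system then means editing the `host:` values, so the entry-per-host scheme does not give the single-edit property of martin's normalised table; the check itself still works per user and per host.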