JP Toto on Sat, 9 Nov 2002 10:43:07 -0500



Re: [PLUG] Centralized Directory


I'm working on getting rid of Active Directory at home and going to OpenLDAP (for my linux clients). So far I've got my gentoo server running slapd and I can connect to it with a graphical config client to add entries. I'm not completely done setting it all up and I'm only partially into the OpenLDAP docs (you're right Gabe, they are so-so) but so far I haven't had any luck getting RedHat 8 to authenticate against it. I'm not done putzing around and I want to get it working so I'll report my results back when I do, Chris. Meantime... if anyone finds any GOOD easy to READ docs for practical OpenLDAP setup/usage don't hesitate to post a link here :-)

Cheerios, - JP

Bradley Molnar wrote:
D'oh, don't tell me that openldap is that hard to configure, a bunch of us
are about to try to use it to replace a very broken NIS domain.

The problem we ran into with the NIS was, when the server died suddenly, the
whole set-up would refuse to boot.  Since someone lost the solaris disks...I
have had to replace solaris with another OS b/c we needed them to boot.

The only problem I can see with NIS is what we had happen -- since it (by
default I believe) mounts the user's home directory from the server on the
local machine, if something breaks on the server end, you have a bunch of
clients that have no users (some of the solaris boxes wouldn't fully boot --
and the root password left with a professor who left last year).

If someone knows how to do this easily (make user directories mount over the
network on logon), I would love to know how to set it up.

If not, in a couple of days, I will know how hard/easy it is to set up an
ldap using openldap (it probably helps that I was able to copy a friend's
config files).

For what it's worth, I was talking with the Redhat guys when they were at
Ursinus, and, they are planning on using openldap for future versions to do
the logon stuff for big networks.  They are going to be writing some of
their own software (graphical, of course) to make it nice and easy, as well
as migration tools.

Just a FYI

-b

-----Original Message-----
From: plug-admin@lists.phillylinux.org
[mailto:plug-admin@lists.phillylinux.org]On Behalf Of gabriel
rosenkoetter
Sent: Saturday, November 09, 2002 3:13 AM
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Centralized Directory


On Fri, Nov 08, 2002 at 11:40:16PM -0500, W. Chris Shank wrote:

I assume LDAP,


Why do you assume that? LDAP can do this, but it can do a lot more
too (more, plausibly, than you need it to do). And it's either very
expensive or free, but very difficult to configure. (Go 'head. Read
the OpenLDAP docs. Have fun!)


but what about NIS or NIS+? How are these
implemented in Linux.


By starting ypbind. It's almost definitely already installed.

There is no NIS+ server for Linux, and there hasn't been any
indication there ever will be one. But regular old NIS (YP, as it
was originally called) works just fine. You can make Linux be an
NIS+ client without too much trouble with an NIS+ master on Solaris.

Have a look around http://www.linux-nis.org/ for some documentation
and help setting things up.


I'm curious how you are setting up linux networks
(or linux in networks) where you'd want the accounts to  be managed
across several machines. Please share your experiences.


I use (er, *will* use; I've got a server configured without clients
now... turns out that it's not something that directly makes the
company money, so it's not a priority) an NIS+ server on Solaris 9
with Linux and Solaris clients authenticating against it.

Sort of. Because NIS+ will just go and ask Radius for authentication
information. Which is also what the WINS servers will ask for
authentication. And the Cisco boxes. And anything running Mac OS X's
NetInfo client, should we ever have anything that does. Perhaps
you see the point here. :^>

There exists a free Radius implementation (if not several; I'm not
so far as actually setting that up yet, even in isolation), though I
may well end up paying for a commercial one.

In the past, I've also used rsync over ssh (using a null-passphrased
key for root that was only allowed to execute rsync in receive mode)
to distribute the stuff you'd ordinarily keep in NIS or LDAP maps.
I gave a WIP report about that at LISA two years ago in New Orleans,
and there were some negative comments about security (justifiable
paranoia, but I assure you I can convince you that it's safe in the
environment I had it set up; it certainly wouldn't be in *every*
environment). I had plans to expand that and make it less of a
kludge, but I haven't come back to it yet because I haven't needed
it. You're welcome to the shell scripts and docs from that first
attempt if you'd like them. I'm certainly not the first to do
something like that, of course.

I did all that under Solaris (E450 as a master, bunch of Ultra
workstations as clients), but it's completely platform independent.
Well, not *completely*, since you have to have passwd, shadow, so
forth files that all the clients grok (note that BSD calls it
"master.passwd" not "shadow"), but it's nothing a few regexps can't
fix.

--
gabriel rosenkoetter
gr@eclipsed.net

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug



--
JP Toto
ViceClown@yahoo.com
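The "root key that may only run rsync in receive mode" setup Gabriel describes above is usually enforced with an sshd forced command. The wrapper below is an added example, not a script from the thread: it is assumed to be installed on each client host as /usr/local/sbin/rsync-only (hypothetical path) and referenced from root's authorized_keys as `command="/usr/local/sbin/rsync-only",restrict ssh-ed25519 ...`; it lets the pushed command through only if it is rsync in server (receive) mode writing under the assumed drop directory /var/local/maps, and rejects anything that would read files back, delete sources, traverse out of that directory, or smuggle shell metacharacters.

```sh
#!/bin/sh
# Forced-command wrapper: sshd puts the client's requested command in
# SSH_ORIGINAL_COMMAND; we only exec it if allow_rsync accepts it.
ALLOWED_DIR="/var/local/maps"   # assumed directory the master may write into

# allow_rsync CMD -> exit 0 if CMD is "rsync --server <opts> . <dest>"
# with <dest> equal to or below ALLOWED_DIR, else exit 1.
# Limitation: paths containing spaces are not supported (word splitting).
allow_rsync() {
  # any shell metacharacter means someone is trying to get past rsync
  printf '%s\n' "$1" | grep -q '[];&|$()<>*?[`]' && return 1
  set -- $1                                  # split the command into words
  [ $# -ge 4 ] && [ "$1" = rsync ] && [ "$2" = --server ] || return 1
  dest=""; prev=""
  for arg in "$@"; do
    case "$arg" in
      # --sender would let the pusher READ our files; the others delete or
      # pull extra file lists. Receive-only means none of these.
      --sender|--remove-source-files|--files-from*) return 1 ;;
    esac
    prev=$dest; dest=$arg
  done
  # server mode always ends "... . <destination>"; anything else is not a push
  [ "$prev" = . ] || return 1
  case "$dest" in
    "$ALLOWED_DIR"|"$ALLOWED_DIR"/*) ;;
    *) return 1 ;;
  esac
  case "/$dest/" in */../*) return 1 ;; esac  # no traversal out of ALLOWED_DIR
  return 0
}

# entry point when invoked by sshd
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  if allow_rsync "$SSH_ORIGINAL_COMMAND"; then
    exec $SSH_ORIGINAL_COMMAND
  fi
  echo "rsync-only: rejected: $SSH_ORIGINAL_COMMAND" >&2
  exit 1
fi
```

Rejected commands are logged to stderr, which sshd forwards to the connecting side, so a failed push shows up in the master's rsync output rather than silently doing nothing.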
