[sllug-members]: LDAP? NIS? Weird shell scripts?
Corey Edwards
tensai at zmonkey.org
Tue Jan 23 12:33:43 MST 2007
On Tue, 2007-01-23 at 10:50 -0700, Matthew Hatch wrote:
> In the past, this system has employed NIS to share passwords and
> home directories with a second server we have, and it has worked well
> for its purposes. This system also uses httpd, samba, and exim, all
> using their own password methods. Whenever a user changes a password,
> it needs to be changed about five times to make it valid across the system.
>
> I'd like to employ a different method of authentication, where all
> services can access a single database to authenticate from. From what I
> understand, LDAP is the best choice for this, though not the easiest to
> set up. NIS isn't capable of sharing passwords with samba and the like.
> I guess I could set up a shell script that would synchronize the
> passwords, but it wouldn't be instant whenever one is changed.
>
> My question to you is: Which methods do you employ, what are your
> favorites, and why? I'd love to delve into LDAP, but it does seem
> rather complicated (I'm reading up on it -- O'Reilly books are neat).
I love LDAP. I've built so many LDAP replicas over the last couple of
years. It's really getting a little ridiculous, but hey my data is
backed up like you wouldn't believe.
I have used LDAP for PAM, Apache and Exim all with great success. I have
not tied it into Samba although I hear it's possible. We (unfortunately)
have a 2k PDC so there's no need. We are toying with the thought of
linking Active Directory and OpenLDAP together somehow, but honestly
we've not put that much effort into it.
LDAP can be a bear to comprehend but once you do, it pretty much takes
care of itself. We use phpLdapAdmin (from the great Dave Smith) and I
strongly recommend it. I love the fact that with a simple config change,
a slave server can be upgraded to a master. I think the hardest part
about LDAP for me was divorcing myself from relational logic.
Hierarchical databases are a totally different ball of wax.
Check out both OpenLDAP and Redhat Directory (nee iPlanet). We use the
former but the latter has some cool stuff and is certainly a worthwhile
choice.
Corey
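What the "single database" actually holds, as an added example that is not code from the thread or from OpenLDAP itself: pam_ldap, Apache's LDAP auth module and Exim's ldapauth lookup all verify a password by attempting a simple bind as the user, and slapd compares the offered password against the entry's userPassword attribute. Below, a Python script builds and verifies that attribute in OpenLDAP's {SSHA} scheme (base64 of the 20-byte SHA-1 digest followed by the salt) and renders a posixAccount entry as LDIF. The user, base DN and ou=People layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = 20  # SHA-1 digest length; {SSHA} = base64(sha1(pw + salt) + salt)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    slapd stores the base64 of the SHA-1 digest followed by the salt, so
    the salt can be recovered again at verification time.
    """
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value the way slapd does
    on a simple bind: split digest and salt, recompute, compare."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # constant-time comparison so the verifier does not leak digest prefixes
    return hmac.compare_digest(candidate, digest)


def posix_account_ldif(uid: str, uid_number: int, gid_number: int, cn: str,
                       password: str, base_dn: str = "dc=example,dc=org") -> str:
    """Render an LDIF entry for one user that pam_ldap/nss_ldap can consume.
    The ou=People layout and the base DN are assumptions for this example."""
    lines = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: top",
        "objectClass: person",
        "objectClass: posixAccount",
        f"cn: {cn}",
        f"sn: {cn.split()[-1]}",
        f"uid: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


def extract_user_password(ldif: str) -> str:
    """Pull the userPassword attribute back out of an LDIF entry."""
    for line in ldif.splitlines():
        if line.startswith("userPassword: "):
            return line[len("userPassword: "):]
    raise KeyError("userPassword")


if __name__ == "__main__":
    # constructed sample user, not anyone from the thread
    entry = posix_account_ldif("jdoe", 1001, 100, "Jane Doe", "correct horse")
    print(entry)
    stored = extract_user_password(entry)
    print("right password:", ssha_verify("correct horse", stored))
    print("wrong password:", ssha_verify("wrong horse", stored))
```

Feed the printed LDIF to ldapadd and every consumer that binds through the directory (PAM, Apache, Exim) sees the same credential, which is the point of the consolidation. {SSHA} was the usual slapd scheme of the day; the directory will also accept unsalted {SHA} or cleartext values, which you should not use, and newer slapd builds offer stronger password schemes through loadable modules.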