On Tuesday 15 February 2005 16:19, James McCarthy wrote:
> i just want to synchronise posix & samba user accounts between 3
> servers. is there a more simple alternative, because this is only a
> small company & we don't need a large scale implementation.
It depends how rapidly the user accounts change and whether
it's always the sysadmin updating details or you need to let other
people have a measure of control over entries. I know somewhere that
operated adequately until usage really ramped up by simply replicating
flat passwd/shadow with cfengine [1] to all relevant servers - major
disadvantages being you have to either remember to push out the file,
or wait out the lag until cfengine next runs to propagate the changes,
and users need to change their passwords on the right server.
> Although I skimmed through an LDAP FAQ and an LDAP tutorial,
> I didn't meet a single concrete example of LDAP in action
Beware that LDAP is for general directory access: there's nothing that
says a directory has to be of user accounts for linux boxes! You'd be
best to check documentation oriented towards using ldap for
user account details on linux, see [2][3][4]
But LDAP ain't really all that intrinsically complicated, it's just
a [protocol for accessing a] hierarchical database - read an LDAP path
the other way to a filesystem path (i.e. the "root" is on the right),
and remember LDAP is not just (or outside the linux world, perhaps not
even primarily) for user account data.
Just as some people can make terrible messes in the unix filesystem
(filesystem == primitive database) hierarchy, so some people can make
horrendously and usually gratuitously complicated LDAP setups.
Personally, for me the major annoyance is not quite to do with
ldap itself: none of the major distros ship OpenLDAP 2.2 with syncrepl
yet, apparently because of Stupid Licensing Issues (OpenSSL license
might actually be GPL incompatible - reason OpenLDAP is in Debian is
because someone ported OpenLDAP 2 to GNUTLS instead of OpenSSL), so
setting up replicated OpenLDAP servers is much, much more painful than
it should be - which leads to embarrassing situations like entire linux
clusters stalling due to hardware failures of directory servers (hangs
head in shame).
NIS and Hesiod are options that I recommend you don't
bother with :-)
[1] http://www.cfengine.org/
- the sysadmin's little friend. Marmite-effect (love or hate) warning.
[2] http://www.padl.com/Contents/Documentation.html
- links to other references, the upstream source for the
pam/nss ldap stuff that integrates ldap lookup with linux.
[3] http://en.tldp.org/HOWTO/LDAP-HOWTO/
- basic stuff you need to know
[4] http://www.bayour.com/LDAPv3-HOWTO.html
- little bit heavy going and fragmented, but lots of relevant info
http://www.ofb.net/~jheiss/krbldap/howto.html
- useful even if you've never encountered NIS, describes
integrating LDAP and Kerberos.
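As an added example (not from the original mail) of the "root is on the right" point above, here is a small Python DN splitter that respects RFC 4514 backslash escapes and uses it to render a DN as a filesystem-style path, find an entry's parent, and check that an entry sits under an expected base; all DNs are constructed sample data.

```python
# Added example (not from the original mail): read an LDAP DN "the other way
# round" from a filesystem path. The DNs used here are constructed sample data.

def split_rdns(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas only.

    RFC 4514 lets a backslash escape the next character (backslash-comma)
    or a hex pair; either way the character after the backslash is never a
    separator, so escapes are kept intact and simply stepped over.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling escape at end of DN")
            cur.append(dn[i:i + 2])  # keep the escape sequence verbatim
            i += 2
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    rdns.append("".join(cur).strip())
    if any(r == "" or "=" not in r for r in rdns):
        raise ValueError("malformed RDN in DN: %r" % dn)
    return rdns

def dn_to_path(dn: str) -> str:
    """Render a DN as /root/.../leaf: the root (rightmost RDN) comes first."""
    return "/" + "/".join(reversed(split_rdns(dn)))

def parent_dn(dn: str) -> str:
    """The parent of an entry is its DN with the leftmost RDN dropped."""
    return ",".join(split_rdns(dn)[1:])

def is_under(dn: str, base: str) -> bool:
    """True if dn sits in the subtree rooted at base (suffix match on RDNs).

    Simplified: compares RDN text after whitespace trimming and case-folding;
    real servers apply per-attribute matching rules.
    """
    d = [r.lower() for r in split_rdns(dn)]
    b = [r.lower() for r in split_rdns(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```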