On Mon, May 24, 1999 at 02:19:25PM -0500, Rob Browning wrote:
> Sergey V Kovalyov <[EMAIL PROTECTED]> writes:
>
> > When you install libnss-ldap, there is a short howto in
> > /usr/doc/libnss-ldap
> > I also suggest downloading conversion tools from www.padl.com, which will
> > help populate the LDAP database
>
> OK. I'm back working on this, and I've gotten openldap
> etc. installed, and I've gotten the migration tools, read the HOWTO,
> and played with gq to see that I can actually see my database, and I'm
> about ready to try and cram my passwd/group stuff in there. However,
> from looking at the migration tools, it seems that they can translate
> a lot more than just passwd/group stuff like services, protocols,
> aliases, fstab, etc.
>
> So I'm a little curious now. I'd like to get a brief overview of the
> overall picture. Are people using ldap much for things like fstab?
> If so, how would that actually work, and how would it interact with
> other package upgrades? (I can see how accounts work via glibc2 and
> libpam-ldap/libnss-ldap.) Also, I'm wondering what, if any, the
> security concerns are relating to ldap access to passwd etc.
>
> Can someone give me a brief overview or point me at an appropriate
> doc? I haven't found one yet.
Documentation is a little lacking in this area. The main reason for putting things like fstab, etc., into ldap is for diskless clients and large network configurations (think centralizing). If you don't see an immediate need for it, chances are you won't benefit from it. Currently the most common uses of ldap for name services are shadow/passwd/group, mail aliases (exim can compile with ldap support, as well as sendmail), and hosts information.

As far as security is concerned, right now OpenLDAP does not support SSL (work is being done on that, so RSN), so your transactions over a network are in the clear. Access by default to password information is limited to the owner of the entry (i.e., I can see my encrypted password, but not yours or anyone else's) and the admin (set up on install of openldap). This is better than NIS in that you actually have to authenticate in order to gain access to the data (access is not based on privileged ports, which is a downfall of NIS). Access to normal account info (name, uid, home directory) is available anonymously by default, but with proper access rules in slapd.conf you can force authentication in order to obtain access (so that I can authenticate and be able to see your info, but outside access won't be able to). Hope this clears some things up.
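As an added illustration (not part of the original message, and not any package's shipped configuration), here is what the two access policies described above look like as slapd.conf `access` directives in OpenLDAP 2.x syntax. The suffix `dc=example,dc=com` and the admin DN `cn=admin,dc=example,dc=com` are assumed placeholders; substitute whatever the openldap install created for you.

```conf
# Added example, not the stock slapd.conf.  Assumed suffix and admin DN:
#   dc=example,dc=com  /  cn=admin,dc=example,dc=com
#
# slapd evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the password rule MUST come before
# the catch-all "access to *" rule below.

# Password data: the entry owner may change it, the admin may write it,
# anyone else may only *bind* with it ("auth"); nobody else can read it.
# shadowLastChange is included because pam_ldap updates it on passwd change.
access to attrs=userPassword,shadowLastChange
    by self write
    by dn="cn=admin,dc=example,dc=com" write
    by anonymous auth
    by * none

# Default-style policy for everything else (name, uid, home directory):
# readable anonymously, exactly like NIS but without the port-based trust.
#
# access to *
#     by dn="cn=admin,dc=example,dc=com" write
#     by * read

# Stricter policy: account info is readable only after a successful bind.
# "by users read" grants read to any authenticated DN; "by anonymous auth"
# is still needed so that unauthenticated clients can bind in the first
# place; "by * none" shuts out everything else.
#
# Deliberately NOT "by self write" here: letting a user rewrite their
# own uidNumber/gidNumber/homeDirectory would be a privilege escalation.
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by users read
    by anonymous auth
    by * none
```

One caveat if you switch to the stricter rule: getpwnam()/getgrnam() lookups from libnss-ldap on the clients happen anonymously by default, so they would stop resolving. You then need to give the clients a DN to bind as (the `binddn`/`bindpw` options in the nss_ldap/pam_ldap configuration, with that DN created in the directory and its password protected on the client). Since the message above notes that OpenLDAP transactions are in the clear at the time of writing, that bind password, and the users' own bind passwords, still travel over the wire unencrypted; the access rules control who can read the directory, not who can sniff the network.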