On 31 May 1999, Rob Browning wrote:

> OK, so it sounds like we just need shadow/passwd/group support, and as
> far as I can tell we should be mostly good to go if we
>
> 1) firewall access to the ldap server from outside our subnet.
> 2) import etc/group and passwd via migrate_<foo>.pl
> 3) edit our nsswitch.conf as directed in /usr/doc/libnss-ldap/README
> 4) cross our fingers.

Well, it seems to work well for me (though so far only on a test machine).

> What I don't really know is how doing this interacts with the normal
> mechanisms. I would presume that we can just use LDAP for user
> accounts, and leave the system accounts in /etc/passwd, etc.

That's a logical thing to do. You might also want to set mail clients to use this LDAP server for mail address searching.

> I'm
> guessing from the nsswitch entry it'll just fall back to that if LDAP
> fails on a given lookup, but how does LDAP interact with adduser,
> userdel, addgroup, /usr/bin/passwd, etc. Does it update the right
> things, or do we have to do manual synchs?

libpam-ldap will allow password change. The rest have to be done manually (or through some customized software; I am considering Ganymede). Although there is a nice package, pam-mkhomedir, that will automatically create homedirs (and copy /etc/skel stuff) if they do not exist.

> If the latter, then it seems like it might be worth us considering not
> using LDAP at all, and just whipping up some ssh synch thingy for
> these bits...

You'll sure have to weigh the various pros and cons of both approaches. LDAP will just allow more things to make use of it.

Sergey.
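As an added illustration of the nsswitch.conf step discussed above (example code, not part of the original thread or of the libnss-ldap package), the script below builds a constructed nsswitch.conf and checks that passwd, group and shadow list `files` before `ldap`. That order is what keeps root and the other system accounts left in /etc/passwd resolvable when the LDAP server is firewalled off or down; the sample file contents and the temporary path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: verify that the NSS
# databases moved to LDAP still consult local files first, so system
# accounts kept in /etc/passwd resolve even if the LDAP server is down.

NSS_SAMPLE="${TMPDIR:-/tmp}/nsswitch.conf.sample"

# Constructed sample nsswitch.conf; passwd/group/shadow follow the
# "files ldap" order, hosts is a typical non-LDAP line left as-is.
cat > "$NSS_SAMPLE" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
EOF

# nss_source_order DB FILE -> prints the source list for DB with
# comments stripped (e.g. " files ldap"); prints nothing if DB is absent.
nss_source_order() {
    sed -e 's/#.*//' "$2" | awk -v db="$1:" '$1 == db { $1 = ""; print; exit }'
}

# nss_files_before_ldap DB FILE -> exit 0 when "files" appears before
# "ldap" for DB, exit 1 otherwise (ldap missing or listed first).
nss_files_before_ldap() {
    order=$(nss_source_order "$1" "$2")
    set -- $order
    seen_files=0
    for src in "$@"; do
        case "$src" in
            files) seen_files=1 ;;
            ldap)  [ "$seen_files" -eq 1 ] && return 0; return 1 ;;
        esac
    done
    return 1
}

# nss_check_all FILE -> exit 0 when passwd, group and shadow all pass,
# otherwise report the offending database on stderr and exit 1.
nss_check_all() {
    for db in passwd group shadow; do
        nss_files_before_ldap "$db" "$1" || {
            echo "$db: 'ldap' must come after 'files' in $1" >&2
            return 1
        }
    done
    return 0
}

nss_check_all "$NSS_SAMPLE" && echo "nsswitch order OK: $NSS_SAMPLE"
```

Run it against the real /etc/nsswitch.conf by passing that path to `nss_check_all`; after the migrate scripts have imported the users, `getent passwd <user>` for one local and one LDAP-only account is the quick way to confirm both sources are being consulted.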