On Wed, Mar 28, 2007 at 05:36:19PM -0700, Adam Megacz wrote:
> 
> Davor Ocelic <[EMAIL PROTECTED]> writes:
> > all users and IDs would be synced between ldap/krb/openafs.
> 
> Well, there's no syncing between krb and openafs.  Kerberos stores
> passwords, openafs stores userids.  No overlap, so things can't get
> out of sync.

Sure. I was just emphasising the "whole package".

> Storing passwords in LDAP is generally agreed to be not such a great
> solution.  So the rest of this email is really all about numeric unix
> userids.

Yes, we do not store passwords in ldap. pam_krb5 is used for that,
and ldap does not talk to kerberos (or vice versa) in any way.

> > And since ldap and openafs names are exactly the same (user,
> > user.cgi, ..), the output from 'ls' is completely believable.
> 
> Yes, but the numeric userid for a given username might be different.
> This can cause problems, because "chown docelic foo" doesn't end up
> doing what you think it does.

Well, it does, as long as, as said, the databases are in sync.

> Just to reiterate, we're talking about numeric userids here.  I'm all
> for keeping everything else in LDAP (*), like for example which
> machines you're authorized to log in to, etc.

How does this work with unix groups? If we need to pull user IDs
out of afs, but keep Unix group membership information in ldap
anyway, then ... 



_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
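The thread's concern is numeric userids drifting apart between LDAP and the AFS protection database, which is what makes "chown docelic foo" act on the wrong account. The following check, added here as an example and not code from the list or from HCoop, parses the two ID sources and reports every user whose numbers disagree or who exists on one side only; the `pts listentries` column layout and both sample outputs are constructed assumptions.

```python
import re
# Constructed sample of `pts listentries -users` output (not from a real
# cell); the column layout assumed here is: Name, ID, Owner, Creator.
PTS_SAMPLE = """\
Name                          ID  Owner Creator
docelic                     1001   -204    -204
megacz                      1002   -204    -204
user.cgi                    1005   -204    -204
"""
# Constructed LDIF, as `ldapsearch -LLL uid uidNumber` would print it.
LDIF_SAMPLE = """\
dn: uid=docelic,ou=People,dc=example,dc=org
uid: docelic
uidNumber: 1001

dn: uid=megacz,ou=People,dc=example,dc=org
uid: megacz
uidNumber: 1003

dn: uid=orphan,ou=People,dc=example,dc=org
uid: orphan
uidNumber: 1010
"""

def parse_pts(text):
    """Map AFS user name -> numeric pts ID, skipping the header line."""
    ids = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(r"-?\d+", fields[1]):
            ids[fields[0]] = int(fields[1])
    return ids

def parse_ldif(text):
    """Map LDAP uid -> uidNumber from LDIF entries separated by blank lines."""
    ids = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "uid" in attrs and "uidNumber" in attrs:
            ids[attrs["uid"]] = int(attrs["uidNumber"])
    return ids

def find_mismatches(ldap_ids, afs_ids):
    """{user: (ldap_uid, afs_id)} where IDs differ; a side without the user is None."""
    report = {}
    for user in sorted(set(ldap_ids) | set(afs_ids)):
        pair = (ldap_ids.get(user), afs_ids.get(user))
        if pair[0] != pair[1]:  # covers mismatch and one-sided entries alike
            report[user] = pair
    return report
```

To run it against a real cell, replace the two samples with the captured text of the commands named in the comments; any user the report lists is one for whom ownership and `ls` output cannot be trusted until the databases are reconciled.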