This has been a great discussion about Unix/AD integration, esp the part where the unix and AD admins need to coordinate well. I've got a related, but different issue.
We have distributed engineering sites, and each site has its own NIS domain, so that if/when the WAN links go down, they can continue to work. I spent a bunch of time cleaning up the various UIDs, usernames, GIDs, groupnames, etc. to bring them more closely in sync. But now I'd like to really bind them all into one LDAP domain, possibly with NIS slaves at each site.

We support RHEL3, RHEL4, some RHEL5, Solaris 8, 9 & 10 (very little any more) and some ancient RH7.3 boxes. Most boxes are compute cluster boxes and they only allow login access via LSF (moving to rtda.com's NC) to our users.

I'd like to have it so that all usernames/passwords are synced between sites, and that I can create new user accounts from one master and have it go to all the others.

Yes, I could do some hackery and copy data from the master NIS domain to the sub-domains, but it just sucks to manage. And when a user changes their password in a remote NIS domain, I then need to push that change back to the master. Blech.

So to me, it looks like LDAP, with multiple slaves and possibly even NIS slaves binding to LDAP, is the way to go. Esp if I can be tolerant of WAN failures. I just don't want to have to support LDAP on Solaris 8 if I can avoid it, though I guess it could be ok. Esp if we can easily tweak and restrict access in various ways.

Should I look at the Padl.com stuff again? I looked at it a while ago, but they wanted a lot of money at the time. Maybe it's changed... goes and looks. Hmm... looks like I can/should use either the nss_ldap or the pam_ldap modules.

Anyone have comments on using these on Solaris 8-10 systems? Any issues?

Thanks,
John

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
