[TriLUG] LDAP intro/tutorial?

Brent Verner brent at rcfile.org
Fri Dec 14 17:18:19 EST 2001


[2001-12-14 16:27] H. Wade Minter said:
| A friend of mine is looking to set up LDAP for system authentication on
| his Red Hat boxes.  He's looking to me for guidance.  I've done some
| scripting, etc. with LDAP installations that have already been set up, but
| I haven't set up an instance on my own.
| 
| If anyone can show me any pointers toward setting up the schemas,
| slapd.conf file, etc., I'd appreciate it.

The best starting points are:
  http://www.padl.com/projects.html
  http://openldap.org/

IMO, this would make a /great/ meeting topic.  The best starting point
is to realize that there are many sides to the "authentication 
management" problem:
  1) Authenticating a username/pass - [pam-ldap,nss-ldap]
  2) User credential (uid, group membership, &c) management
     from client boxen - [nss-ldap]
  3) Adding users/groups to the directory - [???]
     Ideally, you'd want adduser(8) and addgroup(8), and the
     associated standard management tools to be directory aware,
     but AFAIK, there is no facility for seamless directory
     integration.  A great project for someone with time would
     be to define/implement an API that could be used to make 
     "local" user management directory aware, and implement
     a set of the standard management tools using the API -- if
     this already exists, please let me know where I can learn
     about it.

FWIW, I'd set up my home network with OpenLDAP auth, but found it to
be more trouble than it was worth.  

Without an nscd-like facility (Name Service Caching Daemon) on the
client, using nss-ldap makes using the client system /very/ slow,
since all user credential (getpwent,getgrent) calls must go
through the ldap server.

Also, the pam-ldap and nss-ldap modules are not highly portable,
so many *nix platforms cannot use directory authentication.  This
is the reason I finally gave up -- my *bsd boxen could not play 
along on the centralized-auth network...

good luck.
  b
-- 
"Develop your talent, man, and leave the world something. Records are 
really gifts from people. To think that an artist would love you enough
to share his music with anyone is a beautiful thing."  -- Duane Allman
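The "directory-aware adduser" the third item above wishes for, as an added example that is not part of the original post nor of the PADL or OpenLDAP tooling it mentions. It reads an ldapsearch(1) dump of the existing posixAccount entries, picks the next free uidNumber, validates the login name so a caller cannot smuggle extra LDIF attributes into the entry, and emits LDIF for ldapadd(1). Assumed here (none of it stated in the post): base DN dc=example,dc=com, users under ou=People, a uidNumber floor of 1000, the account/posixAccount/shadowAccount classes from OpenLDAP's cosine and nis schemas loaded in slapd.conf, and the sample ldapsearch output, which is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal "directory-aware
# adduser". Assumptions (not from the post): base DN dc=example,dc=com,
# users under ou=People, uidNumber floor 1000, cosine + nis schemas loaded.

BASE_DN="dc=example,dc=com"
PEOPLE_DN="ou=People,$BASE_DN"
UID_FLOOR=1000

# valid_login: accept only a conservative POSIX login name. Besides being what
# nss-ldap and the shell expect, this rejects newlines, colons and leading
# spaces, any of which would let a caller inject extra attributes into the
# LDIF below (for example a second uidNumber: 0 line).
valid_login() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or a char outside [a-z0-9_-]
        [a-z_]*)          return 0 ;;   # must start with a letter or underscore
        *)                return 1 ;;
    esac
}

# next_uid: read an LDIF-style dump on stdin (e.g. ldapsearch -LLL output),
# print the highest uidNumber seen plus one, never going below UID_FLOOR.
next_uid() {
    awk -v floor="$UID_FLOOR" '
        /^uidNumber:/ { if ($2 + 0 > max) max = $2 + 0 }
        END           { if (max + 1 > floor) print max + 1; else print floor }
    '
}

# make_ldif login uidNumber gidNumber gecos password-hash
# The hash is produced beforehand with slappasswd(8); the cleartext password
# never passes through this script's arguments or the process list.
make_ldif() {
    login=$1 uidn=$2 gidn=$3 gecos=$4 hash=$5
    valid_login "$login" || { echo "make_ldif: bad login name" >&2; return 1; }
    case $gecos in
        *[![:print:]]*|' '*|':'*|'<'*)   # non-printable, or LDIF-special lead
            echo "make_ldif: bad gecos" >&2; return 1 ;;
    esac
    cat <<EOF
dn: uid=$login,$PEOPLE_DN
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: $login
cn: $gecos
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$login
loginShell: /bin/bash
userPassword: $hash
EOF
}

# Constructed sample (made up for this example) of what
#   ldapsearch -x -LLL -b "$PEOPLE_DN" '(objectClass=posixAccount)' uidNumber
# returns on a directory that already holds two users.
SAMPLE_DUMP='dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 1002
'

# Demo run against the constructed sample. Against a live directory, pipe
# the ldapsearch above into next_uid, and pipe make_ldif into
#   ldapadd -x -ZZ -D "cn=Manager,$BASE_DN" -W
# so the bind and the password hash travel over StartTLS.
NEW_UID=$(printf '%s' "$SAMPLE_DUMP" | next_uid)
make_ldif carol "$NEW_UID" 100 "Carol Example" '{SSHA}constructed-placeholder-hash'
```

Two caveats a practitioner should keep in mind: the read-then-add in next_uid is not atomic, so two admins running it at the same moment can both be handed the same uidNumber (a uniqueness overlay or a single serialized admin host fixes that); and the script only helps if slapd.conf's access directives restrict writes to the manager DN, since otherwise anyone who can bind could add a uid=0 posixAccount directly with ldapadd and skip this validation entirely.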
