[TriLUG] LDAP intro/tutorial?
Brent Verner
brent at rcfile.org
Fri Dec 14 17:18:19 EST 2001
[2001-12-14 16:27] H. Wade Minter said:
| A friend of mine is looking to set up LDAP for system authentication on
| his Red Hat boxes. He's looking to me for guidance. I've done some
| scripting, etc. with LDAP installations that have already been set up, but
| I haven't set up an instance on my own.
|
| If anyone can show me any pointers toward setting up the schemas,
| slapd.conf file, etc., I'd appreciate it.
The best starting points are:
http://www.padl.com/projects.html
http://openldap.org/
IMO, this would make a /great/ meeting topic. The best starting point
is to realize that there are many sides to the "authentication
management" problem:
1) Authenticating a username/pass - [pam-ldap,nss-ldap]
2) User credential (uid, group membership, &c) management
from client boxen - [nss-ldap]
3) Adding users/groups to the directory - [???]
Ideally, you'd want adduser(8) and addgroup(8), and the
associated standard management tools to be directory aware,
but AFAIK, there is no facility for seamless directory
integration. A great project for someone with time would
be to define/implement an API that could be used to make
"local" user management directory aware, and implement
a set of the standard management tools using the API -- if
this already exists, please let me know where I can learn
about it.
FWIW, I'd set up my home network with OpenLDAP auth, but found it to
be more trouble than it was worth.
Without an nscd-like facility (Name Service Caching Daemon) on the
client, using nss-ldap makes using the client system /very/ slow,
since all user credential (getpwent, getgrent) calls must go
through the ldap server.
Also, the pam-ldap and nss-ldap modules are not highly portable,
so many *nix platforms cannot use directory authentication. This
is the reason I finally gave up -- my *bsd boxen could not play
along on the centralized-auth network...
good luck.
b
--
"Develop your talent, man, and leave the world something. Records are
really gifts from people. To think that an artist would love you enough
to share his music with anyone is a beautiful thing." -- Duane Allman
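Added example, not part of Brent's post and not code from the PADL or OpenLDAP projects: a minimal set of Red Hat 7.x-era configuration fragments that wire together the three pieces named in the post (pam-ldap, nss-ldap, and nscd in front of them), plus the LDIF that does the "adding users/groups to the directory" step by hand with ldapadd. The suffix dc=example,dc=com, the host ldap.example.com, the certificate paths, and the user jdoe with uid/gid 10001 are all assumed placeholders. The security-relevant parts are the ACL that keeps userPassword hashes unreadable by anyone but the owner, and the TLS settings so pam_ldap never sends a cleartext bind password over the wire.

```conf
## /etc/openldap/slapd.conf  (server; OpenLDAP 2.0-era syntax, paths assumed)
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# nis.schema defines posixAccount, posixGroup and shadowAccount
include         /etc/openldap/schema/nis.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args

# TLS, so clients can bind and read without passwords crossing the wire in clear
TLSCertificateFile      /etc/openldap/ldap.crt
TLSCertificateKeyFile   /etc/openldap/ldap.key
TLSCACertificateFile    /etc/openldap/ca.crt

database        ldbm
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw: paste the {SSHA} hash printed by slappasswd, never a cleartext password
rootpw          {SSHA}REPLACE-WITH-slappasswd-OUTPUT
directory       /var/lib/ldap
# index the attributes nss_ldap looks up, or every getpwnam() is a full scan
index           objectClass                         eq
index           uid,uidNumber,gidNumber,memberUid   eq

# Hashes: owner may change, anyone may bind against, nobody may read.
# Without this ACL any client can dump every hash with ldapsearch.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

## /etc/ldap.conf  (clients; one file shared by pam_ldap and nss_ldap)
host            ldap.example.com
base            dc=example,dc=com
ldap_version    3
# STARTTLS on port 389, and refuse a server whose cert our CA did not sign
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/ca.crt
# where nss_ldap searches; "?one" = one level, cheaper than a subtree search
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group  ou=Group,dc=example,dc=com?one
# let the server hash new passwords itself (password modify extended op)
pam_password    exop

## /etc/nsswitch.conf  (clients; "files" first so root still resolves with LDAP down)
passwd:     files ldap
shadow:     files ldap
group:      files ldap

## /etc/pam.d/system-auth  (Red Hat 7.x; only the LDAP lines are shown, each
## placed directly after the matching pam_unix.so line so local root keeps working)
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so
password    sufficient    /lib/security/pam_ldap.so use_authtok
session     optional      /lib/security/pam_ldap.so

## /etc/nscd.conf  (clients; the cache the post says is missing)
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
enable-cache            group           yes
positive-time-to-live   group           600
negative-time-to-live   group           60
# then: chkconfig nscd on ; service nscd start

## base.ldif  (ldapadd -x -D cn=Manager,dc=example,dc=com -W -f base.ldif)
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=example,dc=com
objectClass: organizationalUnit
ou: Group

## user.ldif  (one posixGroup plus one posixAccount; jdoe and 10001 are made up)
dn: cn=jdoe,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: jdoe
gidNumber: 10001

dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: J. Doe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {SSHA}REPLACE-WITH-slappasswd-OUTPUT
```

Order matters: start slapd, load base.ldif then user.ldif, and only then switch a client over (ldap.conf, nsswitch.conf, system-auth, nscd), keeping a root shell open and pam_unix in place so a typo in pam_ldap cannot lock you out. Two checks are worth running before calling it done: `getent passwd jdoe` and `id jdoe` on a client should resolve (and feel instant once nscd is up), and an anonymous `ldapsearch -x -b dc=example,dc=com uid=jdoe` must come back without a userPassword attribute; if the hash shows up, the ACL above is not in effect.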