
managing /etc/passwd and /etc/group with LDAP?



I am going to use Netscape Directory server and/or OpenLDAP in the near
future, first and foremost as a basis for Netscape Calendar server (ugh), but
I also want a good directory service, which I can set up so management of
information can be delegated to someone else (possibly even to the extent
of allowing the users to change some of their own personal information.)

Now, this morning, an idea came to me:
On IRIX I have /etc/passwd, /etc/group and /etc/shadow.
What I would like to do is to manage users and groups from WWW through the
use of LDAP (naturally with several types of security); so that when the
directory entry of a user is changed, the /etc/passwd file is updated with
the new information. Likewise for /etc/group. Also, when the user changes
his password for the calendar server, the shadow file should be updated.
(And if possible, vice versa.)

This would require adding unixUID and unixGID attributes to the schema, of
course. I would keep a super.passwd file that would contain sensitive users
such as root, and filter any entries with too low UIDs.

But is this really just a silly idea? My intent is to keep the /etc/passwd
and especially /etc/group (and /etc/aliases) synchronized with the LDAP
information, and concentrate user management in one place, where it could
ultimately be handed over to a competent secretary, and relieve me of this
burden, so I can focus on more important things.

Is there a better way of achieving something like this? Kerberos perhaps?


-Lasse
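
An added sketch (not part of the original post) of the merge step the message describes: protected accounts from super.passwd are copied verbatim, and directory entries are admitted only if they pass a UID cut-off, a collision check and a field-injection check. The cut-off of 1000, the primary-group-0 check, the attribute names other than unixUID and unixGID, and the sample data are assumptions; entries are plain dicts rather than results from a real LDAP query.

```python
import re

MIN_UID = 1000  # assumed cut-off; the post only says "too low UIDs"
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
UNSAFE = re.compile(r"[:\x00-\x1f\x7f]")  # passwd field separator, control chars

def build_passwd(super_lines, entries, min_uid=MIN_UID):
    """Return (passwd_lines, rejected); rejected holds (login, reason) pairs."""
    out, rejected = [], []
    names, uids = set(), set()
    for line in super_lines:  # protected accounts are copied verbatim
        fields = line.split(":")
        names.add(fields[0])
        uids.add(int(fields[2]))
        out.append(line)
    for e in entries:
        login, reason = str(e.get("uid", "")), None
        try:
            uid, gid = int(e["unixUID"]), int(e["unixGID"])
        except (KeyError, TypeError, ValueError):
            reason = "missing or non-numeric unixUID/unixGID"
        else:
            text = [str(e.get(k, "")) for k in ("cn", "homeDirectory", "loginShell")]
            if not NAME_RE.fullmatch(login):  # fullmatch: no trailing newline
                reason = "invalid login name"
            elif uid < min_uid or gid == 0:
                reason = "UID below cut-off or primary group 0"
            elif login in names or uid in uids:
                reason = "collides with existing account"
            elif any(UNSAFE.search(t) for t in text):
                reason = "separator or control character in field"
        if reason:
            rejected.append((login, reason))
            continue
        names.add(login)
        uids.add(uid)
        out.append(":".join([login, "x", str(uid), str(gid)] + text))
    return out, rejected

# Constructed sample data (not from the post).
SUPER = ["root:x:0:0:Super-User:/:/bin/sh", "lp:x:9:9:Print Spooler:/var/spool/lp:/bin/sh"]
DIRECTORY = [
    {"uid": "alice", "unixUID": "1001", "unixGID": "100", "cn": "Alice Example",
     "homeDirectory": "/home/alice", "loginShell": "/bin/sh"},
    {"uid": "mallory", "unixUID": "0", "unixGID": "100"},
    {"uid": "root", "unixUID": "2000", "unixGID": "100"},
    {"uid": "bob", "unixUID": "1002", "unixGID": "100", "cn": "Bob\nroot2:x:0:0::/:/bin/sh"},
]
if __name__ == "__main__":
    print(build_passwd(SUPER, DIRECTORY))
```

The generated lines carry `x` in the password field, so password hashes stay in the shadow file and never pass through this merge.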