
Re: switching to LDAP



On 14 Apr, Louis-David Mitterrand wrote:
> After studying the OpenLDAP docs for a while and doing some testing,
> I have a few general questions and am looking for guidance and wisdom.
> 
> Can LDAP completely replace /etc/passwd for all purposes?

Pretty much yes. You need to at least have a valid root account in
/etc/passwd for the boot up process.
 
> Can, for instance, Samba authorize users against an LDAP database?

Yes. I'm using it here.
 
> I have been running, as a test, the "migrate_all_online.sh" tool from
> www.padl.com. It seems to imply that one could rely solely on LDAP as a
> global registry of users, services and protocols instead of flat text
> files in the traditional unix way.
> 
> How far are we in that migration towards LDAP? Is it widely accepted as
> a Good Thing (tm) ?

It's up to each organization. The main advantage as I see it is the
ability to attach additional information to users, groups, etc.
allowing you to keep all sorts of information together.
 
> I am asking these basic questions because we have a growing enterprise
> network, based on several Linux (firewall, Samba, web, mail, etc)
> servers and I would like to use an elegant and modern system of
> replicating user info across these servers. Is LDAP the answer? How
> does it compare to NIS?

I do it here with NSS, PAM, samba & apache and am involved in the
development of the first three.

Usually, you don't replicate the ldap information to each server
(although at least one slave server is useful). The information is
queried from a central server.

Like NIS, it's probably also a good idea to run nscd.

-- 
Doug Nazar
Dragon Computer Consultants Inc.
Tel: (416) 708-1578     Fax: (416) 708-8081
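
Added example, not part of the original message or of any project named in it: a small check that a host resolving accounts through NSS and LDAP still has the local root entry the reply says the boot process needs, and that local files are consulted before the directory. The sample file contents, the function names and the "files before ldap" ordering policy are assumptions of this example.

```python
import re

# Constructed sample files; "files before ldap" is this example's policy.
SAMPLE_NSSWITCH = """\
passwd: files ldap
group:  files [NOTFOUND=continue] ldap
shadow: ldap files
hosts:  files dns
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""


def nss_sources(nsswitch_text):
    """Map each NSS database to its ordered source list, ignoring [actions]."""
    result = {}
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        result[db.strip()] = re.sub(r"\[[^\]]*\]", " ", rest).split()
    return result


def local_root_ok(passwd_text):
    """True if the local passwd text has a 'root' entry with UID 0."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[0] == "root" and fields[2] == "0":
            return True
    return False


def audit(nsswitch_text, passwd_text, databases=("passwd", "group", "shadow")):
    """Return findings; an empty list means every check passed."""
    findings = []
    for db, order in nss_sources(nsswitch_text).items():
        if db not in databases:
            continue
        if "files" not in order:
            findings.append(f"{db}: local files are not consulted")
        elif "ldap" in order and order.index("ldap") < order.index("files"):
            findings.append(f"{db}: ldap is consulted before local files")
    if not local_root_ok(passwd_text):
        findings.append("passwd: no local root entry with UID 0")
    return findings
```

To audit a real host, pass the contents of /etc/nsswitch.conf and /etc/passwd to audit(). A host that uses the "compat" source instead of "files" will be reported as not consulting local files.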