
Re: I am new to OpenLDAP



Hello,

	I hope that you are well ...

On Thu, 2003-05-01 at 09:46, cody wang wrote:
> Hi,
> I am just starting to integrate OpenLDAP and have limited knowledge about
> OpenLDAP. Our institution wants to reduce a few logins and passwords to one
> login and password for users by using LDAP technology. I guess that is
> called an authentication server. My questions are,
> 

	I hope that you have read the documentation on the OpenLDAP site
completely.

> 1. Does anyone use OpenLDAP to authenticate several servers already? What
> does it look like? Do you need any application on each side of the server,
> like some web servers have iPlanet, and Netscape Directory can integrate
> with LDAP? If I just need to verify login and password through a Unix
> box, I don't need any application, right?
> 

	Well, we authenticate about 2-3 servers from an OpenLDAP system at
reznet.uleth.ca and about 120+ workstations (in production in the fall)
using iPlanet Directory Server bundled with Solaris 9 in the cs.uleth.ca
domain.

	When you say application, do you mean what client-side software you
would need? Well, if your OS doesn't supply PAM-LDAP modules then you can
get the open source PAM-LDAP modules from padl.com; if your server does
support nsswitch, check if it supports LDAP, and if not, padl.com has a
module for nsswitch. You would have to get these and install them on the
client for authentication to an LDAP server. If you are using iPlanet
DS with Solaris 8/9 there is LDAP support built in - mostly for iPlanet
- and their client software is bad/evolving, whereas the open source one
is far superior. But you would want to use iPlanet DS if you are running
iPlanet software as they would play nicely together, for schemas and
that sort of good stuff. iPlanet is bulky and its memory requirements are
about 1 gig minimum for a decent run. Plus the Java tools are really
painful if you have an Ultra 5 with about 128 Megs of memory doing
things.

	We are testing that iPlanet in a test environment with 256 Megs of RAM
and it's suffering, though the central IT services have it on a more
resilient system, I would think. The client on Solaris won't authenticate
to itself, aka if server and client are on the same box. OpenLDAP and the
open source PAM modules have no such problem from what I understand. I
think with 256-512 MB RAM an OpenLDAP server would fly, depending on how
many people are using/pounding it.

> 2. I have finished the LDAP installation by following the documentation.
> However, I think I have to construct our own LDIF. I collected a few
> example LDIFs, but I think the most important thing is that I need to
> understand it. Do you have any easy way to explain LDIF instead of the
> doc on the OpenLDAP web site?

	The doc really does a good job, but there are some manuals at Sun's doc
site doc.sun.com that may be useful.

> 
> 3. I also read about several ways to configure authentication servers,
> such as PAM, Kerberos, Samba etc. What is the easiest and safest way to use?
> 

	First get the LDAP system running and working the way you want; this
will give you a thorough understanding of LDAP, then using Samba and
similar software will be a piece of cake. If you have Windows clients
you may want to look into the pGINA software; just check google.ca with a
search for this keyword and you should have great integration with LDAP
software with "native" PAM-like authentication from Wincrap 2000/XP
boxes.

	HTH and Cheers,

	Aly.

-- 
Aly S.P Dharshi
aly.dharshi@uleth.ca
Student and System Administrator ORS Servers

	"A good speech is like a good dress
	 that's short enough to be interesting
	 and long enough to cover the subject"
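
Since the second question in this thread is about understanding LDIF, here is an added worked example (it is not part of the mailing-list post and is not OpenLDAP project code): a small Python reader/writer for the LDIF record format, run over a constructed posixAccount entry of the kind you would feed to ldapadd. It shows the three things that trip people up in LDIF: the `dn:` line opens a record and a blank line closes it, a line beginning with a single space continues the previous line, and `::` marks a base64 value for anything that is not a plain ASCII "safe string". The DN, attribute values and the `userPassword` placeholder are all constructed; the required-attribute list is the posixAccount MUST set from RFC 2307.

```python
import base64

# Constructed sample entry (not from the post): a posixAccount as loaded with ldapadd.
# The base64 (::) description is folded across two lines to show LDIF continuation.
# userPassword is a placeholder; a real value comes from slappasswd.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: top
objectClass: person
objectClass: posixAccount
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
description:: VGVzdCBhY2NvdW50IGZvciB0
 aGUgTERBUCBwaWxvdA==
userPassword: {SSHA}PLACEHOLDER-generate-with-slappasswd
"""

# Attributes RFC 2307 marks MUST for posixAccount; slapd rejects an add without them.
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, attrs); attrs maps name -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of the previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records, current = [], None
    for line in unfolded + [""]:                   # trailing "" flushes the last record
        if line == "":
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                   # "name:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            current = (value, {})
        elif current is None:
            raise ValueError("attribute line before dn: %r" % line)
        else:
            current[1].setdefault(name, []).append(value)
    return records


def needs_base64(value):
    """RFC 2849: a value may be written in clear only if it is a SAFE-STRING."""
    if not value:
        return False
    if value[0] in " :<" or value.endswith(" "):
        return True
    return any(ord(ch) > 127 or ch in "\r\n\0" for ch in value)


def format_ldif(dn, attrs):
    """Serialize one entry to LDIF, base64-encoding values (and the DN) when needed."""
    pairs = [("dn", dn)] + [(n, v) for n, values in attrs.items() for v in values]
    lines = []
    for name, value in pairs:
        if needs_base64(value):
            encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
            lines.append("%s:: %s" % (name, encoded))
        else:
            lines.append("%s: %s" % (name, value))
    return "\n".join(lines) + "\n"


def missing_posix_attrs(attrs):
    """Return the posixAccount MUST attributes that are absent from an entry."""
    return [name for name in POSIX_ACCOUNT_MUST if name not in attrs]


if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print("dn:", dn)
        print("missing posixAccount attributes:", missing_posix_attrs(attrs) or "none")
        print(format_ldif(dn, attrs))
```

Running the script prints the parsed DN, reports that no required posixAccount attribute is missing, and re-emits the entry; the folded base64 description comes back as a single clear-text line because, once decoded, it is a safe string. Feeding `format_ldif` a DN or value containing a non-ASCII character or a leading space shows the reverse direction: those are written with `::` so that `ldapadd` reads them back unchanged.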