Re: openLDAP architecture - centralized repository and authentication
On Monday, 19 April 2010 14:10:17 Marot Laurent wrote:
> Hi all,
>
> I'm far from being an advanced openLDAP and, more generally, Linux user but I'd
> love to be if I could find some architecture guidance for the following
> use case. (I've only been playing from time to time with openLDAP on
> Windows boxes - shame on me :))
>
> I'm currently using 30 Linux servers in my business unit. Almost 10
> different sysadmins have to administer those servers. I'd like to have a
> centralized directory gathering all those 30 x 10 accounts so that I
> could have one single place to manage my identities. All my servers could
> then authenticate against this directory.
>
> Could openLDAP and some additional tools provide me the right architecture to
> reach this goal? Any pointer on this issue will please me (Google only
> led me to basic information about configuring openLDAP on standalone
> Linux boxes)

Yes. Without something like OpenLDAP/nss_ldap/pam_ldap (or pam_krb5), you will
not be able to implement password policy requirements (or, even ensure that
old accounts are removed), without significant administrative overhead.

This is a common requirement, solved by many organisations, using (relatively)
mature tools. You should be able to find sufficient reference material without
looking too hard.

(Hint: what in any of the information about configuring standalone servers
relied upon the server and client being on the same host?)

Regards,
Buchan