
Re: best practice and account management (passwd)



Stefano,

There are settings that can be set in PAM's ldap.conf (under /etc) to help abrogate the timeout difficulties.  Some aren't documented officially, and so may disappear without notice - but they do help.
Google: nss-reconnect_tries.

I wouldn't put root into ldap - if your ldap server is unavailable, logging in could be /very/ difficult.  Not to mention if a node connects without encryption and the root account is used.  One doesn't have to 'own' a box, merely get to the network to listen in on that.

And for Debian-based distros, I think it would be a good idea to have a local account you can use to sudo to root.

I would also add local to your pam conf - listed after ldap, of course (unless the timeouts are difficult while you're troubleshooting/experimenting).

I would recommend groups and users being put into only ldap, and leaving necessary local accounts and groups for the box to do its job (be it httpd, mysql, etc, users) left alone.

As for putting home directories into ldap - I don't think that's possible.  I've never seen that in linux personally, but I suspect that would be outside ldap's purview.  However, as the user account would be ldap based, it would contain home folder location.

This isn't intended as a complete or authoritative reply - just what I've gleaned - and I've been wrong before (on this list even).

Good luck!
- chris

PS: my apologies for top-posting - it's kinda what BBs do.

Chris Jacobs, Systems Administrator
Apollo Group  |  Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu

----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org <openldap-technical-bounces@OpenLDAP.org>
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Wed Oct 06 07:23:11 2010
Subject: best practice and account management (passwd)

Hi everybody!

I'm an OpenLDAP absolute beginner so..

I started my training with user management, and was wondering if it was a good
practice to move the whole /etc/passwd to ldap and let nsswitch just to
'ldap' the passwd,group,shadow items

passwd: ldap
group:  ldap
shadow: ldap

I tried and I faced some obvious issues like client's boot errors etc. It
worked but at the cost of a looong timeout..

- Is there any point in moving the whole /etc/passwd and groups, or is maybe
better to move the root and other 'human' accounts, leaving local just the
system users and groups?

- would it be better to keep the user's home directories (including /root) locally
on the client, or to move them to the ldap server, letting them be
net-mounted on the client fs?

Is it theoretically (and practically :-) ) possible to use ldap and remove
from clients all the account management related binaries (useradd etc.) and
/etc/passwd and /etc/groups?

maybe naive questions..sorry :-)

bye,
Stefano.
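The layout Chris recommends (local files consulted before ldap, short reconnect timeouts, an encrypted connection), turned into checks a client can run on itself. This is an added example, not code from either message: the nsswitch.conf and ldap.conf samples are constructed, the server name and values are illustrative, the file paths /etc/nsswitch.conf and /etc/ldap.conf are assumed Debian-style defaults, and the option spelled nss-reconnect_tries above is written here as nss_ldap actually spells it, nss_reconnect_tries. The ldap-only sample reproduces the original poster's nsswitch layout so the check shows why it hangs when the server is away.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a client's NSS/LDAP
# configuration against the advice above: local files consulted before
# ldap (so root and service accounts resolve when the directory is down),
# fail-fast reconnect/bind settings, and an encrypted, verified connection.

# Constructed sample nsswitch.conf lines: "files" first, then "ldap".
NSSWITCH_GOOD='passwd: files ldap
group:  files ldap
shadow: files ldap'

# Constructed sample of the original poster's layout: no local fallback.
NSSWITCH_LDAP_ONLY='passwd: ldap
group:  ldap
shadow: ldap'

# Constructed sample nss_ldap/pam_ldap ldap.conf. Option names are real
# nss_ldap options; the values and the server name are illustrative.
LDAP_CONF_GOOD='uri ldaps://ldap.example.com/
base dc=example,dc=com
ssl on
tls_checkpeer yes
bind_policy soft
bind_timelimit 5
timelimit 10
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2
nss_initgroups_ignoreusers root,www-data,mysql'

# check_nsswitch_order "<nsswitch.conf contents>"
# Returns 0 when every passwd/group/shadow line lists "files" before "ldap",
# 1 when any of them is ldap-only or puts ldap first.
check_nsswitch_order() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(passwd|group|shadow):$/ {
            seen_ldap = 0; ok = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "ldap") seen_ldap = 1
                if ($i == "files" && !seen_ldap) ok = 1
            }
            if (!ok) bad++
        }
        END { exit (bad ? 1 : 0) }'
}

# check_ldap_timeouts "<ldap.conf contents>"
# Returns 0 when bind_policy is soft and a reconnect limit is set, so an
# unreachable server fails fast instead of stalling every lookup (and boot).
check_ldap_timeouts() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*bind_policy[[:space:]]+soft' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*nss_reconnect_tries[[:space:]]+[0-9]+'
}

# check_ldap_encrypted "<ldap.conf contents>"
# Returns 0 when the client uses ldaps:// or TLS and verifies the server
# certificate, so bind credentials never cross the network in the clear.
check_ldap_encrypted() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*(uri[[:space:]]+ldaps://|ssl[[:space:]]+(on|start_tls))' &&
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes'
}

# report "<label>" <check> <args...>: print PASS/FAIL for one check.
report() {
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}

# Run against the constructed samples; to audit a real client, pass the
# file contents instead, e.g. check_nsswitch_order "$(cat /etc/nsswitch.conf)".
report "files before ldap (recommended layout)" check_nsswitch_order "$NSSWITCH_GOOD"
report "files before ldap (ldap-only layout)"   check_nsswitch_order "$NSSWITCH_LDAP_ONLY"
report "fail-fast bind/reconnect settings"     check_ldap_timeouts "$LDAP_CONF_GOOD"
report "encrypted, certificate verified"       check_ldap_encrypted "$LDAP_CONF_GOOD"
```

The second report is expected to FAIL: with ldap as the only source, every uid or gid lookup that happens before the network is up (and root's own login when the server is down) waits on the directory, which is the long timeout the original message describes. Keeping files first and the reconnect limits low is what turns that into a quick fallback to local accounts.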

