
Re: managing /etc/passwd and /etc/group with LDAP?

Lasse Hillerøe Petersen wrote:

> At 9:31 -0800 10/02/1999, John Kristian wrote:
> >Use the attributes uidNumber and gidNumber.  In general, conform to RFC 2307.
> Thanks. Naturally, I would have checked the existing schema for fitting
> attributes first, and of course these are the correct ones to use.
> But my question was of a more general nature: is it wise to give up
> traditional management of /etc/passwd and /etc/group in favor of the more
> complicated use of LDAP? The way I would use it would naturally construct a
> proper /etc/passwd file (rather than relying on the availability of a
> separate NIS service, for example), so in case something went wrong with
> LDAP, things would still work.

At the recent Usenix/SAGE LISA conference in Boston, I attended a special interest
group on LDAP that was led by two gents from an ISP.  They had moved to using LDAP
for authentication.  The biggest problem that they had found was that the LDAP
servers provide lookup performance that is at least an order of magnitude worse
than that which is provided by flat file databases or NIS.

My plan is to use LDAP as a master database for account information and use it to
generate NIS maps.  Unix system authentication (and file system access control,
etc.) will be handled via NIS.  Some other systems (web applications, for example)
will authenticate against the LDAP directory directly.  This approach should get
around the LDAP performance bottleneck (at least for Unix system auth) and also
integrates very easily with most any Unix platform.  (It's hard to hack in direct
system auth via LDAP when you don't have your OS's source).

Password changing will only be allowed via a web interface, which will directly
update the passwords in the directory and in the NIS maps (via yppasswdd).  This
way a changed password will be propagated through all systems very quickly and
will not require a regeneration of the NIS passwd map.

Each geographically separated network will have its own NIS domain(s), with LDAP
directory replication providing overall inter-network synchronization.  Part of a
user's directory entry will include an attribute that lists the NIS domains that
the given user should belong to, which will determine what users are in each
domain's maps when they are regenerated (nightly).

Anyone have any reactions to this approach?

I'm still trying to figure out exactly how NT authentication will fit into this.
I have a few possibilities that should work for NT 4, but, of course, once Win2000
arrives we'll have to work on the problem yet again.  _Hopefully_ Microsoft will
make it possible to drive Active Directory from _any_ LDAP directory, but I will
not be surprised if they architect things in a way that this is difficult.  We'll

> A further possibility would be to appoint certain members of some groups as
> "supermembers", and give them rights to add and remove users in the group.
> Also, is anyone aware of some sort of utility to manage groups for LDAP
> servers? I often want to define groups in terms of unions or intersects of
> other groups, or as subgroups to another group, based on matching criteria.
> Is there anything that supports this, or do I have to write my own?

My guess is that you'd have to write your own, but if you find anything make sure
you let us all know here.

> My basic problem is that I don't really have sufficient resources to do the
> management myself (which means that groups and group mail aliases are
> always more or less out of date), and frankly, even if I had, I'd rather
> delegate the work, and concentrate on other things, and just checking that
> things are getting done properly.
> Are there other LDAP mailing lists where such discussion would be more
> appropriate?
> -Lasse

  Charles N. Owens                               Email:  owensc@enc.edu
  Network & Systems Administrator
  Information Technology Services  "Outside of a dog, a book is a man's
  Eastern Nazarene College         best friend.  Inside of a dog it's
                                   too dark to read." - Groucho Marx

org:Eastern Nazarene College;Information Technology Services
adr:;;23 East Elm Avenue;Quincy;MA;02170;USA
title:Network & Systems Coordinator
fn:Charles N. Owens
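The following is an added example, not code from either Charles's or Lasse's message, sketching the "LDAP as master, regenerate NIS maps" step described above and the group union/intersection question raised in the quoted text. It assumes the account data is available as LDIF using the RFC 2307 attribute names (uidNumber, gidNumber, memberUid); the per-user `nisDomain` attribute that lists a user's NIS domains is a hypothetical name chosen here, since the message does not name one. The LDIF shown is constructed sample data. Before emitting a map it refuses on duplicate uidNumber values, since two accounts sharing a number are one identity to the kernel, and it leaves the password field as the placeholder "x" so the hash never lands in a world-readable map.

```python
import re

# Constructed LDIF sample, not a real directory export. RFC 2307 attribute
# names; `nisDomain` is a hypothetical site-local attribute.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
cn: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh
nisDomain: boston
nisDomain: quincy

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
cn: Bob Example
homeDirectory: /home/bob
loginShell: /bin/sh
nisDomain: quincy

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 200
cn: Carol Example
homeDirectory: /home/carol
loginShell: /bin/sh
nisDomain: boston

dn: cn=staff,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 100
memberUid: alice
memberUid: bob

dn: cn=admins,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: admins
gidNumber: 200
memberUid: alice
memberUid: carol
"""


def parse_ldif(text):
    """Parse minimal LDIF into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased (LDAP treats them case-insensitively).
    Simplification: no base64 (`::`) values and no folded continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def _has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))


def passwd_lines(entries, nis_domain):
    """passwd map source for one NIS domain: posixAccount entries whose
    nisDomain values include `nis_domain`. Password field is the "x"
    placeholder; the hash stays in the directory / shadow map."""
    lines = []
    for e in entries:
        if not _has_class(e, "posixAccount") or nis_domain not in e.get("nisdomain", []):
            continue
        lines.append(":".join([e["uid"][0], "x", e["uidnumber"][0], e["gidnumber"][0],
                               e.get("cn", [""])[0], e["homedirectory"][0], e["loginshell"][0]]))
    return lines


def duplicate_uid_numbers(entries):
    """{uidNumber: [uid, ...]} for numbers shared by several accounts."""
    owners = {}
    for e in entries:
        if _has_class(e, "posixAccount"):
            owners.setdefault(e["uidnumber"][0], []).append(e["uid"][0])
    return {n: u for n, u in owners.items() if len(u) > 1}


def posix_groups(entries):
    """Map posixGroup cn -> (gidNumber, set of memberUid)."""
    return {e["cn"][0]: (e["gidnumber"][0], set(e.get("memberuid", [])))
            for e in entries if _has_class(e, "posixGroup")}


def derived_members(groups, op, *names):
    """Members of a group defined as the union / intersection / difference
    of existing groups (the composition Lasse asked about)."""
    sets = [groups[n][1] for n in names]
    if op == "union":
        result = set().union(*sets)
    elif op == "intersection":
        result = set.intersection(*sets)
    elif op == "difference":
        result = sets[0].difference(*sets[1:])
    else:
        raise ValueError("unknown operation: " + op)
    return sorted(result)


def group_line(name, gid, members):
    """One group(5)-format line."""
    return "%s:x:%s:%s" % (name, gid, ",".join(members))


def build_maps(ldif_text, nis_domain):
    """Parse, refuse on uidNumber collisions, return (passwd lines, group lines)."""
    entries = parse_ldif(ldif_text)
    dups = duplicate_uid_numbers(entries)
    if dups:
        raise ValueError("uidNumber collisions, map not generated: %r" % dups)
    groups = posix_groups(entries)
    return (passwd_lines(entries, nis_domain),
            [group_line(n, g, sorted(m)) for n, (g, m) in sorted(groups.items())])


if __name__ == "__main__":
    for line in build_maps(SAMPLE_LDIF, "quincy")[0]:
        print(line)
```

In the real setup the output of `build_maps` would be written to the NIS source files and pushed with the usual map build, once per domain, with the collision check deciding whether that push happens at all.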