[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password control with YP(NIS)

Earlier today, Prasad HS wrote:

> > Our project is merging our NDS (Novell) accounts/passwords with our Unix
> > (Solaris) accounts/passwords using LDAP.  The proof-of-concept was built
> > using OpenLDAP (for the Solaris box using remote authentication/lookups)
> > but the system will go live using Novell's NLDAP.NLM (NDSv8) on NetWare
> > 5.
> Could you explain how you did it, what supporting softwares needs to be
> installed , what configuration changes need to be changed etc to us ? I
> appreciate if you could share your knowledge

I don't want to take up too much bandwidth on this list discussing something
that isn't strictly OpenLDAP-specific;  I'm writing a technical report/paper
about our project for a conference later this year so when I've completed it I
might make it available on the Web.

In short, it works like this:

- aim = share accounts/passwords between a Solaris machine and an NDS tree
  so that students can login using the same ID/password to both the email
  server (Solaris 2.6) and in all the labs (NT 4.0 Workstation authenticating
  to NetWare 5)

- "authentication server" (directory)
  - OpenLDAP 1.2.1 (testing) on Solaris 7
  - Novell NetWare 5 + NDSv8 with NLDAP.NLM (testing/production)

- "authentication client" (email server)
  - Solaris 2.6
  - Luke Howard's PAM LDAP module (http://www.padl.com/)
  - Luke Howard's NSS LDAP module (http://www.padl.com/)
  - Netscape's Directory SDK for C 3.0 (with export-grade SSLv3)

- configure PAM on Solaris to use LDAP when appropriate

- configure NSS on Solaris to use LDAP when appropriate

- populate LDAP directory with objects for authentication (LH's modules
  use the RFC 2307 schema - ergo my original query)

That's it (at a basic level, anyway).  It was easy to get the OpenLDAP
directory up and running with 20,000+ users in a single subtree ("container"
or "context" in the NDS/Novell parlance) to act as a proof-of-concept - all
those users could then login (send/receive email, run commands, own files,
&c.) all as if they were regular Unix users - 'cept they didn't exist at all
in /etc/passwd or /etc/shadow.

Getting the Novell end working was a little tougher, but we've worked our way
through most of the problems so far (moving from NDSv7 to NDSv8 was a big help
- performance of LDAP on NDSv7 was essentially woeful).

> For PC clients, how do you indicate that it should look into ldap
> databases ?

For authentication (as far as this project is concerned), we let the labs
(Windows NT 4.0 Workstation) authenticate the same way they are now - NDS.
The introduction of LDAP is mainly to provide remote authentication for the
Solaris machine in such a way that eventually, we won't be tied specifically
to NDS as the LDAP server (proven by the fact that it was brought up on
OpenLDAP first).  As it stands, users will have the one login ID and a single
password (with no need for "special" synchronisation between Unix and NetWare

When LDUP (LDAP replication) is finalised we should be able to partition our
directory tree and split areas up across different platforms/vendors.  (Well I
can dream, can't I?!?!)