
RE: NIS to LDAP: a better way?



Sure, use back-passwd directly instead of back-ldbm. It will need some patching
to make it conform to RFC2307, but that's pretty trivial. Then
get nis_ldap from www.padl.com to make NIS read directly from LDAP and you'll
have no more synchronization problems whatsoever; you won't even need to run
ypmake any more (or whatever the equivalent command for running the NIS
makefile is...).

Note that back-passwd is not a full backend implementation; I don't recall if
it even supports authenticated Binds, which you would need if you want it to
handle LDAP authentication.

I might also point out that Symas' Connexitor product includes a full-featured
UnixAuth module for slapd that securely provides full read-write access to
/etc/passwd, /etc/shadow, whatever. It's not RFC2307 compliant either, but
that's because we also support AIX's security database, and we also can deal
with the SecureWare attributes that HPUX and SCO use. (I think it's a shame
that RFC2307 defined the "posixAccount" objectclass but only implemented Sun's
limited view of such...) (Yes, we support authenticated Binds, but that's not
really what we intended it for. It's meant to be a remote admin tool; it just
so happens that it can serve equally well as an LDAP authentication target and,
with a bit of tweaking, as a nis_ldap provider.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Norman
> Paterson
> Sent: Wednesday, January 23, 2002 1:20 AM
> To: OpenLDAP-Software@OpenLDAP.org
> Subject: NIS to LDAP: a better way?
>
>
> I've set up OpenLDAP 2.0.18 to provide an authentication service based on
> LDBM and /etc/passwd.  To keep LDAP and NIS synchronized, I have hacked the
> NIS Makefile so that when it pushes the passwd map, it also uses
> migrate_passwd.pl to produce a passwd.ldif file, and uses that first to add
> entries to LDAP and then to modify entries.
>
> This is a crappy solution!  Even if there is just one change to
> /etc/passwd, every entry gets added and then modified, because I don't know
> what the change to /etc/passwd might have been.  Also, it is buggy because
> lines deleted from /etc/passwd don't get removed from LDAP.  And it takes
> about 60 seconds to run.
>
> It sort of works - but is there a better way to keep NIS and LDAP in step?
>
> --
> Norman Paterson, University of St Andrews
> http://www.dcs.st-and.ac.uk/~norman/
>
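The Makefile hook described above re-adds and re-modifies every entry and never removes deleted accounts. As an added example (not code from either poster, nor from migrate_passwd.pl), the script below diffs two /etc/passwd snapshots and emits only the RFC2307 posixAccount LDIF change records that are actually needed: adds, attribute-level modifies, and deletes. The base DN and the two passwd snapshots are constructed for illustration; password hashes (which live in /etc/shadow) are deliberately not exported.

```python
BASE_DN = "ou=People,dc=example,dc=com"  # assumed suffix, not from the thread

# Constructed snapshots (no real accounts): alice changes shell, bob is removed, carol is new.
OLD_PASSWD = """alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
"""
NEW_PASSWD = """alice:x:1001:100:Alice:/home/alice:/bin/bash
carol:x:1003:100:Carol:/home/carol:/bin/sh
"""

def parse_passwd(text):
    """Map login name -> RFC2307 posixAccount attributes parsed from /etc/passwd text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        # The password field is ignored: hashes belong to /etc/shadow, not this export.
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[name] = {"uidNumber": uid, "gidNumber": gid, "gecos": gecos,
                       "homeDirectory": home, "loginShell": shell}
    return users

def entry_dn(name):
    return f"uid={name},{BASE_DN}"

def ldif_add(name, attrs):
    lines = [f"dn: {entry_dn(name)}", "changetype: add", "objectClass: account",
             "objectClass: posixAccount", f"uid: {name}", f"cn: {name}"]
    lines += [f"{k}: {v}" for k, v in attrs.items() if v]  # skip empty values
    return "\n".join(lines) + "\n"

def ldif_modify(name, old, new):
    # Only attributes whose value actually changed are replaced.
    lines = [f"dn: {entry_dn(name)}", "changetype: modify"]
    for k in new:
        if old[k] != new[k]:
            lines += [f"replace: {k}", f"{k}: {new[k]}", "-"]
    return "\n".join(lines) + "\n"

def ldif_delete(name):
    return f"dn: {entry_dn(name)}\nchangetype: delete\n"

def diff_passwd(old_text, new_text):
    """Return LDIF change records in the order: adds, modifies, deletes."""
    old, new = parse_passwd(old_text), parse_passwd(new_text)
    recs = [ldif_add(n, new[n]) for n in sorted(new.keys() - old.keys())]
    recs += [ldif_modify(n, old[n], new[n]) for n in sorted(old.keys() & new.keys())
             if old[n] != new[n]]
    recs += [ldif_delete(n) for n in sorted(old.keys() - new.keys())]
    return recs
```

Keep a copy of the passwd file from the previous push as the "old" snapshot, and feed the joined records to ldapmodify; unchanged accounts produce no LDIF at all.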