

Assertion: Openldap is still magic, but now it's black magic.

Any comments?

Red Hat 7.2, much modified, kernel.org 2.4.18 ACPI and iptables.

I'm perfectly happy with 2.1.3 and Berkeley 4.0, openssl 0.9.6b, PADL's
"do-it-yourself" pam-ldap/nss_ldap kit, Exim 4.10 smtp mail server, the
pop3 and IMAP packets that I have (think they're the latest WU versions
without SASL, but I haven't got any further than local SSL/TLS). No

However, having learned to use GQ, slapd debugging at 5 and 256 levels,
ethereal and strace to resolve behavior, day after day, until I've
become blue in the face, I'm perplexed.

Apart from the Berkeley database, and after having worked hours on
/etc/ldap.conf and the /etc/pam.d configs, *nothing* about PAM/NSS that
people here find necessary seems to be necessary for or apply to my
configuration(s). Much that I've read from the Admin guide, golden rules
("*never, never, never*") just isn't true. That's why I'm asking for

Why should I find that things that others seem to accept as gospel,
don't apply to my configurations?

"Never use IP numbers for hostnames, always use FQDNs". Well, for me
TLS/SSL only works with my IP number (, not localhost. or
'uname -n' - the FQDN "billy.demon.nl". "Use pam_ldap for /etc/pam.d
configs, use this, use that", etc. Well, I'm using my old Red Hat
standard configs, and everything works - login, gdm and su. Obviously I
need libnss*. Exclusively for the 'passwd' config do I need pam_ldap. No
trouble in distinguishing between /etc/passwd&shadow and ldap, password
changing with just one "type=billy" password.

This is what I've done to date, since June:

I only have my own test machine. However, if ldap breaks now I'm in deep
trouble :-) I've had a couple of nasty examples that left me gasping.
Like when I'd stopped slapd while Exim was receiving an Internet
mailkick and wanted ldap for all user authentication. Ever seen a mail
server wanting to send 80+ emails back (BSMTP), because it couldn't
verify the recipients? Arrrrgh ...

All local /etc/passwd console and ldap logins and transactions under
(encrypted, of course) TLS.

Posix account "Virtual" users, most with mailboxes in other Internet
domains. Almost complete integration with Ximian's Evolution for partial
local user administration and centrally based contact database, with
partial delegated user administration.

Exim 4.10 smtp server admin with ldap-based user accounts and all mail
aliases (/etc/aliases doesn't even exist any more) and virtual
mailboxes. All imap and pop3 under TLS.

Complete "virtual"=ldap user administration with GQ, with a
mind-boggling wealth of info on each user (eat your heart out NIS+).
Admin user/group (partial) administration of users and services.

Automatic BDB 4 transactional log backups (thanks to Peter A. Savitch).

To recap:

I can do *so* much on a standard Linux machine that I'd never dreamed of
being possible in May, that it still seems like magic. Reading, reading,
more reading and practicing is why. But why should so much that others
accept as gospel, be different for me?




Tony Earnshaw

The usefulness of RTFM is vastly overrated.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
