
Re: Intro and question

--On Tuesday, November 11, 2003 8:32 PM -0800 Steve Chan <sychan@lbl.gov> wrote:


	I work on rolling Grid services into production at Berkeley Lab, and
have been using OpenLDAP based tools for a while now (mostly the MDS
service in Globus).
	Recently we've started a project to set up central authentication for
several different computer clusters. The problem I'm looking into is how
to set up the schemas so that "out of the box" PAM LDAP modules can all
go to a central server for authentication information.
	We'd like to have information like usernames, uids, GECOS and password
hashes common across all systems. But home directory, path to shells and
default GIDs will be different.

	Looking at the man pages, it seems the only way to make this work would
be to either have each cluster go against their own tree, and then
manually sync up the common information, or else set up a SQL backend
that serves up a view that joins the common information with the cluster
specific information.

Can anyone suggest another, less complex approach to dealing with this?

We use a distributed filesystem (AFS) for all of our users. Therefore, they always have the same home directory no matter what system they are on. We use Kerberos for our password infrastructure, so their password verification is completely outside of OpenLDAP. We point our Linux, Solaris, and Mac OS X clusters to our OpenLDAP servers for uid, gecos, uidNumber, gidNumber, etc. It works very well.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
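As an added example that is not part of either message above, the script below models the first option Steve mentions (one tree per cluster, with the common attributes synced): it builds each cluster's RFC 2307 posixAccount entries from a single shared record plus per-cluster overrides for homeDirectory, loginShell and gidNumber, emits them as RFC 2849 LDIF, and then reads the trees back to check that the centrally owned attributes (uid, uidNumber, gecos, cn) have not drifted between clusters. Drift in uid/uidNumber is the thing worth catching, since it changes who owns files on any shared filesystem. Following the reply above, userPassword is emitted only if a hash is explicitly supplied, so a Kerberos-backed setup simply never writes one. The cluster names, DN suffixes, users and the dummy hash are all constructed for the example.

```python
"""Per-cluster posixAccount LDIF from one shared user record (hypothetical helper)."""
import base64

# Attributes that must be identical everywhere (owned by the central record).
COMMON_ATTRS = ("uid", "uidNumber", "gecos", "cn")

# Constructed sample data; not real accounts.
COMMON_USERS = [
    {"uid": "schan", "uidNumber": 1001, "gecos": "Steve Chan", "cn": "Steve Chan"},
    {"uid": "jdoe", "uidNumber": 1002, "gecos": "Jane Doe, Bldg 50", "cn": "Jane Doe"},
]

# Per-cluster overrides for the attributes allowed to differ (constructed names/suffixes).
CLUSTERS = {
    "alpha": {"base": "ou=People,dc=alpha,dc=example", "home": "/home/{uid}",
              "shell": "/bin/bash", "gid": 100},
    "beta": {"base": "ou=People,dc=beta,dc=example", "home": "/afs/example/u/{uid}",
             "shell": "/bin/tcsh", "gid": 500},
}


def _is_safe(s):
    """RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, not starting with space, ':' or '<'."""
    if not s.isascii() or any(c in "\0\r\n" for c in s):
        return False
    return not (s and s[0] in " :<")


def ldif_value(attr, value):
    """Render one attribute line, base64-encoding ('::') values that are not SAFE."""
    s = str(value)
    if _is_safe(s):
        return f"{attr}: {s}"
    return f"{attr}:: {base64.b64encode(s.encode()).decode()}"


def user_entry(user, cluster, password_hash=None):
    """LDIF lines for one user in one cluster's tree; userPassword only if a hash is given."""
    lines = [ldif_value("dn", f"uid={user['uid']},{cluster['base']}")]
    lines += [f"objectClass: {oc}" for oc in ("top", "person", "posixAccount")]
    lines += [ldif_value(a, user[a]) for a in COMMON_ATTRS]
    lines.append(ldif_value("sn", user["cn"].split()[-1]))  # 'person' requires sn
    lines.append(ldif_value("homeDirectory", cluster["home"].format(uid=user["uid"])))
    lines.append(ldif_value("loginShell", cluster["shell"]))
    lines.append(ldif_value("gidNumber", cluster["gid"]))
    if password_hash is not None:
        lines.append(ldif_value("userPassword", password_hash))
    return lines


def cluster_ldif(name, users=COMMON_USERS, password_hashes=None):
    """Full LDIF text for one cluster's People subtree."""
    cluster = CLUSTERS[name]
    hashes = password_hashes or {}
    entries = ["\n".join(user_entry(u, cluster, hashes.get(u["uid"]))) for u in users]
    return "\n\n".join(entries) + "\n"


def parse_ldif(text):
    """Minimal reader for the LDIF this script emits (no line folding, no changetype)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            if ":: " in line:
                attr, val = line.split(":: ", 1)
                val = base64.b64decode(val).decode()
            else:
                attr, val = line.split(": ", 1)
            attrs.setdefault(attr, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries


def shared_mismatches(ldif_texts):
    """Return uids whose centrally owned attributes differ between any two trees."""
    views = {}
    for text in ldif_texts:
        for attrs in parse_ldif(text).values():
            common = {a: attrs.get(a) for a in COMMON_ATTRS}
            views.setdefault(attrs["uid"][0], []).append(common)
    return sorted(uid for uid, v in views.items() if any(x != v[0] for x in v[1:]))


if __name__ == "__main__":
    trees = {name: cluster_ldif(name) for name in CLUSTERS}
    for name, text in trees.items():
        print(f"# --- {name} ---\n{text}")
    print("mismatched uids:", shared_mismatches(list(trees.values())))
```

The consistency check is the piece that makes the "sync the common information" option tolerable in practice: run it against exports of every cluster tree before accepting a change, and anything that drifted in uid, uidNumber, gecos or cn shows up by name.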