
Re: Ldap+Nfsv4+kerberos *nix / *bsd puzzle.

On 11/30/2011 7:23 AM, Juergen.Sprenger@swisscom.com wrote:
Hi Harry,

have done this here with an extended schema for a
heterogeneous environment of AIX, HPUX, Solaris and Linux.

Extended posixaccount to x-posixaccount with attributetypes (complete schema on request):

Then configure ldap clients with proper attribute mapping, example for Solaris:
NS_LDAP_ATTRIBUTEMAP= passwd:uidNumber=x-SolarisuidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidNumber=x-SolarisgidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=x-SolarishomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginShell=x-SolarisloginShell

Now each operating system can have its own uid/gid combination and shadow
attributes for a given username.

The disadvantage is that you have slightly more complex users and you have to
provide consistent settings on all machines of the same operating system.

dn: uid=myname,ou=Person,dc=myEnterprise,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: x-posixAccount
objectClass: shadowAccount
sn: myname
cn: myname
uid: myname
mail: myname@myEnterprise.com
uidNumber: 287564
gecos: myname
displayName: myname
x-LinuxuidNumber: 287564
x-SolarisuidNumber: 287564
x-HPUXuidNumber: 287564
x-AIXuidNumber: 287564
homeDirectory: /home/myname
x-AIXhomeDirectory: /home/myname
x-HPUXhomeDirectory: /home/myname
x-LinuxhomeDirectory: /home/myname
x-SolarishomeDirectory: /home/myname
loginShell: /usr/bin/bash
x-LinuxloginShell: /bin/bash
x-HPUXloginShell: /bin/ksh
x-SolarisloginShell: /usr/bin/bash
x-AIXloginShell: /bin/sh
gidNumber: 50001
x-HPUXgidNumber: 50001
x-SolarisgidNumber: 50001
x-LinuxgidNumber: 50001
x-AIXgidNumber: 50001

Kind regards

Juergen Sprenger

Juergen, thanks very much for this. I think your approach strikes a balance between storing the same data in more than one place (separate whole ou trees for each os duplicating other information -- at the benefit of no schema changes) and returning exactly the one result wanted given a search (a practical necessity, as those who aren't given to maintain ldap clients like nslcd/nss_ldap are not able to cause them to iterate through a number of home-directory results with the same name looking for attributes to discern which is intended).

The downside of your approach is, as you note, no machine-specific variants, but those are few enough that they can be put in the relevant machine's passwd file and that set to be searched before ldap.
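As an added example (not code from either post), the following Python simulates what the per-OS attribute mapping in Juergen's message does on the client side and checks an entry for the cross-OS consistency both messages touch on: it parses a constructed LDIF entry modelled on his, applies a map equivalent to the Solaris NS_LDAP_ATTRIBUTEMAP lines, builds the passwd line each OS would resolve, and reports an OS whose mapped attributes are missing or whose uid differs from the base value. The helper names and the "x-<OS><field>" naming pattern are assumptions of the example.

```python
import base64
# Constructed LDIF entry modelled on the one in the thread, not the original post.
LDIF_ENTRY = """dn: uid=myname,ou=Person,dc=myEnterprise,dc=com
uid: myname
uidNumber: 287564
gidNumber: 50001
homeDirectory: /home/myname
loginShell: /usr/bin/bash
x-SolarisuidNumber: 287564
x-SolarisgidNumber: 50001
x-SolarishomeDirectory: /home/myname
x-SolarisloginShell: /usr/bin/bash
x-AIXuidNumber: 287564
x-AIXgidNumber: 50001
x-AIXhomeDirectory: /home/myname
x-AIXloginShell:: L2Jpbi9zaA==
"""
# passwd fields that the NS_LDAP_ATTRIBUTEMAP lines in the thread remap per OS.
PASSWD_FIELDS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")

def parse_ldif(text):
    """One entry -> dict keyed by lower-cased name; 'attr:: v' is base64 (RFC 2849)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # the '::' form: decode the base64 payload
            value = base64.b64decode(value[1:].strip()).decode()
        entry[attr.strip().lower()] = value.strip()
    return entry

def attribute_map(os_name):
    """Per-OS map equivalent to 'passwd:uidNumber=x-<OS>uidNumber' and friends."""
    return {field: f"x-{os_name}{field}" for field in PASSWD_FIELDS}

def passwd_line(entry, os_name):
    """passwd(5) line a client on os_name resolves after mapping, or None when a
    remapped attribute is absent (that client then cannot resolve the user)."""
    values = {f: entry.get(a.lower()) for f, a in attribute_map(os_name).items()}
    if None in values.values():
        return None
    return ":".join([entry["uid"], "x", values["uidNumber"], values["gidNumber"],
                     entry.get("gecos", ""), values["homeDirectory"], values["loginShell"]])

def id_drift(entry, os_names):
    """OSes whose mapped uidNumber differs from the base one: on a shared NFS home
    the same user would then own files under different numeric ids per OS."""
    return [o for o in os_names
            if entry.get(attribute_map(o)["uidNumber"].lower()) != entry["uidnumber"]]
```

Running `passwd_line(parse_ldif(LDIF_ENTRY), "HPUX")` returns None because the constructed entry carries no x-HPUX attributes, which is exactly the lookup failure a client with that attribute map would see.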