[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap+Nfsv4+kerberos nix / bsd puzzle.

To: Juergen.Sprenger@swisscom.com
Subject: Re: Ldap+Nfsv4+kerberos *nix / *bsd puzzle.
From: Harry Coin <hcoin@quietfountain.com>
Date: Wed, 30 Nov 2011 14:08:11 -0600
Cc: openldap-technical@openldap.org
In-reply-to: <C17898762A892F4E929B70666A1EADA81AC47D9D@sg000713.corproot.net>
References: <C17898762A892F4E929B70666A1EADA81AC47D9D@sg000713.corproot.net>
User-agent: Mozilla/5.0 (Windows NT 6.0; rv:8.0) Gecko/20111105 Thunderbird/8.0

On 11/30/2011 7:23 AM, Juergen.Sprenger@swisscom.com wrote:

Hi Harry,

have done this here with an extended schema for a
heterogeneous environment of AIX, HPUX, Solaris and Linux.

Extended posixaccount to x-posixaccount with attributetypes (complete schema on request):
'x-homeDirectory'
'x-SolarishomeDirectory'
'x-AIXhomeDirectory'
'x-LinuxhomeDirectory'
'x-HPUXhomeDirectory'

'x-loginShell'
'x-SolarisloginShell'
'x-AIXloginShell'
'x-LinuxloginShell'
'x-HPUXloginShell'

'x-uidNumber'
'x-SolarisuidNumber'
'x-AIXuidNumber'
'x-LinuxuidNumber'
'x-HPUXuidNumber'

'x-gidNumber'
'x-SolarisgidNumber'
'x-AIXgidNumber'
'x-LinuxgidNumber'
'x-HPUXgidNumber'

'x-AIX5shadowLastChange'
'x-AIX5shadowMin'
'x-AIX5shadowMax'
'x-AIX5shadowWarning'
'x-AIX5shadowInactive'
'x-AIX5shadowExpire'
'x-AIX5shadowFlag'

Objectclasses:
'x-posixAccount'
'x-shadowAccount'
'x-posixGroup'

Then configure ldap clients with proper attribute mapping, example for Solaris:
NS_LDAP_ATTRIBUTEMAP= passwd:uidNumber=x-SolarisuidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidNumber=x-SolarisgidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=x-SolarishomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginSHell=x-SolarisloginShell

Now each operating system can have its own uid/gid combination and shadow
attributes for a given username.

Disadvantage is, that You have slightly more complex users and You have to
provide consistent settings on all machines of the same operating system.

dn: uid=myname,ou=Person,dc=myEnterprise,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: x-posixAccount
objectClass: shadowAccount
sn: myname
cn: myname
uid: myname
mail: myname@myEnterpsiem.com
uidNumber: 287564
gecos: myname
displayName: myname
x-LinuxuidNumber: 287564
x-SolarisuidNumber: 287564
x-HPUXuidNumber: 287564
x-AIXuidNumber: 287564
homeDirectory: /home/myname
x-AIXhomeDirectory: /home/myname
x-HPUXhomeDirectory: /home/myname
x-LinuxhomeDirectory: /home/myname
x-SolarishomeDirectory: /home/myname
loginShell: /usr/bin/bash
x-LinuxloginShell: /bin/bash
x-HPUXloginShell: /bin/ksh
x-SolarisloginShell: /usr/bin/bash
x-AIXloginShell:: /bin/sh
gidNumber: 50001
x-HPUXgidNumber: 50001
x-SolarisgidNumber: 50001
x-LinuxgidNumber: 50001
x-AIXgidNumber: 50001
.
.
.


Kind regards

Juergen Sprenger

Juergen, thanks very much for this. I think your approach strikes abalance between storing the same data in more than one place (separatewhole ou trees for each os duplicating other information -- at thebenefit of no schema changes), returning exactly the one result wantedgiven a search (a practical necessity as those who aren't given tomaintain ldap clients like nslcd/nss_ldap are not able to cause them toiterate through a number of home-directory results with the same namelooking for attributes to discern which is intended).

The downside of your approach is as you note no machine specificvariants, but those are few enough they can be put in the relevantmachine's passwd file and that set to be searched before ldap.

Prev by Date: Re: unclean shutdown detected; attempting recovery - question
Next by Date: Re: memberof overlay deployment
Index(es):
- Chronological
- Thread

Re: Ldap+Nfsv4+kerberos *nix / *bsd puzzle.

Re: Ldap+Nfsv4+kerberos nix / bsd puzzle.