
Re: best practice and account management (passwd)



Please reply-to-all.  :)

And, no, your confusion can never be wrong.  :s

However, I haven't heard or seen anyone trying to store user's files in LDAP.

Even with Windows AD networks, using roaming profiles, the AD stores the user's account and group info, and the user's 'profiles' (i.e. homedir) were usually kept on another file server.  That said, even in Windows, I've only ever been in one environment that used roaming profiles and it was painful to login to a new system (takes a while to copy the data!) and it was eventually discontinued.

The typical LDAP (or AD for that matter) is set up, at its heart, to be a user db - name, email, homedir, group memberships, and other various bits of user /info/.

I do believe it's possible to store files in LDAP, but openldap doesn't provide the tools necessary to handle the retrieval and setup of homedirs, nor the syncing of the homedir back to the LDAP server on logout.  That would be handled by other tools, and then it's best to store the data in a file server location rather than in the LDAP db (it's not intended to store files, per se; I suspect it would be awfully slow compared to a file server).

If I were to attempt to set up roaming profiles, I would aim to store the files on a file server.

Recommendation: do one thing at a time.  Research and test roaming profiles, before LDAP. Or vice versa.  You'll find you won't be using LDAP to handle the file storage, but you may end up configuring clients via some of the same files (nsswitch, pam.conf, etc.).

- chris

Chris Jacobs, Systems Administrator
Apollo Group  |  Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu

----- Original Message -----
From: tangonights@yahoo.it <tangonights@yahoo.it>
To: Chris Jacobs
Sent: Thu Oct 07 04:08:20 2010
Subject: Re: best practice and account management (passwd)

thanks for your answer, some comment inline.


On Thursday 7 October 2010 04:01:57 you wrote:
> Stefano,
>
> There are settings that can be set in PAM's ldap.conf (under /etc) to help
> abrogate the timeout difficulties.  Some aren't documented officially, and
> so may disappear without notice - but they do help. Google:
> nss_reconnect_tries.
>
> I wouldn't put root into ldap - if your ldap server is unavailable, logging
> in could be /very/ difficult.  Not to mention if a node connects without
> encryption and the root account is used.  One doesn't have to 'own' a box,
> merely get to the network to listen in on that.
>
> And for Debian based distros, I think it would be a good idea to have a
> local account you can use to sudo to root.
>
> I would also add local to your pam conf - listed after ldap, of course
> (unless the timeouts are difficult while you're
> troubleshooting/experimenting).
>
> I would recommend groups and users being put into only ldap, and leaving
> necessary local accounts and groups for the box to do its job (be it
> httpd, mysql, etc, users) left alone.
>
> As for putting home directories into ldap - I don't think that's possible.
> I've never seen that in linux personally, but I suspect that would be
> outside ldap's purview.  However, as the user account would be ldap based,
> it would contain home folder location.

ldap contains just the homedir path, I know, but when ldap is implemented, is it a
logical consequence to store homedirs on the server? I found it a bit complicated
to manage accounts 'a la ldap' and keep all the relevant homedirs on the
remote clients... Am I wrong?
Bye!

>
> This isn't intended as a complete or authoritative reply - just what I've
> gleaned - and I've been wrong before (on this list even).
>
> Good luck!
> - chris
>
> PS: my apologies for top-posting - it's kinda what BBs do.
>
> Chris Jacobs, Systems Administrator
> Apollo Group  |  Apollo Marketing | Aptimus
> 2001 6th Ave Ste 3200 | Seattle, WA 98121
> phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
> email:  chris.jacobs@apollogrp.edu
>
> ----- Original Message -----
> From: openldap-technical-bounces@OpenLDAP.org
> <openldap-technical-bounces@OpenLDAP.org> To:
> openldap-technical@openldap.org <openldap-technical@openldap.org> Sent:
> Wed Oct 06 07:23:11 2010
> Subject: best practice and account management (passwd)
>
> Hi everybody!
>
> I'm an OpenLDAP absolute beginner so..
>
> I started my training with user management, and was wondering if it was a
> good practice to move the whole /etc/passwd to ldap and let nsswitch just
> to 'ldap' the passwd,group,shadow items
>
> passwd: ldap
> group:  ldap
> shadow: ldap
>
> I tried and I faced some obvious issues like client's boot errors etc. It
> worked but at the cost of a looong timeout..
>
> - Is there any point in moving the whole /etc/passwd and groups, or is
> maybe better to move the root and other 'human' accounts, leaving local
> just the system users and groups?
>
> - was it better to keep the user's home directories (including /root)
> locally on the client, or better to move them on the ldap server, letting
> them be net-mounted on the client fs?
>
> Is it theoretically (and practically :-) ) possible to use ldap and remove
> from clients all the account management related binaries (useradd etc.) and
> /etc/passwd and /etc/groups?
>
> maybe naive questions..sorry :-)
>
> bye,
> Stefano.
>
>
> This message is private and confidential. If you have received it in error,
> please notify the sender and remove it from your system.


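As an added example, not code from anyone in the thread: a small shell audit of the client-side settings the replies talk about. It puts the nsswitch.conf from the question (every database going to 'ldap' alone) beside the usual 'files first, ldap second' form, so local accounts still resolve when the directory is unreachable; checks that uid 0 is defined in the local passwd data; and shows the nss_ldap /etc/ldap.conf options (bind_policy, nss_reconnect_tries and friends) that bound how long a lookup blocks. The nsswitch and passwd snippets are constructed samples, the ldap.conf values and the example.org names are assumptions, and the option names are nss_ldap's, not something from the original mails.

```shell
#!/bin/sh
# Added example (not from the list thread): audit the client-side resolver
# settings so that root and the box's own service accounts keep resolving
# from local files when the LDAP server is down.  All config snippets
# below are constructed samples.

# 1. nsswitch.conf as posted in the question: every lookup goes to LDAP only.
#    With the server unreachable, even "root" waits out the LDAP timeouts.
NSS_LDAP_ONLY='passwd: ldap
group:  ldap
shadow: ldap'

# 2. The usual form: local files first, LDAP second.
NSS_FILES_FIRST='passwd: files ldap
group:  files ldap
shadow: files ldap'

# 3. nss_ldap/pam_ldap /etc/ldap.conf knobs that bound how long a lookup
#    blocks when the server is away.  Option names are nss_ldap's; the
#    values and names are assumptions to tune for your network.
LDAP_CONF='uri ldap://ldap.example.org/
base dc=example,dc=org
bind_policy soft
bind_timelimit 5
timelimit 10
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2'

# Constructed local passwd data: root and a service account stay local,
# human users live in LDAP only.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
mysql:x:106:112:MySQL Server:/nonexistent:/bin/false'

# nsswitch_ok DB CONFIG
# Succeeds when database DB (passwd, group, shadow) names a local source
# ("files" or "compat") before "ldap", or does not consult ldap at all;
# fails when ldap is queried with no local source ahead of it.
nsswitch_ok() {
  printf '%s\n' "$2" | awk -v db="$1" '
    BEGIN { key = db ":" }
    /^[[:space:]]*#/ { next }
    $1 == key {
      files = 0; bad = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "files" || $i == "compat") files = 1
        if ($i == "ldap" && !files) bad = 1
      }
      exit bad
    }'
}

# root_is_local PASSWD_CONTENT
# Succeeds when uid 0 is defined in the local passwd data, i.e. root login
# does not depend on the directory being reachable.
root_is_local() {
  printf '%s\n' "$1" | awk -F: '$3 == 0 { found = 1 } END { exit !found }'
}

# ldap_conf_value KEY CONFIG
# Prints the value of KEY from an ldap.conf-style "key value" config.
ldap_conf_value() {
  printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# audit CONFIG: report each database's ordering.
audit() {
  for db in passwd group shadow; do
    if nsswitch_ok "$db" "$1"; then
      echo "$db: ok (local source consulted before ldap)"
    else
      echo "$db: WARNING, ldap consulted with no local source first"
    fi
  done
}

echo "== nsswitch.conf from the question =="
audit "$NSS_LDAP_ONLY"
echo "== files-first nsswitch.conf =="
audit "$NSS_FILES_FIRST"
if root_is_local "$LOCAL_PASSWD"; then
  echo "root is defined locally"
fi
echo "bind_policy = $(ldap_conf_value bind_policy "$LDAP_CONF")"
```

Running it prints a WARNING for all three databases of the first config and "ok" for the second. The ordering check is about nsswitch only; the PAM stack ordering Chris describes (local listed after ldap in pam.conf) is a separate file and is not what this script inspects.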