Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Moving servers from NIS to LDAP



On 7/11/2012 7:31 AM, Jerry Feldman wrote:
> I'm leaning toward using LDAP. LDAP will be at a corporate level (not
> IBM but Algorithmics). But, I don't have that many servers so I can
> replicate my changes to each of the servers . Back on testdrive we used
> PAM and it worked well except for one Debian box.

You don't use LDAP to authenticate because it isn't an authentication 
mechanism.  LDAP is a directory service.  The gist is to attach a token 
to the directory information for an account, then configure the 
authentication system to test for the presence of that token.

The simplest way to manage these tokens for groups of people is with 
groups.  LDAP groups work the same as groups in the /etc/groups file or 
groups in the NIS groups map.  Then have a PAM module test for group 
membership and permit/reject as appropriate.

I use this mechanism along with my Kerberos realm with Scientific Linux 
and Debian nodes.  It works brilliantly.  It's a one time change on each 
node that requires a specific group membership for access so I don't 
have to change all the nodes when I change a user's status.

-- 
Rich P.




BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org