[Discuss] Moving servers from NIS to LDAP

[Richard Pieri]

On 7/11/2012 7:31 AM, Jerry Feldman wrote:
> I'm leaning toward using LDAP. LDAP will be at a corporate level (not
> IBM but Algorithmics). But, I don't have that many servers so I can
> replicate my changes to each of the servers . Back on testdrive we used
> PAM and it worked well except for one Debian box.

You don't use LDAP to authenticate because it isn't an authentication 
mechanism.  LDAP is a directory service.  The gist is to attach a token 
to the directory information for an account, then configure the 
authentication system to test for the presence of that token.

The simplest way to manage these tokens for groups of people is with 
groups.  LDAP groups work the same as groups in the /etc/groups file or 
groups in the NIS groups map.  Then have a PAM module test for group 
membership and permit/reject as appropriate.

I use this mechanism along with my Kerberos realm with Scientific Linux 
and Debian nodes.  It works brilliantly.  It's a one time change on each 
node that requires a specific group membership for access so I don't 
have to change all the nodes when I change a user's status.

-- 
Rich P.