
BLU Discuss list archive



[Discuss] Moving servers from NIS to LDAP



On 07/11/2012 11:39 AM, Richard Pieri wrote:
> On 7/11/2012 7:31 AM, Jerry Feldman wrote:
>> I'm leaning toward using LDAP. LDAP will be at a corporate level (not
>> IBM but Algorithmics). But, I don't have that many servers so I can
>> replicate my changes to each of the servers. Back on testdrive we used
>> PAM and it worked well except for one Debian box.
>
> You don't use LDAP to authenticate because it isn't an authentication
> mechanism.  LDAP is a directory service.  The gist is to attach a
> token to the directory information for an account, then configure the
> authentication system to test for the presence of that token.
>
> The simplest way to manage these tokens for groups of people is with
> groups.  LDAP groups work the same as groups in the /etc/groups file
> or groups in the NIS groups map.  Then have a PAM module test for
> group membership and permit/reject as appropriate.
>
> I use this mechanism along with my Kerberos realm with Scientific
> Linux and Debian nodes.  It works brilliantly.  It's a one time change
> on each node that requires a specific group membership for access so I
> don't have to change all the nodes when I change a user's status.
>
The issue is we must convert from NIS, and LDAP is the only solution and
it is imposed on me. Eventually we will move to a different
authentication as we get more integrated.
Currently the plan is just to use our current Toronto logins (with
different UIDs and groups than we have in Boston). But, if they will
agree to replicate our NIS, that solves a few problems.

-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90 
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66  C0AF 7CEA 30FC 3BC1 EB90
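
The quoted reply above describes having a PAM module test for group membership and permit or reject on the result. The following is an added example, not part of the original thread: it audits a PAM service file's account stack to confirm such a gate is actually enforced. It assumes pam_succeed_if.so as the module (the thread names none) and a hypothetical group "shellusers"; both sample stacks are constructed.

```python
import re

# One PAM rule: type, control (plain word or [bracketed list]), module, args.
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_group_gate(pam_text, group):
    """Check that the account stack enforces 'user ingroup <group>'.

    Returns (ok, reason). include/substack/@include lines are not followed;
    audit the included file separately.
    """
    bypass = None  # first earlier rule that can end or skip ahead in the stack
    gate_re = re.compile(r"\buser\s+ingroup\s+%s(\s|$)" % re.escape(group))
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != "account":
            continue
        control, module, args = m.group(2), m.group(3), m.group(4)
        if module.endswith("pam_succeed_if.so") and gate_re.search(args):
            if control not in ("required", "requisite"):
                return False, f"line {lineno}: gate is '{control}', so failing it is not fatal"
            if bypass:
                return False, f"line {lineno}: gate follows {bypass}, which can skip it"
            return True, f"line {lineno}: gate enforced"
        # A successful 'sufficient' rule returns immediately; success=done or
        # success=N jumps past later rules. Either can bypass a later gate.
        if bypass is None and (control == "sufficient"
                               or re.search(r"success=(done|\d+)", control)):
            bypass = f"line {lineno} ({control} {module})"
    return False, f"no pam_succeed_if.so gate for group '{group}' in account stack"

# Constructed sample: gate appended after a 'sufficient' rule (local users skip it).
WEAK = """\
account  required    pam_unix.so
account  sufficient  pam_localuser.so
account  required    pam_succeed_if.so user ingroup shellusers
"""

# Constructed sample: gate evaluated first, before anything can short-circuit.
STRONG = """\
account  required    pam_succeed_if.so user ingroup shellusers
account  required    pam_unix.so
account  sufficient  pam_localuser.so
account  required    pam_permit.so
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, audit_group_gate(text, "shellusers"))
```
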





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
