Re: LDAP - Can it Cut It?

From: Jolet, John (John.Jolet@MISYSHEALTHCARE.COM)
Date: Thu Nov 07 2002 - 11:25:11 EST


Here's what I do....I've got Sun, AIX, and Linux servers all ultimately
authenticating against an LDAP repository. Because the Sun and AIX don't
seem to want to use the posixUser class, I've got my master NIS server
acting as a replica LDAP server, then I run a Perl script which, once
every 5 minutes, queries the LDAP repository, builds the mail alias map,
user, group maps, then does a ypmake, which makes the NIS maps and pushes
them to the slave NIS servers...works great. I've got a web page (which I'm
about to rewrite) which allows users to change their LDAP password...then
after a 5-minute delay, the NIS passwords change. This allows me to have
one password for all my secure web resources (via mod_auth_ldap) and my
systems (via LDAP for the Linux boxes and NIS for the rest), plus I've
written a program to add and modify users, which also maintains their email
aliases, Samba passwords, etc, etc, etc. One thing you miss with this,
though, is the password re-use history. I'm going to set up a MySQL
database on my LDAP server to store n copies of each user's old, encrypted
password. Password aging I haven't tested yet, and I'm going to write a
program to go out and send emails to everyone whose password will expire
within two weeks (thus the email alias thing)...contact me offline if you
want more details...the ultimate goal is to do all authentication via LDAP,
but until I get all that working, this is what I've got.

I saw a reference to adding the AIX schema to OpenLDAP, once, but can't find
the reference again. This would allow my 4.3.3 boxes to skip NIS
altogether. And I know sendmail will do alias resolution against LDAP as
well...got that working on a couple of the Linux boxes.
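The 5-minute LDAP-to-NIS map build described above, as an added Python example (not the author's Perl script): it takes entries shaped like an LDAP search result and emits the passwd, group and mail-aliases source lines that ypmake would turn into NIS maps. The sample entries, the RFC 2307 attribute names and the rule of locking accounts whose hash is not crypt(3) are assumptions of this example.

```python
# Added example: the LDAP -> NIS map build step, not the author's Perl script.
# ENTRIES is constructed sample data standing in for an LDAP search result
# (attribute -> list of values) of RFC 2307 posixAccount/posixGroup entries.
ENTRIES = [
    {"objectClass": ["posixAccount"], "uid": ["alice"], "uidNumber": ["1001"],
     "gidNumber": ["100"], "cn": ["Alice Example"], "homeDirectory": ["/home/alice"],
     "loginShell": ["/bin/ksh"], "userPassword": ["{CRYPT}abJnggxhB/yWI"],
     "mail": ["alice.example@example.com"]},
    # SSHA hash: fine for LDAP binds, but NIS clients can only check crypt(3)
    {"objectClass": ["posixAccount"], "uid": ["bob"], "uidNumber": ["1002"],
     "gidNumber": ["100"], "cn": ["Bob Example"], "homeDirectory": ["/home/bob"],
     "loginShell": ["/bin/bash"], "userPassword": ["{SSHA}bm90YWNyeXB0aGFzaA=="]},
    # GECOS containing ':' would shift the passwd fields if copied through blindly
    {"objectClass": ["posixAccount"], "uid": ["eve"], "uidNumber": ["1003"],
     "gidNumber": ["100"], "cn": ["Eve Example, ext:1234"], "homeDirectory": ["/home/eve"],
     "loginShell": ["/bin/sh"], "userPassword": ["{CRYPT}abJnggxhB/yWI"]},
    {"objectClass": ["posixGroup"], "cn": ["users"], "gidNumber": ["100"],
     "memberUid": ["bob", "alice"]},
]
PASSWD_ATTRS = ("uid", "userPassword", "uidNumber", "gidNumber",
                "cn", "homeDirectory", "loginShell")

def build_nis_maps(entries):
    """Return (passwd, group, aliases, skipped) for ypmake's source files."""
    passwd, group, aliases, skipped = [], [], [], []
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixAccount" in classes:
            if not all(a in e for a in PASSWD_ATTRS):
                skipped.append(e.get("uid", ["?"])[0])  # incomplete entry
                continue
            fields = [e[a][0] for a in PASSWD_ATTRS]
            if any(":" in f or "\n" in f for f in fields):
                skipped.append(fields[0])  # would corrupt the map line
                continue
            # Only crypt(3) hashes work in a NIS passwd map; lock ('*') anything
            # else rather than publish a hash that no client can verify.
            pw = fields[1]
            fields[1] = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else "*"
            passwd.append(":".join(fields))
            if "mail" in e:  # feeds the sendmail aliases map
                aliases.append(f"{fields[0]}: {e['mail'][0]}")
        elif "posixGroup" in classes:
            members = ",".join(sorted(e.get("memberUid", [])))
            group.append(f"{e['cn'][0]}:*:{e['gidNumber'][0]}:{members}")
    return passwd, group, aliases, skipped
```

Anything that lands in the skipped list should be reported rather than silently dropped, since a user vanishing from the passwd map after a 5-minute sync looks like a lockout.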

-----Original Message-----
From: cbaker@GOODYEAR.COM [mailto:cbaker@GOODYEAR.COM]
Sent: Thursday, November 07, 2002 10:08 AM
To: aix-l@Princeton.EDU
Subject: LDAP - Can it Cut It?

(Ok, I am sure that this question has probably been asked. If so, just
please point me in the right direction.)

We have a large number of RS/6000 that are all tied together in a pretty
good NIS domain.

We are now asked to merge our domain with others... Not a real problem.
Basically, they just want the same login, same password, same data
automounted.... These things are being addressed.... More politics than
technical.

The real question is LDAP.

I have a number of users defined in my NIS domain that really do not need
full UNIX accounts with access to all my domain has. We just have them
there so they have some way of authorizing them in some intranet web sites.

I have begun setting up an iPlanet LDAP server for these folks. But, I see
the possibilities of this tool for doing much more. Alas, I am but a
novice (so far).

Can I use an LDAP server to perhaps do any of the following?

- Authenticate ALL my RS/6k users? How? How would that mesh with NIS?

- Could I actually keep NIS password the same, but somehow use LDAP to
update the NIS master's passwords? Why?
    So I could synchronize my NIS passwords with the LDAP and in turn some
of these other NIS domains..... Single password!!??

- Can I use LDAP to not only authenticate passwords, but also group users
so they have specific areas, systems, programs they can and cannot enter?

I will stop there. I guess the first things I need are info from someone
who is now using LDAP to authenticate AIX users. And directions to where I
can quickly learn LDAP from the floor up.

Thanks,

Christopher M. Baker
Senior Technical Support Analyst
DSE/TCO
Goodyear Tire and Rubber Company
cbaker@goodyear.com




This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:19 EDT