From: Sal Serafino (serafino@cshl.edu)
Date: Thu Jun 12 2003 - 11:27:17 EDT
Hi Gurus-
Many thanks to Pete Bentley, Karl Vogel, Bertand Hutin, and Karen van der Ploeg
for their comments. Karen gets extra credit for guessing the software vendor in
addition to providing a solution.
The general consensus is to dump the ldap password table and parse it into both
/etc/passwd and /etc/shadow on a regular basis. These files could then be
rsync'd to provide synchronization of passwords across all the servers. A PC
tech I know suggested using the /etc/passwd and /etc/shadow files of one
particular server to push the data nightly to the LDAP server and the other
boxes. There's proof that something works "backwards" ;)
Many thanks to all,
-Sal
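The approach the replies converged on (dump the directory's account data, render it into /etc/passwd and /etc/shadow, then distribute the files) as an added example; this is not code from the thread, from the list, or from the application vendor. It assumes the standard RFC 2307 posixAccount/shadowAccount attribute names, a constructed LDIF dump and constructed local files standing in for the host's current state, and a MIN_LDAP_UID floor and login-name rule that are the example's own choices. It keeps local system accounts below that floor untouched, takes every other account from the directory, and refuses entries that would corrupt the colon-separated files or collide with the reserved range.

```python
"""Render /etc/passwd and /etc/shadow from an LDAP dump (RFC 2307 attributes).
Added example for the sunmanagers thread, not code from the thread or a vendor;
the LDIF and local-file samples are constructed, and MIN_LDAP_UID plus the
login-name rule are this example's own assumptions."""
import base64
import re

MIN_LDAP_UID = 100  # assumed floor: local system accounts below it are kept untouched
LOGIN_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):(:?) ?(.*)$")

SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 1001
gidNumber: 100
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/ksh
userPassword: {CRYPT}$1$abcdefgh$ijklmnopqrstuvwxyz0123
shadowLastChange: 12200
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/bob
userPassword: {SSHA}bm90LWEtY3J5cHQtaGFzaA==
"""
# Constructed stand-ins for the host's current files (Solaris-style records).
LOCAL_PASSWD = ["root:x:0:0:Super-User:/:/sbin/sh", "olduser:x:5000:100:Stale:/home/olduser:/bin/sh"]
LOCAL_SHADOW = ["root:NP:6445::::::", "olduser:$1$stale$hash:12000::::::"]

def parse_ldif(text):
    """'attr: value' / 'attr:: base64' lines, blank-line separators, keys lower-cased."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        m = ATTR_RE.match(line)
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif m:
            value = base64.b64decode(m.group(3)).decode() if m.group(2) else m.group(3)
            current.setdefault(m.group(1).lower(), []).append(value)
    return entries

def first(entry, attr, default=""):
    return entry.get(attr.lower(), [default])[0]

def passwd_line(entry):
    """passwd(4) record, or (None, reason) when the entry must not be shipped."""
    name = first(entry, "uid")
    if not LOGIN_RE.fullmatch(name):
        return None, f"rejected login name {name!r}"
    try:
        uid, gid = int(first(entry, "uidNumber")), int(first(entry, "gidNumber"))
    except ValueError:
        return None, f"{name}: uidNumber/gidNumber missing or non-numeric"
    if uid < MIN_LDAP_UID:
        return None, f"{name}: uid {uid} is inside the reserved local range"
    rest = [first(entry, "gecos"), first(entry, "homeDirectory"), first(entry, "loginShell", "/bin/sh")]
    if not rest[1] or any(":" in f or "\n" in f for f in rest):
        return None, f"{name}: missing home directory or ':' inside a field"
    return ":".join([name, "x", str(uid), str(gid)] + rest), "ok"

def shadow_line(entry):
    """shadow(4) record: name:pw:lastchg:min:max:warn:inactive:expire:flag."""
    pw = first(entry, "userPassword")
    # Only a {CRYPT} value is a crypt(3) string login(1) can verify; any other
    # scheme (SSHA, cleartext, absent) locks the account with '*' instead.
    hashed = pw[7:] if pw.upper().startswith("{CRYPT}") and ":" not in pw else "*"
    aging = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
             "shadowInactive", "shadowExpire", "shadowFlag")
    return ":".join([first(entry, "uid"), hashed] + [first(entry, a) for a in aging])

def build_files(ldif_text, local_passwd, local_shadow):
    """Keep local accounts below MIN_LDAP_UID, take the rest from the directory.
    Returns (passwd_lines, shadow_lines, rejection_reasons)."""
    passwd = [l for l in local_passwd if int(l.split(":")[2]) < MIN_LDAP_UID]
    seen = {l.split(":")[0] for l in passwd}
    shadow = [l for l in local_shadow if l.split(":")[0] in seen]
    rejected = []
    for entry in parse_ldif(ldif_text):
        if "posixaccount" not in [c.lower() for c in entry.get("objectclass", [])]:
            continue
        line, reason = passwd_line(entry)
        name = line.split(":")[0] if line else None
        if line is None:
            rejected.append(reason)
        elif name in seen:
            rejected.append(f"{name}: duplicate login name")
        else:
            seen.add(name)
            passwd.append(line)
            shadow.append(shadow_line(entry))
    return passwd, shadow, rejected
```

Run nightly from cron on the box that holds the dump, write each rendered file to a temporary name in /etc and rename it into place so no process ever reads a half-written passwd or shadow, keep /etc/shadow owned by root at mode 0400, and push the result with rsync over ssh rather than a cleartext transport, since the shadow file carries every account's password hash. Accounts whose directory password is not a crypt(3) string come out locked ('*'), which is visible in the output and better than silently shipping something a login check might accept.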
Original Posting:
---------------------------------------------------------------------------
Date: Wed, 11 Jun 2003 13:30:39 -0400 (EDT)
Hi Gurus-
I'm sorry this is lengthy, but I have to give you details.
The History: We have an intense application with multiple data areas and
environments that has rapidly expanded and now includes three portals and
four servers. Each portal uses the same LDAP service for ACLs via
user/passwd authentication at the web server level, and then connects to any
of the four hosts based on the requested URL. An intermediate connector on
the application servers maps the LDAP user to a UNIX user with consistency.
Outside of some UNIX username/uid mismatches from one machine to the other,
it all seems straightforward. We are using NIS+ -- a migration to LDAP is
in the works. The problem is not about setting up or using LDAP and/or NIS+
at the Solaris level.
The Problem: The application handles security using internals that read
/etc/passwd rather than call getpwnam() or equivalent. The software vendor
currently does not support any type of centralized naming service. There
are "rumors" that the next release "may" include such support, but it will
not be available for at least a year or more. If I went NIS+ or LDAP on
these servers to synchronize UNIX accounts, /etc/passwd would not contain
user names, and the application could not do security checks. There is no
method I know of for synchronizing users between these four hosts and the
directory server. This has become a huge monster in only the last month and
a half.
Does anyone have any ideas on how to get /etc/passwd populated and
synchronize /etc/shadow with LDAP? I will do LDAP to NIS+ to YP hacks if
necessary.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:26:34 EDT