Re: LDAP replacing NIS...?
From: Pavol Kvanka (firstname.lastname@example.org)
- In reply to: Gregory Hicks: "LDAP replacing NIS...?"
Date: Thu, 30 Jan 2003 11:40:37 +0100 (CET)
From: Pavol Kvanka <email@example.com>
To: Gregory Hicks <firstname.lastname@example.org>
> Has anyone tried to use LDAP to replace the NIS passwd (also hosts,
> group, aliases, et al)? We have converted a system to using LDAP
> queries to authenticate users working, but once we changed to LDAP,
> users can no longer login to their CDE desktop.
I started with OpenLDAP server and everything went okay. Then I tried
iPlanet Directory Server, all things go fine, I haven't encountered any
problem. Maybe you should have a look at your Solaris /etc/pam.conf file,
whether all appropriate items are given their pam_ldap.so.1 authentication
component. You should consult your nsswitch.conf file, as well. Check your
manual pages for the ldap_cachemgr and appropriate configuration files in
/var/ldap directory for exact configuration of search scope, service
authentication method, etc. Have a look at your directory server's ACLs
for userPassword, as well. My configuration works in Solaris 8 and 9
environments, it was tested also on Linux boxes to authenticate users, but
I guess it needs some more work to be done with configuring nsswitch.conf.
> Given a mix of SunOS 4.x, Solaris 2.5, 2.5.1, 2.6, 7-9, is there a
> really good method to make the switch? Or are we, for the near term,
> going to be maintaining the maps in LDAP and periodically 'pushing' the
> source maps to the remote NIS masters?
In my opinion, mixing NIS and LDAP brings more problems than if your nodes
used just one type of information service. I experienced that older Solarises
had problems when using LDAP authentication, they "liked" only NIS. In
such a heterogeneous environment, I found NIS a reliable service. Our
systems running a BSD flavored OS don't seem to work well with LDAP,
especially those without nsswitch.conf. (Note: I'm not so serious when
writing this, I am strongly influenced by Solaris OE :)
You wrote about a network of Sun boxes. Try docs.sun.com's System
Administration Guide->Naming and Directory Services... I found almost all
the information I needed to configure LDAP server/clients here.
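A small checker for the two files the reply points at, added here as an example and not code from the thread or from any Sun documentation: it parses a Solaris-style pam.conf and reports which services' auth stacks (or the "other" fallback they inherit) carry no pam_ldap.so.1, and lists the lookup sources nsswitch.conf names for a database. The sample file contents are constructed, and the list of CDE services (dtlogin, dtsession) is an assumption about which PAM service names the desktop uses.

```python
import re

# Solaris pam.conf line: service module_type control_flag module_path [options]
PAM_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+.*)?$")

# Constructed sample: console login was converted to LDAP, the CDE entries were not.
SAMPLE_PAM_CONF = """\
login     auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login     auth required   /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
dtlogin   auth required   /usr/lib/security/$ISA/pam_unix.so.1
dtsession auth required   /usr/lib/security/$ISA/pam_unix.so.1
other     auth required   /usr/lib/security/$ISA/pam_unix.so.1
"""
SAMPLE_NSSWITCH = "passwd: files ldap\ngroup:  files ldap\nhosts:  files dns\n"
# Assumed: CDE authenticates through dtlogin (login manager) and dtsession
# (screen lock); 'other' is the fallback for any service with no entry of its own.
CDE_SERVICES = ["login", "dtlogin", "dtsession", "other"]

def parse_pam_conf(text):
    """Return {(service, module_type): [module_path, ...]} in file order."""
    stacks = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        m = PAM_LINE.match(line) if line else None
        if m:
            stacks.setdefault((m.group(1), m.group(2)), []).append(m.group(4))
    return stacks

def missing_ldap_auth(pam_text, services):
    """Services whose auth stack (or the 'other' fallback) has no pam_ldap.so.1."""
    stacks = parse_pam_conf(pam_text)
    missing = []
    for svc in services:
        paths = stacks.get((svc, "auth")) or stacks.get(("other", "auth"), [])
        if not any(p.endswith("pam_ldap.so.1") for p in paths):
            missing.append(svc)
    return missing

def nsswitch_sources(text, database):
    """Lookup sources for a database (e.g. 'passwd'); [status=action] parts stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return re.sub(r"\[[^\]]*\]", "", line.split(":", 1)[1]).split()
    return []

if __name__ == "__main__":
    print("auth stacks without pam_ldap:", missing_ldap_auth(SAMPLE_PAM_CONF, CDE_SERVICES))
```

Run against the constructed sample it flags dtlogin, dtsession and other, which matches the symptom in the original question: console login works, the CDE desktop does not.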