Re: LDAP replacing NIS...?
From: Pavol Kvanka (pali@unitra.sk)
Date: 01/30/03
- Previous message: Akop Pogosian: "Re: LDAP replacing NIS...?"
- In reply to: Gregory Hicks: "LDAP replacing NIS...?"
Date: Thu, 30 Jan 2003 11:40:37 +0100 (CET)
From: Pavol Kvanka <pali@unitra.sk>
To: Gregory Hicks <ghicks@cadence.com>

> Has anyone tried to use LDAP to replace the NIS passwd (also hosts,
> group, aliases, et al)? We have converted a system to using LDAP
> queries to authenticate users working, but once we changed to LDAP,
> users can no longer login to their CDE desktop.
>

I started with OpenLDAP server and everything went okay. Then I tried
iPlanet Directory Server; all things go fine, and I haven't encountered any
problems. Maybe you should have a look at your Solaris /etc/pam.conf file,
whether all appropriate items are given their pam_ldap.so.1 authentication
component. You should consult your nsswitch.conf file, as well. Check your
manual pages for the ldap_cachemgr and appropriate configuration files in
the /var/ldap directory for exact configuration of search scope, service
authentication method, etc. Have a look at your directory server's ACLs
for userPassword, as well. My configuration works in Solaris 8 and 9
environments; it was also tested on Linux boxes to authenticate users, but
I guess it needs some more work to be done with configuring nsswitch.conf
and PAM.

> Given a mix of SunOS 4.x, Solaris 2.5, 2.5.1, 2.6, 7-9, is there a
> really good method to make the switch? Or are we, for the near term,
> going to be maintaining the maps in LDAP and periodically 'pushing' the
> source maps to the remote NIS masters?
>

In my opinion, mixing NIS and LDAP brings more problems than if your nodes
used just one type of information service. I experienced that older Solarises
had problems when using LDAP authentication; they "liked" only NIS. In
such a heterogeneous environment, I found NIS a reliable service. Our
systems running a BSD-flavored OS don't seem to work well with LDAP,
especially those without nsswitch.conf. (Note: I'm not so serious when
writing this, I am strongly influenced by Solaris OE :)

You wrote about a network of Sun boxes. Try docs.sun.com's System
Administration Guide->Naming and Directory Services... I found almost all
the information I needed to configure LDAP server/clients here.
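
The pam.conf and nsswitch.conf checks suggested in the reply above can be scripted. This is an added example, not part of the original message: the sample files are constructed, the function names are hypothetical, and `dtlogin` as the PAM service name for the CDE login is an assumption.

```shell
#!/bin/sh
# Print each PAM service that has "auth" entries in a pam.conf-style file
# (service type control module [options]) but none using pam_ldap.so.1.
pam_auth_missing_ldap() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        $2 == "auth" {
            seen[$1] = 1
            if ($4 ~ /pam_ldap\.so\.1$/) ldap[$1] = 1
        }
        END { for (s in seen) if (!(s in ldap)) print s }
    ' "$1" | sort
}

# Print each named database whose nsswitch.conf line does not list "ldap".
nss_missing_ldap() {
    file=$1; shift
    for db in "$@"; do
        awk -v db="$db:" '
            $1 == db { found = 1; for (i = 2; i <= NF; i++) if ($i == "ldap") ok = 1 }
            END { exit !(found && ok) }
        ' "$file" || echo "$db"
    done
}

# Write constructed sample files (not from the original post) into directory $1.
write_samples() {
    cat > "$1/pam.conf" <<'EOF'
# service  type     control     module
login      auth     required    /usr/lib/security/pam_unix.so.1
login      auth     sufficient  /usr/lib/security/pam_ldap.so.1
dtlogin    auth     required    /usr/lib/security/pam_unix.so.1
other      auth     required    /usr/lib/security/pam_unix.so.1
other      auth     sufficient  /usr/lib/security/pam_ldap.so.1
login      account  required    /usr/lib/security/pam_unix.so.1
EOF
    cat > "$1/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files
hosts:  files dns
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
echo "PAM services whose auth stack lacks pam_ldap.so.1:"
pam_auth_missing_ldap "$dir/pam.conf"
echo "nsswitch.conf databases without ldap:"
nss_missing_ldap "$dir/nsswitch.conf" passwd group
rm -rf "$dir"
```

On the sample files this reports `dtlogin` and `group`; on a real client, point the two functions at /etc/pam.conf and /etc/nsswitch.conf.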