Re: LDAP replacing NIS...?

From: Pavol Kvanka (pali@unitra.sk)
Date: 01/30/03

    Date: Thu, 30 Jan 2003 11:40:37 +0100 (CET)
    From: Pavol Kvanka <pali@unitra.sk>
    To: Gregory Hicks <ghicks@cadence.com>
    > Has anyone tried to use LDAP to replace the NIS passwd (also hosts,
    > group, aliases, et al)? We have converted a system to using LDAP
    > queries to authenticate users working, but once we changed to LDAP,
    > users can no longer login to their CDE desktop.
    >

    I started with OpenLDAP server and everything went okay. Then I tried
    iPlanet Directory Server; all things went fine, I haven't encountered any
    problem. Maybe you should have a look at your Solaris /etc/pam.conf file,
    whether all appropriate items are given their pam_ldap.so.1 authentication
    component. You should consult your nsswitch.conf file, as well. Check your
    manual pages for the ldap_cachemgr and appropriate configuration files in
    the /var/ldap directory for exact configuration of search scope, service
    authentication method, etc. Have a look at your directory server's ACLs
    for userPassword, as well. My configuration works in Solaris 8 and 9
    environments; it was also tested on Linux boxes to authenticate users, but
    I guess it needs some more work to be done with configuring nsswitch.conf
    and PAM.

    > Given a mix of SunOS 4.x, Solaris 2.5, 2.5.1, 2.6, 7-9, is there a
    > really good method to make the switch? Or are we, for the near term,
    > going to be maintaining the maps in LDAP and periodically 'pushing' the
    > source maps to the remote NIS masters?
    >

    In my opinion, mixing NIS and LDAP brings more problems than if your nodes
    used just one type of information service. I found that older Solarises
    had problems when using LDAP authentication; they "liked" only NIS. In
    such a heterogeneous environment, I found NIS a reliable service. Our
    systems running a BSD flavored OS don't seem to work well with LDAP,
    especially those without nsswitch.conf. (Note: I'm not so serious when
    writing this, I am strongly influenced by Solaris OE :)

    You wrote about a network of Sun boxes. Try docs.sun.com's System
    Administration Guide->Naming and Directory Services... I found almost all
    the information I needed to configure LDAP server/clients there.
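The reply above points at two files, /etc/pam.conf and /etc/nsswitch.conf, as the first place to look when LDAP-only users can no longer log in to CDE. The checker below is an added example, not code from the thread or from Sun: it parses a Solaris-style pam.conf (service, module type, control flag, module path, options) and a nsswitch.conf, and reports whether the login and dtlogin services actually stack pam_ldap.so.1 and whether passwd and group consult ldap. The sample files are constructed for the demonstration; the pam.conf lines follow the Solaris 8 layout with pam_unix.so.1 followed by pam_ldap.so.1, and the "bad" sample shows the case where only the login service was converted while dtlogin kept its pam_unix-only entry.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity-check a Solaris-style
# pam.conf and nsswitch.conf for LDAP coverage of the login services.

# pam_has_ldap PAMCONF SERVICE MODULE_TYPE
# Succeeds when SERVICE stacks pam_ldap.so.1 for MODULE_TYPE. When SERVICE has
# no entries of that module type, Solaris PAM falls back to the "other"
# service, so the check does the same before looking for pam_ldap.so.1.
pam_has_ldap() {
    pl_conf=$1 pl_svc=$2 pl_type=$3
    if ! awk -v s="$pl_svc" -v t="$pl_type" \
            '$1 !~ /^#/ && $1 == s && $2 == t { f = 1 } END { exit !f }' "$pl_conf"; then
        pl_svc=other
    fi
    awk -v s="$pl_svc" -v t="$pl_type" \
        '$1 !~ /^#/ && $1 == s && $2 == t && $4 ~ /pam_ldap\.so\.1$/ { f = 1 }
         END { exit !f }' "$pl_conf"
}

# nss_uses_ldap NSSWITCH DATABASE
# Succeeds when the DATABASE line (e.g. "passwd: files ldap") lists ldap.
nss_uses_ldap() {
    awk -v db="$2" '
        { sub(/#.*/, ""); n = split($0, w, /[ \t:]+/)
          if (w[1] == db) for (i = 2; i <= n; i++) if (w[i] == "ldap") f = 1 }
        END { exit !f }' "$1"
}

# ldap_client_report PAMCONF NSSWITCH
# Prints one line per check; the return value is the number of failed checks.
ldap_client_report() {
    rp_pam=$1 rp_nss=$2 rp_failed=0
    for rp_svc in login dtlogin; do        # dtlogin is the CDE login service
        if pam_has_ldap "$rp_pam" "$rp_svc" auth; then
            echo "ok       pam.conf: $rp_svc auth stacks pam_ldap.so.1"
        else
            echo "MISSING  pam.conf: $rp_svc auth does not stack pam_ldap.so.1"
            rp_failed=$((rp_failed + 1))
        fi
    done
    for rp_db in passwd group; do
        if nss_uses_ldap "$rp_nss" "$rp_db"; then
            echo "ok       nsswitch.conf: $rp_db consults ldap"
        else
            echo "MISSING  nsswitch.conf: $rp_db does not consult ldap"
            rp_failed=$((rp_failed + 1))
        fi
    done
    return $rp_failed
}

# Constructed sample files (Solaris 8 style pam.conf; $ISA is kept literal).
SAMPLE_DIR=$(mktemp -d)

# login and dtlogin both converted: pam_unix.so.1 first, pam_ldap.so.1 second.
cat > "$SAMPLE_DIR/pam.conf.good" <<'EOF'
# Authentication management
login   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
dtlogin auth required   /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
other   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
EOF

# Only login converted: dtlogin's explicit pam_unix-only entry still applies,
# so the "other" fallback never helps and LDAP-only users cannot reach CDE.
cat > "$SAMPLE_DIR/pam.conf.bad" <<'EOF'
login   auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
login   auth required   /usr/lib/security/$ISA/pam_ldap.so.1 try_first_pass
dtlogin auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
EOF

cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns
EOF

echo "== both login services converted =="
ldap_client_report "$SAMPLE_DIR/pam.conf.good" "$SAMPLE_DIR/nsswitch.conf" || true
echo "== dtlogin left on pam_unix only =="
ldap_client_report "$SAMPLE_DIR/pam.conf.bad" "$SAMPLE_DIR/nsswitch.conf" || true
```

To run it against a real client, call ldap_client_report with /etc/pam.conf and /etc/nsswitch.conf instead of the sample files; a MISSING line for dtlogin with an ok line for login is exactly the "console login works, CDE does not" symptom the question describes. The check only covers the auth stack and the passwd/group databases, which is what a login needs; account and password entries, the /var/ldap client files and the server's ACL on userPassword, also mentioned in the reply, still have to be inspected by hand.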