Mailinglist Archive: opensuse (1702 mails)

Re: [opensuse] Re: ldap slpd config
  • From: Ralf Haferkamp <rhafer@xxxxxxx>
  • Date: Wed, 16 Sep 2009 10:25:03 +0200
  • Message-id: <200909161025.03690.rhafer@xxxxxxx>
On Wednesday, 16 September 2009 02:18:52, Linda Walsh wrote:
[..]
> But in regards to this:
>>> no scripts or make files to move my /etc passwd+shad+group into it;
>>
>> Yeah, we don't have anything for that on the distro, but usually the
>> available solutions require a lot of manual tweaking anyways.
>
> ---
> That's almost a bug -- since I've seen more than one mention of
> scripts that should help moving existing data into a database.
There are the PADL Migration Tools, which is a set of Perl scripts to move
/etc/passwd users to an LDAP database. But as those scripts need to be
adjusted to fit the specific environment I see no point in packaging them on
the distro. You can get them at www.padl.com.

> I'd really think SuSE 'should' provide something similar,
If you find a good working toolset for that, feel free to add a feature
request to features.opensuse.org, or even better submit packages through the
buildservice.

> I'm a very small
> site (only a few machines), but I'd like to get all of the standard
> /etc/passwd entries and group entries moved into the database.
>
> By far, about 75-85% of my (pw=89 lines, group=106 lines) came
> from the standard suse file and added packages (which add many).
Migrating the system users and groups (everything with a uid or gid < 1000)
from /etc/passwd and /etc/group to LDAP is a very bad idea. You will run into
problems pretty soon. Some of those users and groups are needed during
booting when the network is not yet available, how's the system supposed to
get the information from the LDAP server at that point? Not to mention the
problems that turn up when the LDAP server is not reachable for other reasons.

> The problem I keep having is trying to keep my 3-4 machines in
> sync. So UID's and GID's are same across multiple machines.
AFAIK the important system users that are created as part of rpms always have
the same uid's and gid's.

[..]
> I'm also trying to make sure UID and GID's are equal to
> better support the Windows "advanced" (*cough*) concept of having only 1
> namespace for UID and GID's (SID's). In a way, it yields the advantage
> of allowing any user to be part of a group associated with any
> service or daemon or other user for that matter... That and I
> just want to make sure that if I decide to map all of my linux
> id's into a windows space, nothing will collide... :-)...
Mapping linux uids/gids to Windows SIDs is not easily possible. That's one
reason why Samba exists. It can take care of that. You don't need to have a
unique uid/gid namespace on the Linux side for that, btw.

> ---
> I have very few *real* users, but as I mentioned, I'd like to get
> all of the password files and such into ldap.
Which is generally a bad idea in most setups.

> Are the command-line
> ldap commands compatible with yast2's implementation?
Which ldap commands are you talking about? ldapadd and friends? They are
really low-level, taking only LDIF as input. So yes, if you create a compatible
LDIF you can create compatible users with that. Btw, you can try to use
useradd, groupadd and friends for creating ldap users. See the man pages for
details.

[..]
> BTW, doesn't slapd do 'something' with slpd? Like announce
> itself or something? or announce 'services? or 'well known names'?
slapd can register itself with slpd, yes.

> Oh, this is where I got the idea that GSSAPI was deprecated:
> /etc/ssh/sshd_config
> # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
> # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
> # in this release. The use of 'gssapi' is deprecated due to the presence of
> # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
> -------------
> I had the impression that the protocol itself was flawed and
> deprecated -- does the SuSE LDAP use the newer "with-mic" protocol?
I'd guess that that comment is only specific to the way sshd used
GSSAPI. What I know for sure is that GSSAPI is not deprecated. It's very
widely used.

--
Ralf
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
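As an added illustration of the migration discussed above (not code from this thread, nor from the PADL tools): a minimal LDIF generator for ldapadd that carries uid/gid numbers over unchanged and skips everything below uid/gid 1000, as Ralf recommends. The base DN, the ou=People/ou=Group containers and the passwd/shadow/group lines are constructed assumptions; locked shadow entries ("!" or "*") get no userPassword attribute.

```python
import base64
# Constructed stand-ins for /etc/passwd, /etc/shadow and /etc/group (not real data).
PASSWD = ["root:x:0:0:root:/root:/bin/bash",
          "messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false",
          "linda:x:1000:100:Linda Walsh:/home/linda:/bin/bash",
          "bob:x:1001:1001:Bob :/home/bob:/bin/zsh"]
SHADOW = {"linda": "$6$constructed$hashvalue", "bob": "!"}  # name -> crypt hash
GROUP = ["root:x:0:", "users:x:100:", "bob:x:1001:linda,alice"]
BASE_DN = "dc=example,dc=com"  # assumed suffix; adjust to the real directory
MIN_ID = 1000  # uid/gid below this are system accounts and stay in /etc

def ldif_attr(name, value):
    """One attribute line; base64 ('::') when the value is not an RFC 2849
    SAFE-STRING (leading space/colon/'<', trailing space, non-ASCII, newline)."""
    if (value.isascii() and "\n" not in value and "\r" not in value
            and value[:1] not in (" ", ":", "<") and not value.endswith(" ")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"

def user_ldif(passwd_line, shadow, base_dn=BASE_DN, min_uid=MIN_ID):
    """LDIF entry for one passwd line, or None for a system account."""
    name, _, uid, gid, gecos, home, shell = passwd_line.split(":")
    if int(uid) < min_uid:
        return None
    lines = [f"dn: uid={name},ou=People,{base_dn}", "objectClass: top",
             "objectClass: account", "objectClass: posixAccount",
             "objectClass: shadowAccount", ldif_attr("uid", name),
             ldif_attr("cn", gecos or name), f"uidNumber: {uid}",
             f"gidNumber: {gid}", ldif_attr("homeDirectory", home),
             ldif_attr("loginShell", shell)]
    pw_hash = shadow.get(name, "")
    if pw_hash and pw_hash[0] not in "!*":  # locked/disabled: no password attr
        lines.append(f"userPassword: {{CRYPT}}{pw_hash}")
    return "\n".join(lines) + "\n"

def group_ldif(group_line, base_dn=BASE_DN, min_gid=MIN_ID):
    """LDIF entry for one group line, or None for a system group."""
    name, _, gid, members = group_line.split(":")
    if int(gid) < min_gid:
        return None
    lines = [f"dn: cn={name},ou=Group,{base_dn}", "objectClass: top",
             "objectClass: posixGroup", ldif_attr("cn", name), f"gidNumber: {gid}"]
    lines += [f"memberUid: {m}" for m in members.split(",") if m]
    return "\n".join(lines) + "\n"

def migrate(passwd=PASSWD, shadow=SHADOW, group=GROUP):
    """Complete LDIF for ldapadd; uid/gid numbers are carried over unchanged."""
    entries = [user_ldif(l, shadow) for l in passwd] + [group_ldif(l) for l in group]
    return "\n".join(e for e in entries if e)
```

Feed the output to ldapadd with your directory's admin credentials; on a real system the three inputs come from the files of the same names, and /etc/shadow needs root to read.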
