On Wednesday 16 September 2009 02:18:52 Linda Walsh wrote:
[..]
> But in regards to this:
> > no scripts or make files to move my /etc passwd+shad+group into it;
> > Yeah, we don't have anything for that on the distro, but usually the available solutions require a lot of manual tweaking anyways.
> --- That's almost a bug -- since I've seen more than one mention of scripts that should help moving existing data into a database.

There are the PADL Migration Tools, which is a set of Perl scripts to move /etc/passwd users to an LDAP database. But as those scripts need to be adjusted to fit the specific environment I see no point in packaging them on the distro. You can get them at www.padl.com.

> I'd really think SuSE 'should' provide something similar,

If you find a good working toolset for that, feel free to add a feature request to features.opensuse.org, or even better submit packages through the buildservice.
> I'm a very small site (only a few machines), but I'd like to get all of the standard /etc/passwd entries and group entries moved into the database.
> By far, about 75-85% of my (pw=89 lines, group=106 lines) came from the standard suse file and added packages (which add many).

Migrating the system users and groups (everything with a uid or gid < 1000) from /etc/passwd and /etc/group to LDAP is a very bad idea. You will run into problems pretty soon. Some of those users and groups are needed during booting when the network is not yet available; how is the system supposed to get the information from the LDAP server at that point? Not to mention the problems that turn up when the LDAP server is not reachable for other reasons.

> The problem I keep having is trying to keep my 3-4 machines in sync. So UID's and GID's are the same across multiple machines.

AFAIK the important system users that are created as part of rpms always have the same uid's and gid's.
[..]
> I'm also trying to make sure UID and GID's are equal to better support the Windows "advanced" (*cough*) concept of having only 1 namespace for UID and GID's (SID's). In a way, it yields the advantage of allowing any user to be part of a group associated with any service or daemon or other user for that matter... That and I just want to make sure that if I decide to map all of my linux id's into a windows space, nothing will collide... :-)...

Mapping linux uids/gids to Windows SIDs is not easily possible. That's one reason why Samba exists. It can take care of that. You don't need to have a unique uid/gid namespace on the Linux side for that, btw.

> --- I have very few *real* users, but as I mentioned, I'd like to get all of the password files and such into ldap.

Which is generally a bad idea in most setups.

> Are the command-line ldap commands compatible with yast2's implementation?

Which ldap commands are you talking about? ldapadd and friends? They are really low-level, taking only LDIF as input. So yes, if you create a compatible LDIF you can create compatible users with that. Btw, you can try to use useradd, groupadd and friends for creating ldap users. See the man pages for details.
[..]
> BTW, doesn't slapd do 'something' with slpd? Like announce itself or something? or announce 'services? or 'well known names'?

slapd can register itself with slpd, yes.

> Oh, this is where I got the idea that GSSAPI was deprecated: /etc/ssh/sshd_config
>
> # Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
> # mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
> # in this release. The use of 'gssapi' is deprecated due to the presence of
> # potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
> -------------
> I had the impression that the protocol itself was flawed and deprecated -- does the SuSE LDAP use the newer "with-mic" protocol?

I'd guess that that comment is only specific to the way sshd used GSSAPI. What I know for sure is that GSSAPI is not deprecated. It's very widely used.
--
Ralf
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
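The two practical points in the reply above (ldapadd takes only LDIF, and accounts with a uid/gid below 1000 should stay in the local files) can be combined into a small migration script. The following is an added example written for this page; it is neither code from the thread nor the PADL Migration Tools. It reads passwd/group/shadow text, skips system ids, and emits posixAccount/posixGroup entries for ldapadd. The suffix dc=example,dc=com, the ou=People and ou=Group containers, and the sample account lines are all constructed assumptions; the shadow hashes carried into userPassword are placeholders, and reading the real /etc/shadow requires root.

```python
"""Emit LDIF for non-system users and groups from passwd/group/shadow text.

Added example (not from the thread or from the PADL tools): applies the
rule "leave everything with uid/gid < 1000 in /etc/passwd and /etc/group"
and produces entries that ldapadd can load. Base DN and containers are
assumptions; adjust them to the layout YaST created on your server.
"""
import base64
import sys

BASE_DN = "dc=example,dc=com"           # assumption: replace with your suffix
PEOPLE_DN = "ou=People," + BASE_DN      # assumption
GROUP_DN = "ou=Group," + BASE_DN        # assumption
MIN_ID = 1000                           # ids below this stay in the local files


def ldif_attr(name, value):
    """Format one attribute line; base64-encode ('::') values LDIF cannot
    carry literally: non-ASCII, newlines, leading/trailing space, or a
    leading ':' or '<' (RFC 2849 SAFE-STRING rules)."""
    plain = (value.isascii() and "\n" not in value and "\r" not in value
             and value == value.strip(" ") and value[:1] not in (":", "<"))
    if plain:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def _records(text):
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line


def parse_passwd(text):
    users = []
    for line in _records(text):
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users.append({"name": name, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def parse_group(text):
    groups = []
    for line in _records(text):
        name, _pw, gid, members = line.split(":", 3)
        groups.append({"name": name, "gid": int(gid),
                       "members": [m for m in members.split(",") if m]})
    return groups


def parse_shadow(text):
    """Return {user: crypt hash}. Locked ('!'/'*') entries carry no usable
    hash, so those users get no userPassword and cannot bind."""
    hashes = {}
    for line in _records(text):
        name, pw = line.split(":", 2)[:2]
        if pw and pw[0] not in "!*":
            hashes[name] = pw
    return hashes


def user_entry(u, crypt_hash=None):
    # Assumes plain usernames; an RDN with special characters would need escaping.
    lines = [f"dn: uid={u['name']},{PEOPLE_DN}",
             "objectClass: top", "objectClass: account", "objectClass: posixAccount",
             ldif_attr("uid", u["name"]),
             ldif_attr("cn", u["gecos"].split(",")[0] or u["name"]),
             f"uidNumber: {u['uid']}",
             f"gidNumber: {u['gid']}",   # may point at a local group; NSS merges both
             ldif_attr("homeDirectory", u["home"]),
             ldif_attr("loginShell", u["shell"] or "/bin/false")]
    if u["gecos"]:
        lines.append(ldif_attr("gecos", u["gecos"]))
    if crypt_hash:
        lines.append("objectClass: shadowAccount")
        lines.append(ldif_attr("userPassword", "{CRYPT}" + crypt_hash))
    return "\n".join(lines) + "\n"


def group_entry(g):
    lines = [f"dn: cn={g['name']},{GROUP_DN}", "objectClass: top",
             "objectClass: posixGroup", ldif_attr("cn", g["name"]),
             f"gidNumber: {g['gid']}"]
    lines += [ldif_attr("memberUid", m) for m in g["members"]]
    return "\n".join(lines) + "\n"


def migrate(passwd_text, group_text, shadow_text="", min_id=MIN_ID):
    """Return (ldif, skipped): LDIF for ids >= min_id and the names left local."""
    hashes = parse_shadow(shadow_text)
    entries, skipped = [], []
    for u in parse_passwd(passwd_text):
        if u["uid"] < min_id:
            skipped.append("user " + u["name"])
        else:
            entries.append(user_entry(u, hashes.get(u["name"])))
    for g in parse_group(group_text):
        if g["gid"] < min_id:
            skipped.append("group " + g["name"])
        else:
            entries.append(group_entry(g))
    return "\n".join(entries), skipped


# Constructed sample input (not real accounts); hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
messagebus:x:100:101:User for D-Bus:/run/dbus:/bin/false
linda:x:1000:100:Linda Walsh:/home/linda:/bin/bash
bob:x:1001:1001:Bob Example,,,:/home/bob:/bin/zsh
jose:x:1002:100:José Example:/home/jose:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
messagebus:x:101:
bob:x:1001:
admins:x:1002:linda,bob
"""
SAMPLE_SHADOW = """\
root:$6$saltsalt$rootplaceholder:14500:0:99999:7:::
linda:$6$abc$defghij:14500:0:99999:7:::
bob:!:14500:0:99999:7:::
jose:*:14500:0:99999:7:::
"""

if __name__ == "__main__":
    # Usage: python migrate.py /etc/passwd /etc/group [/etc/shadow] | ldapadd -x -D ... -W
    if len(sys.argv) >= 3:
        texts = [open(p, encoding="utf-8", errors="surrogateescape").read()
                 for p in sys.argv[1:4]]
        ldif, skipped = migrate(*texts)
    else:
        ldif, skipped = migrate(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW)
    sys.stdout.write(ldif)
    sys.stderr.write("left local: " + ", ".join(skipped) + "\n")
```

Pipe the output into ldapadd against the YaST-created suffix; the names reported on stderr are the system accounts that must remain in the local files so that boot-time services resolve without the directory. Users whose shadow entry is locked get no userPassword at all, so they cannot bind until an administrator sets one with ldappasswd.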