Hi everybody!
I'm an OpenLDAP absolute beginner, so..
I started my training with user management, and was wondering if it was a good practice to move the whole /etc/passwd to ldap and let nsswitch use just 'ldap' for the passwd, group and shadow items:
passwd: ldap
group: ldap
shadow: ldap
I tried and I faced some obvious issues like client boot errors etc. It worked, but at the cost of a looong timeout..
- Is there any point in moving the whole /etc/passwd and groups, or is it maybe better to move root and the other 'human' accounts, leaving only the system users and groups local?
- Was it better to keep the users' home directories (including /root) locally on the client, or better to move them to the ldap server, letting them be net-mounted on the client fs?
Is it theoretically (and practically :-) ) possible to use ldap and remove from the clients all the account-management-related binaries (useradd etc.) and /etc/passwd and /etc/groups?
maybe naive questions..sorry :-)
bye, Stefano.
Stefano,
There are settings that can be set in PAM's ldap.conf (under /etc) to help abrogate the timeout difficulties. Some aren't documented officially, and so may disappear without notice - but they do help. Google: nss-reconnect_tries.
I wouldn't put root into ldap - if your ldap server is unavailable, logging in could be /very/ difficult. Not to mention if a node connects without encryption and the root account is used. One doesn't have to 'own' a box, merely get to the network to listen in on that.
And for Debian-based distros, I think it would be a good idea to have a local account you can use to sudo to root.
I would also add local to your pam conf - listed after ldap, of course (unless the timeouts are difficult while you're troubleshooting/experimenting).
I would recommend groups and users being put only into ldap, and leaving alone the necessary local accounts and groups for the box to do its job (be it httpd, mysql, etc. users).
As for putting home directories into ldap - I don't think that's possible. I've never seen that in linux personally, but I suspect that would be outside ldap's purview. However, as the user account would be ldap based, it would contain home folder location.
This isn't intended as a complete or authoritative reply - just what I've gleaned - and I've been wrong before (on this list even).
Good luck! - chris
PS: my apologies for top-posting - it's kinda what BBs do.
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
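As an added example (not from either poster), the following script checks the two properties the reply above recommends: local lookups should not depend on the directory, and root should stay a local account. It assumes the usual "files ldap" ordering in nsswitch.conf, which keeps the local files answering first; the sample nsswitch.conf and passwd contents are constructed, not read from a real system.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a client's name-service
# setup so local accounts keep working when the LDAP server is unreachable.
# Sample configs below are constructed; nothing is read from the real system.

# check_nsswitch: reads an nsswitch.conf on stdin; exits 0 only if every
# passwd/group/shadow line lists "files" before "ldap".
check_nsswitch() {
    awk '
        BEGIN { rc = 0 }
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            files = 0; ldap = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !files) files = i
                if ($i == "ldap"  && !ldap)  ldap  = i
            }
            if (!files || (ldap && ldap < files)) {
                print "local lookups wait on LDAP for " $1; rc = 1
            }
        }
        END { exit rc }'
}

# check_local_root: reads a passwd file on stdin; exits 0 if uid 0 is local.
check_local_root() {
    awk -F: 'BEGIN { ok = 0 } $1 == "root" && $3 == 0 { ok = 1 } END { exit !ok }'
}

# The ordering from the original question: every lookup goes to LDAP only.
weak_nsswitch() {
    printf 'passwd: ldap\ngroup:  ldap\nshadow: ldap\n'
}

# Local files answer first, so root and system accounts never block on LDAP.
good_nsswitch() {
    printf 'passwd: files ldap\ngroup:  files ldap\nshadow: files ldap\n'
}

# Constructed local /etc/passwd keeping root plus a daemon account.
local_passwd() {
    printf 'root:x:0:0:root:/root:/bin/sh\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n'
}

weak_nsswitch | check_nsswitch || echo "weak config rejected"
good_nsswitch | check_nsswitch && echo "hardened config accepted"
local_passwd | check_local_root && echo "root is a local account"
```

Run it against a real client with `check_nsswitch < /etc/nsswitch.conf` and `check_local_root < /etc/passwd`; a non-zero exit from either is the case the reply warns about, where a lost directory server also locks out local logins.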
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Wed Oct 06 07:23:11 2010
Subject: best practice and account management (passwd)