On 11/30/2011 7:23 AM, Juergen.Sprenger@swisscom.com wrote:
Hi Harry,
I have done this here with an extended schema for a heterogeneous environment of AIX, HPUX, Solaris and Linux.
Extended posixAccount to x-posixAccount with attribute types (complete schema on request):
  'x-homeDirectory' 'x-SolarishomeDirectory' 'x-AIXhomeDirectory' 'x-LinuxhomeDirectory' 'x-HPUXhomeDirectory'
  'x-loginShell' 'x-SolarisloginShell' 'x-AIXloginShell' 'x-LinuxloginShell' 'x-HPUXloginShell'
  'x-uidNumber' 'x-SolarisuidNumber' 'x-AIXuidNumber' 'x-LinuxuidNumber' 'x-HPUXuidNumber'
  'x-gidNumber' 'x-SolarisgidNumber' 'x-AIXgidNumber' 'x-LinuxgidNumber' 'x-HPUXgidNumber'
  'x-AIX5shadowLastChange' 'x-AIX5shadowMin' 'x-AIX5shadowMax' 'x-AIX5shadowWarning' 'x-AIX5shadowInactive' 'x-AIX5shadowExpire' 'x-AIX5shadowFlag'
Object classes: 'x-posixAccount' 'x-shadowAccount' 'x-posixGroup'
Then configure the LDAP clients with the proper attribute mapping; example for Solaris:
  NS_LDAP_ATTRIBUTEMAP= passwd:uidNumber=x-SolarisuidNumber
  NS_LDAP_ATTRIBUTEMAP= passwd:gidNumber=x-SolarisgidNumber
  NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=x-SolarishomeDirectory
  NS_LDAP_ATTRIBUTEMAP= passwd:loginShell=x-SolarisloginShell
Now each operating system can have its own uid/gid combination and shadow attributes for a given username.
The disadvantage is that you have slightly more complex users, and you have to provide consistent settings on all machines of the same operating system.
dn: uid=myname,ou=Person,dc=myEnterprise,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: x-posixAccount
objectClass: shadowAccount
sn: myname
cn: myname
uid: myname
mail: myname@myEnterprise.com
uidNumber: 287564
gecos: myname
displayName: myname
x-LinuxuidNumber: 287564
x-SolarisuidNumber: 287564
x-HPUXuidNumber: 287564
x-AIXuidNumber: 287564
homeDirectory: /home/myname
x-AIXhomeDirectory: /home/myname
x-HPUXhomeDirectory: /home/myname
x-LinuxhomeDirectory: /home/myname
x-SolarishomeDirectory: /home/myname
loginShell: /usr/bin/bash
x-LinuxloginShell: /bin/bash
x-HPUXloginShell: /bin/ksh
x-SolarisloginShell: /usr/bin/bash
x-AIXloginShell: /bin/sh
gidNumber: 50001
x-HPUXgidNumber: 50001
x-SolarisgidNumber: 50001
x-LinuxgidNumber: 50001
x-AIXgidNumber: 50001
...
Kind regards
Juergen Sprenger
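The per-OS attribute map above is applied on the client side, so the directory itself never tells you whether an entry is consistent for a given OS. The script below is an added example (not part of the original post, nor of any OpenLDAP or vendor tool): it reads LDIF, applies the same x-<OS><attr>-wins-over-generic mapping that the client attribute map performs, and reports where an OS silently falls back to the generic value, where uidNumber differs between OS views (harmless by design, but a problem on shared NFS homes), and where a resolved login shell is outside an assumed allow-list. It also handles the LDIF "::" base64 form, so a double colon in an entry is decoded rather than read literally. The sample LDIF, the dc=example DNs, the user names and the allowed-shell set are all constructed for the example.

```python
"""Resolve and audit per-OS POSIX attributes stored in one LDAP entry.

Added example, not code from the original thread. Attribute names follow
the x-<OS><attr> scheme described in the post; DNs, values and the
allowed-shell policy are assumptions made for the example.
"""
import base64
from typing import Dict, List

OSES = ("Linux", "Solaris", "HPUX", "AIX")
POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
# Assumed site policy: shells an interactive account may be mapped to.
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/bash", "/bin/ksh"}

# Constructed sample data. 'alice' is consistent; 'bob' has an AIX uid that
# differs from the other OS views, a base64 ('::') AIX shell value, and a
# Solaris shell outside the allowed set.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Person,dc=example,dc=com
objectClass: posixAccount
objectClass: x-posixAccount
uid: alice
uidNumber: 287564
gidNumber: 50001
homeDirectory: /home/alice
loginShell: /bin/bash
x-LinuxuidNumber: 287564
x-SolarisuidNumber: 287564
x-HPUXuidNumber: 287564
x-AIXuidNumber: 287564
x-HPUXloginShell: /bin/ksh

dn: uid=bob,ou=Person,dc=example,dc=com
objectClass: posixAccount
objectClass: x-posixAccount
uid: bob
uidNumber: 300001
gidNumber: 50001
homeDirectory: /home/bob
loginShell: /bin/bash
x-LinuxuidNumber: 300001
x-AIXuidNumber: 300002
x-AIXloginShell:: L2Jpbi9zaA==
x-SolarisloginShell: /usr/local/bin/zsh
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    skips comments, and decodes '::' base64 values to plain strings."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def resolve_posix(entry: Dict[str, List[str]], os_name: str) -> Dict[str, str]:
    """Apply the client-side attribute map for one OS: x-<OS><attr> wins,
    the generic posixAccount attribute is the fallback (what a client with
    no attribute map would see)."""
    view = {}
    for attr in POSIX_ATTRS:
        specific = entry.get(f"x-{os_name}{attr}")
        view[attr] = (specific or entry.get(attr, [None]))[0]
    return view


def audit(entries: List[Dict[str, List[str]]], oses=OSES) -> List[str]:
    """Return human-readable findings for each entry and OS view."""
    findings: List[str] = []
    for entry in entries:
        dn = entry["dn"][0]
        views = {o: resolve_posix(entry, o) for o in oses}
        for attr in POSIX_ATTRS:
            missing = [o for o in oses if f"x-{o}{attr}" not in entry]
            if missing:
                findings.append(f"{dn}: {attr} falls back to generic value for {','.join(missing)}")
        uids = {v["uidNumber"] for v in views.values()}
        if len(uids) > 1:                 # by design, but fatal on shared NFS homes
            findings.append(f"{dn}: uidNumber differs across OSes: {sorted(uids)}")
        for o, v in views.items():
            if v["loginShell"] not in ALLOWED_SHELLS:
                findings.append(f"{dn}: {o} loginShell {v['loginShell']!r} not in allowed set")
    return findings


SAMPLE_ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for line in audit(SAMPLE_ENTRIES):
        print(line)
```

Run it against a real export (`ldapsearch -LLL ... > users.ldif`, then `parse_ldif(open("users.ldif").read())`) before changing a client's attribute map: the "falls back to generic value" findings are exactly the accounts whose behaviour changes the moment the map is switched on for that OS.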
Juergen, thanks very much for this. I think your approach strikes a balance between storing the same data in more than one place (separate whole ou trees for each OS, duplicating other information, with the benefit of no schema changes) and returning exactly the one result wanted for a given search (a practical necessity, as those who aren't given to maintaining LDAP clients like nslcd/nss_ldap are not able to make them iterate through a number of home-directory results with the same name, looking for attributes to discern which one is intended).
The downside of your approach is, as you note, no machine-specific variants, but those are few enough that they can be put in the relevant machine's passwd file, with that set to be searched before LDAP.
openldap-technical@openldap.org