> I've been attempting to get to grips with LDAP with a view to migrating
> away from NIS, and using it to support the various services I run
> (notably Samba).

It sounds like your setup is (or will be) nearly identical to ours or at least
trying to achieve the same thing.

> Now my network is not of a particularly large scale, nonetheless I want
> to structure the directory according to some notion of order (and in
> such a fashion as it would work well for a larger organisation too).

Your structure looks fine in general, but I think nss_ldap wants it a certain
way. Our setup looks like this:

dc=physics,dc=tamu,dc=edu
  ou=People
    (Users with uid as the RDN, contain posixAccount,
    sambaAccount, and shadowAccount)
  ou=Group
    (Groups with cn as the RDN, contain posixGroup)
  ou=Computers
    (Samba machine trust accounts, uid as the RDN, which is
    the hostname and a $ at the end, i.e. ATLAS$ for
    atlas.physics.tamu.edu, contain posixAccount and sambaAccount)
  ou=Hosts
    (Not using this one, but it can be used to replace the hosts
    file, contains ipHost)

The base DN can be changed, so if you want more structure above that, that'll
work too.

> Any insights or additional advice will be gratefully received as I would
> like to get this just so before fully populating the directory and
> attempting to configure nss_ldap and such :)

In my experience, migrating user data was one of the worst parts of the whole
thing. The smbldap-migration tools really didn't do the job right, and in the
end it was accomplished by entering all the NIS data into LDAP, exporting to
LDIF, cleaning out LDAP, entering all the Samba data into LDAP, exporting to
LDIF, and then writing a script to properly merge the LDIF files and fix the
RIDs for each user. So that wasn't much fun.

Also, I should probably warn you that we've been having problems with some
little bug somewhere that causes nscd to crash on occasion after we got all this
set up. I have not been able to track it down because of the lack of debug
information in the glibc libraries. Since I installed non-stripped glibc libs,
it has stopped crashing, so I'm not sure what exactly was going on. (Yes, I
tried rebuilding glibc without the debug first.)

Finally, there's the management issue. For a while I was doing it by hand using
LDIF files, and then we got LDAP Administrator. It's simplified the process,
but on the down side it's a Windows program. Currently we're developing a new
website as a front end to the LDAP, with user administration for us, and
personal information entry among other things for the users.

As bad as I've made it sound by now, I do think it has been worth the trouble.
I still like it better than NIS. If you have any other questions or I left
something out, let me know, I'll try to answer.

-Andy