| 1 |
> I've been attempting to get to grips with LDAP with a view to migrating |
| 2 |
> away from NIS, and using it to support the various services I run |
| 3 |
> (notably Samba). |
| 4 |
|
| 5 |
It sounds like your setup is (or will be) nearly identical to ours or at least |
| 6 |
trying to achieve the same thing. |
| 7 |
|
| 8 |
> Now my network is not of a particularly large scale, nonetheless I want |
| 9 |
> to structure the directory according to some notion of order (and in |
| 10 |
> such a fashion as it would work well for a larger organisation too). |
| 11 |
|
| 12 |
Your structure looks fine in general, but I think nss_ldap wants it a certain |
| 13 |
way. Our setup looks like this |
| 14 |
|
| 15 |
dc=physics,dc=tamu,dc=edu |
| 16 |
ou=People |
| 17 |
(Users with uid as the RDN, contain posixAccount, |
| 18 |
sambaAccount, and shadowAccount) |
| 19 |
ou=Group |
| 20 |
(Groups with cn as the RDN, contain posixGroup) |
| 21 |
ou=Computers |
| 22 |
(Samba machine trust accounts, uid as the RDN, which is |
| 23 |
the hostname and a $ at the end, i.e. ATLAS$ for |
| 24 |
atlas.physics.tamu.edu, contain posixAccount and sambaAccount) |
| 25 |
ou=Hosts |
| 26 |
(Not using this one, but it can be used to replace the hosts |
| 27 |
file, contains ipHost) |
| 28 |
|
| 29 |
The base DN can be changed, so if you want more structure above that, that'll |
| 30 |
work too. |
| 31 |
|
| 32 |
> Any insights or additional advice will be gratefully received as I would |
| 33 |
> like to get this just so before fully populating the directory and |
| 34 |
> attempting to configure nss_ldap and such :) |
| 35 |
|
| 36 |
In my experience, migrating user data was one of the worst parts of the whole |
| 37 |
thing. The smbldap-migration tools really didn't do the job right, and in the |
| 38 |
end it was accomplished by entering all the NIS data into LDAP, exporting to |
| 39 |
LDIF, cleaning out LDAP, entering all the Samba data into LDAP, exporting to |
| 40 |
LDIF, and then writing a script to properly merge the LDIF files and fix the |
| 41 |
RIDs for each user. So that wasn't much fun. |
| 42 |
|
| 43 |
Also, I should probably warn you that we've been having problems with some |
| 44 |
little bug somewhere that causes nscd to crash on occasion after we got all this |
| 45 |
set up. I have not been able to track it down because of the lack of debug |
| 46 |
information in the glibc libraries. Since I installed non-stripped glibc libs, |
| 47 |
it has stopped crashing, so I'm not sure what exactly was going on. (Yes, I |
| 48 |
tried rebuilding glibc without the debug first.) |
| 49 |
|
| 50 |
Finally, there's the management issue. For a while I was doing it by hand using |
| 51 |
LDIF files, and then we got LDAP Administrator. It's simplified the process, |
| 52 |
but on the down side it's a Windows program. Currently we're developing a new |
| 53 |
website as a front end to the LDAP, with user administration for us, and |
| 54 |
personal information entry amond other things for the users. |
| 55 |
|
| 56 |
As bad as I've made it sound by now, I do think it has been worth the trouble. |
| 57 |
I still like it better than NIS. If you have any other questions or I left |
| 58 |
something out, let me know, I'll try to answer. |
| 59 |
|
| 60 |
-Andy |
| 61 |
|
| 62 |
------------------------------------------------- |
| 63 |
This mail sent through IMP: http://horde.org/imp/ |
Archives