| 1 |
On Mon, 2003-11-17 at 16:44, aechols@××××××××××××.edu wrote: |
| 2 |
> It sounds like your setup is (or will be) nearly identical to ours or at least |
| 3 |
> trying to achieve the same thing. |
| 4 |
> |
| 5 |
|
| 6 |
Ah, very good! |
| 7 |
|
| 8 |
> Your structure looks fine in general, but I think nss_ldap wants it a certain |
| 9 |
> way. Our setup looks like this |
| 10 |
> |
| 11 |
> dc=physics,dc=tamu,dc=edu |
| 12 |
> ou=People |
| 13 |
> (Users with uid as the RDN, contain posixAccount, |
| 14 |
> sambaAccount, and shadowAccount) |
| 15 |
> ou=Group |
| 16 |
> (Groups with cn as the RDN, contain posixGroup) |
| 17 |
> ou=Computers |
| 18 |
> (Samba machine trust accounts, uid as the RDN, which is |
| 19 |
> the hostname and a $ at the end, i.e. ATLAS$ for |
| 20 |
> atlas.physics.tamu.edu, contain posixAccount and sambaAccount) |
| 21 |
> ou=Hosts |
| 22 |
> (Not using this one, but it can be used to replace the hosts |
| 23 |
> file, contains ipHost) |
| 24 |
> |
| 25 |
|
| 26 |
Interesting. I shall experiment accordingly in due course. |
| 27 |
|
| 28 |
> > Any insights or additional advice will be gratefully received as I would |
| 29 |
> > like to get this just so before fully populating the directory and |
| 30 |
> > attempting to configure nss_ldap and such :) |
| 31 |
> |
| 32 |
> In my experience, migrating user data was one of the worst parts of the whole |
| 33 |
> thing. The smbldap-migration tools really didn't do the job right, and in the |
| 34 |
|
| 35 |
Yes, the tools were useful in so far as gaining some insights into how |
| 36 |
the data should manifest itself, but I would probably enter most of the |
| 37 |
data from scratch in any case. |
| 38 |
|
| 39 |
> Also, I should probably warn you that we've been having problems with some |
| 40 |
> little bug somewhere that causes nscd to crash on occasion after we got all this |
| 41 |
> set up. I have not been able to track it down because of the lack of debug |
| 42 |
> information in the glibc libraries. Since I installed non-stripped glibc libs, |
| 43 |
> it has stopped crashing, so I'm not sure what exactly was going on. (Yes, I |
| 44 |
> tried rebuilding glibc without the debug first.) |
| 45 |
|
| 46 |
I would never run a stripped glibc in any case - but thanks for the |
| 47 |
heads up. |
| 48 |
|
| 49 |
> |
| 50 |
> Finally, there's the management issue. For a while I was doing it by hand using |
| 51 |
> LDIF files, and then we got LDAP Administrator. It's simplified the process, |
| 52 |
> but on the down side it's a Windows program. Currently we're developing a new |
| 53 |
> website as a front end to the LDAP, with user administration for us, and |
| 54 |
> personal information entry amond other things for the users. |
| 55 |
> |
| 56 |
|
| 57 |
I've been using a combination of phpldapadmin (now in portage) and gq to |
| 58 |
do the trick. I find gq to be very nice as a general LDAP management |
| 59 |
tool, and phpldapadmin is looking quite promising also - might be worth |
| 60 |
investigating the templates that it provides. I believe it is quite |
| 61 |
trivial to adapt them or create new ones. There is also something called |
| 62 |
gosa (haven't tried, but the screenshots look nice). |
| 63 |
|
| 64 |
> As bad as I've made it sound by now, I do think it has been worth the trouble. |
| 65 |
> I still like it better than NIS. If you have any other questions or I left |
| 66 |
> something out, let me know, I'll try to answer. |
| 67 |
|
| 68 |
Much obliged, I will certainly take you up on that offer should I have |
| 69 |
any further queries. To be honest, NIS isn't a huge issue here as the |
| 70 |
clients consist mostely of Windows boxen but that doesn't deter me from |
| 71 |
wanting to master the method :) The most important thing for me |
| 72 |
initially is making it play with qmail (might move to postfix), samba, |
| 73 |
courier-imap and several others. In any case, I shall see how I get on |
| 74 |
over this week. |
| 75 |
|
| 76 |
Regards, |
| 77 |
|
| 78 |
--Kerin Francis Millar (kerframil) |
Archives