On Mon, 2003-11-17 at 16:44, aechols@××××××××××××.edu wrote:
> It sounds like your setup is (or will be) nearly identical to ours or at least
> trying to achieve the same thing.
>

Ah, very good!

> Your structure looks fine in general, but I think nss_ldap wants it a certain
> way. Our setup looks like this
>
> dc=physics,dc=tamu,dc=edu
>     ou=People
>         (Users with uid as the RDN, contain posixAccount,
>         sambaAccount, and shadowAccount)
>     ou=Group
>         (Groups with cn as the RDN, contain posixGroup)
>     ou=Computers
>         (Samba machine trust accounts, uid as the RDN, which is
>         the hostname and a $ at the end, i.e. ATLAS$ for
>         atlas.physics.tamu.edu, contain posixAccount and sambaAccount)
>     ou=Hosts
>         (Not using this one, but it can be used to replace the hosts
>         file, contains ipHost)
>

Interesting. I shall experiment accordingly in due course.

> > Any insights or additional advice will be gratefully received as I would
> > like to get this just so before fully populating the directory and
> > attempting to configure nss_ldap and such :)
>
> In my experience, migrating user data was one of the worst parts of the whole
> thing. The smbldap-migration tools really didn't do the job right, and in the

Yes, the tools were useful in so far as gaining some insights into how
the data should manifest itself, but I would probably enter most of the
data from scratch in any case.

> Also, I should probably warn you that we've been having problems with some
> little bug somewhere that causes nscd to crash on occasion after we got all this
> set up. I have not been able to track it down because of the lack of debug
> information in the glibc libraries. Since I installed non-stripped glibc libs,
> it has stopped crashing, so I'm not sure what exactly was going on. (Yes, I
> tried rebuilding glibc without the debug first.)

I would never run a stripped glibc in any case - but thanks for the
heads up.

>
> Finally, there's the management issue. For a while I was doing it by hand using
> LDIF files, and then we got LDAP Administrator. It's simplified the process,
> but on the down side it's a Windows program. Currently we're developing a new
> website as a front end to the LDAP, with user administration for us, and
> personal information entry among other things for the users.
>

I've been using a combination of phpldapadmin (now in portage) and gq to
do the trick. I find gq to be very nice as a general LDAP management
tool, and phpldapadmin is looking quite promising also - might be worth
investigating the templates that it provides. I believe it is quite
trivial to adapt them or create new ones. There is also something called
gosa (haven't tried, but the screenshots look nice).

> As bad as I've made it sound by now, I do think it has been worth the trouble.
> I still like it better than NIS. If you have any other questions or I left
> something out, let me know, I'll try to answer.

Much obliged, I will certainly take you up on that offer should I have
any further queries. To be honest, NIS isn't a huge issue here as the
clients consist mostly of Windows boxen but that doesn't deter me from
wanting to master the method :) The most important thing for me
initially is making it play with qmail (might move to postfix), samba,
courier-imap and several others. In any case, I shall see how I get on
over this week.

Regards,

--Kerin Francis Millar (kerframil)