LDAP, ActiveDirectory and the death of Linux at corporate

Brian Fahrlander brian at fahrlander.net
Wed Aug 15 20:25:02 UTC 2007

Smoot Carl-Mitchell wrote:
> On Wed, 2007-08-15 at 13:59 -0500, Brian Fahrlander wrote:
>>      It's fabulous; I'm happy for your help. It'll only take a handful 
>> of us, in total, to get the ball rolling!
> I have set up OpenLDAP using the NIS schema from PADL and the various
> auxiliary bits and pieces (nss_ldap, pam_ldap) for a complete
> authentication system with replicated slave servers. Authentication was
> at the granularity of an individual host or group of hosts.
> I also integrated sudo into this environment, so I could manage sudo
> access via the directory.  This all worked in a production environment
> for over two years with the only restarts needed to update the SSL
> certificates each year. It was extremely stable and saved me an enormous
> amount of time doing account management.
> I also wrote a front-end Web based interface (Unix/Linux centric) for
> administration.  I can share slides I put together on this system, if
> any of you are interested. The admin code is Open Sourced under the
> GPL2, so anyone you wants to use it is free to download the code.

     If you can explain the internal differences of PosixAccount versus 
InetOrgAccount, you're the guy I was just talking about!  :)

     The core of the problem is _making_decisions_. It's not technical, 
but it's rooted (pardon the pun) in the schemas.  What I'd like to do 
is, with someone looking over my shoulder, edit the current Howtos to 
show how _anyone_ can set up an LDAP, guiding the user by making some of 
these esoteric decisions for them. Once they have something that _works_ 
they can learn from it, and modify it. (Like I did, but easier.)

     Case in point: "ou=namepart, o=othernamepart" or 
"dn=domainpart,dn=othernamepart".  The industry seems to have settled on 
the second choice, so that's the way I expect I'll proceed. But I only 
have my own viewpoint to make such a decision...and that's as a sysadmin 
that loves LDAP, and see how vital it is to retaining customers.

     I'm thrilled to hear about your host-level access; that something 
that Redhat seems to get right, but on our side we're stuck guessing at 
questions instead of making it work.

     One key problem is in the decision between PosixAccount and 
InetOrgAccount (or person?). Dependencies deny the use of a "HostObject" 
so you can put host names in there.

     Well the other day I came across the mechanism by which to add a 
schema, and put one on, anyway.  Problem is, I can't get 
pam_ldap/nss_ldap to recognize it properly.  But the hard part is 
complete, anyway.

     Do you have experience attaching things like addressbooks and such? 
Whatever decisions we make have a huge bearing on them and their 

     (And thanks for speaking up!)

  Brian Fahrländer                 Christian, Conservative, and Technomad
  Evansville, IN                              http://Fahrlander.net/brian
  ICQ: 5119262                         AOL/Yahoo/GoogleTalk: WheelDweller

More information about the ubuntu-users mailing list