Re: Sync /etc/passwd



Good, but how can I leave the /etc/passwd on the ldap-server, so the
diskless login will search on the ldap-server?

Ivo Clarysse wrote:
> 
> On Mon, 21 Feb 2000, Claudio Miranda wrote:
> 
> > Dear all, I'd like to know if LDAP can synchronize /etc/passwd across the
> > clients like (arghh!) WinNT does; I depend on this to begin a good
> > diskless solution, which I will post here afterwards.
> 
> If you let the clients authenticate themselves using LDAP (for example,
> with pam_ldap on Solaris or Linux), you don't need to do this.
> 
> If you insist on local copies in /etc/passwd, a simple solution is
> to let each client periodically generate a new /etc/passwd from the
> information in LDAP.  Updates to the LDAP tree will only be reflected
> _AFTER_ the client has updated its /etc/passwd; in many cases this is
> acceptable (i.e. changing a user's password on the LDAP server will not
> have an immediate effect on the client machines).
> 
> This perl script retrieves user accounts from LDAP and creates
> /etc/passwd.ldap and /etc/group.ldap files (it assumes RedHat-style
> user-private groups).  These should then be merged with
> /etc/(passwd|group).local, containing the clients' accounts which
> are not in LDAP (for example root, bin, lp, sync, shutdown,
> halt, mail, news, ... system user accounts might not be defined in LDAP)
> 
> (I use this script to periodically generate passwd/group files which
> are then pushed to a NIS server, smoothing the migration from NIS
> to LDAP; it might have to be adapted to the schema you use)
> 
> ------------
> #!/usr/bin/perl
> # This script should only be readable by root, as it contains the
> # LDAP rootdn password
> use strict;
> use warnings;
> use Net::LDAP;
> 
> my $ldapserver = 'ldap.mydomain.com';
> my $base_dn = 'dc=mydomain,dc=com';
> 
> my $groupfn='/etc/group.ldap';
> my $passwdfn='/etc/passwd.ldap';
> 
> my $users='';
> 
> my $ldap = Net::LDAP->new($ldapserver) or die "$@";
> 
> # Bind with rootdn, because we need read access to userpassword
> my $mesg = $ldap->bind (
>   dn => 'cn=root, dc=mydomain, dc=com',
>   password => 'secret'    # Replace with LDAP rootdn passwd
>   );
> $mesg->code && die $mesg->error;
> 
> $mesg = $ldap->search (          # Users are:
>    base=> 'ou=People,'.$base_dn, #   uid={userid},ou=People,dc=mydomain,dc=com
>    scope => 'one',               # must be a quoted string, not a bareword
>    filter => "(objectclass=posixAccount)"
>    );
> $mesg->code && die $mesg->error;
> 
> # The generated files contain password hashes: create them root-only
> umask 077;
> open(PASSWD,">$passwdfn") or die "$passwdfn: $!";
> open(GROUP,">$groupfn") or die "$groupfn: $!";
> 
> foreach my $entry ($mesg->all_entries) {
>    # Missing attributes become empty fields instead of undef warnings
>    my $attr = sub { my $v = $entry->get_value($_[0]); defined $v ? $v : '' };
>    my $uid = $attr->('uid');
> 
>    # Strip the '{crypt}' scheme prefix so the hash is usable by crypt(3).
>    # Assumes locked users have '{crypt}*[...]' in userpassword.
>    # An entry without a userpassword gets '*' (locked); a hash in another
>    # scheme is left as-is, which crypt(3) will never match, rather than
>    # ending up as an empty password field.
>    my $passwd = $entry->get_value('userpassword');
>    $passwd = '*' unless defined $passwd;
>    $passwd =~ s/^\{crypt\}//i;
> 
>    print PASSWD join(':', $uid, $passwd,
>          $attr->('uidnumber'), $attr->('gidnumber'), $attr->('gecos'),
>          $attr->('homedirectory'), $attr->('loginshell')), "\n";
> 
>    # RedHat-style user-private group: one group per user, named after it
>    printf GROUP "%s::%s:\n", $uid, $attr->('gidnumber');
>    $users = $users eq '' ? $uid : "$users,$uid";
> }
> $ldap->unbind;
> 
> # Every LDAP user is also a member of the 'users' group (gid 100)
> print GROUP "users::100:",$users,"\n";
> 
> close PASSWD;
> close GROUP;
> ------------
> 
> -------------------------------------------------------------------------
>  Ivo Clarysse <soggie@starlab.net>  TEL +32-2-7400788  FAX +32-2-7429654
>  Research Scientist                    Starlab - http://www.starlab.org/
>  PGP ID: 0x50154325 // A0A0 EDBC 37B2 C574 CC4D F1F0 FF94 04B9 5015 4325
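The merge step the quoted message leaves to the reader, written as an added example (not code from either poster): /etc/passwd.local is combined with /etc/passwd.ldap so that local accounts keep precedence on both user name and UID, and any LDAP entry that would shadow one (a stray "root", or an entry claiming UID 0) is dropped and reported. The file names and sample accounts are constructed for the example.

```python
"""Merge /etc/passwd.local with /etc/passwd.ldap: local entries win on both
user name and UID, so an LDAP entry called 'root' or carrying UID 0 can never
replace a local system account in the merged file."""
PASSWD_FIELDS = 7  # name:password:uid:gid:gecos:home:shell

# Constructed sample input standing in for the two files (made-up accounts).
LOCAL_PASSWD = (
    "root:X9uLmBn.aM0lE:0:0:root:/root:/bin/bash\n"
    "bin:*:1:1:bin:/bin:/sbin/nologin\n"
)
LDAP_PASSWD = (
    "alice:Ab3dEf.gH1jKlM:1001:1001:Alice:/home/alice:/bin/bash\n"
    "root:*:1002:1002:stray root entry:/tmp:/bin/sh\n"
    "bob:*:0:1003:Bob:/home/bob:/bin/sh\n"
)

def parse_passwd(text):
    """Split passwd-format text into 7-field lists; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS or not fields[2].isdigit():
            raise ValueError("malformed passwd line %d: %r" % (lineno, line))
        entries.append(fields)
    return entries

def merge_passwd(local_text, ldap_text):
    """Return (merged_text, skipped): local entries first, then each LDAP
    entry whose name and UID are still free; skipped lists (name, reason)."""
    merged = parse_passwd(local_text)
    names = {e[0] for e in merged}
    uids = {int(e[2]) for e in merged}
    skipped = []
    for entry in parse_passwd(ldap_text):
        name, uid = entry[0], int(entry[2])
        if name in names:
            skipped.append((name, "name already taken"))
        elif uid in uids:
            skipped.append((name, "uid %d already taken" % uid))
        else:
            merged.append(entry)
            names.add(name)
            uids.add(uid)
    return "".join(":".join(e) + "\n" for e in merged), skipped

if __name__ == "__main__":
    text, dropped = merge_passwd(LOCAL_PASSWD, LDAP_PASSWD)
    print(text + "".join("skipped %s: %s\n" % d for d in dropped))
```

The skipped list is what a periodic job should log, since a collision usually means either a misconfigured LDAP entry or a local account that was meant to move to LDAP.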