
Re: [ldap] NIS, DCE and /etc/passwd replacement



If you set up Sun Directory Server (comes with Solaris) with posixAccount,
shadowAccount, top, and I think that is it.

Give people a 
uid
uname
gid
gecos
passwd
shell
homedir

and then you should be able to do this on your SGI

pwconv	(make IRIX shadow aware)
add ldap for the password and group entries in /etc/nsswitch.conf (instead of
files or nis)
modify your /etc/ldap.conf (or in IRIX's case, it's /var/ns/ldap.conf) to
use your LDAP server information.

I'm working on a document and how-to on this but won't have it done for a
while...


> 
> On May 26, 10:58am, Mike Douglass wrote:
> > Subject: [ldap] NIS, DCE and /etc/passwd replacement
> > Currently we are using all of the above on AIX, Solaris, linux and Irix and
> > would like to replace all methods with ldap. As a complication we also need
> > AFS authentication to take place (I know that's nothing to do with ldap but
> > some of the solutions may assume a local file system)
> >
> > Ideally, the authentication mechanism should make an anonymous connection
> > to the ldap server (after all, /etc/passwd is world readable anyway).
> >
> > We're about to try reconfiguring some sgi machines but I haven't been able
> > to find appropriate schema definitions. Has anybody done any or all of the
> > above?
> > Mike Douglass		douglm@rpi.edu
> >-- End of excerpt from Mike Douglass
> 
> I'm currently setting up a directory server to replace passwd and shadow files
> on IRIX. For the password file this is rather straightforward: the objectclass
> posixAccount has all the attributes needed. I only ran into a spot of trouble
> with the shadow passwords. I can configure IRIX's nsd so that shadow passwords
> are looked up through LDAP. Nsd's 'filesystem' even has 0600 permissions for
> the shadow map, as you would like. Then I configured the ACLs on the directory
> to prevent the shadow passwords from being world-readable via the directory.
> This had the interesting effect of everybody being able to log in to any account
> served up by the directory without even being asked for a password! Some
> debugging showed that nsd's bind failed, so that the query for a shadow
> password was being done as an anonymous user who of course had no permissions
> to read it, and an empty string was returned. Unfortunately, an empty string
> means 'no password' to login... I believe that the bind failed because nsd does
> an LDAP v3 bind which is not (yet) understood by OpenLDAP. So now I'm
> configuring the iPlanet server to see if that will serve us better.
> 
> Gerard Ranke
> 
> network administrator
> Utrecht School of Arts
> 



   Sellers, Chris G.
   Scientific Programmer Analyst
   Information & Instructional Technology
   Oakland University - Rochester, Michigan 48309-4401
   Phone: (248) 370.2016    FAX: (248) 370.4251
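The fail-open that Gerard Ranke describes above (a failed nsd bind turning into an anonymous lookup, the ACL hiding the shadow attribute, and the resulting empty string being taken as "no password") modelled as an added example. This is not code from the thread or from IRIX nsd: the in-memory DIRECTORY, the sha256-based hash format and the bound flag are constructed stand-ins for the LDAP server, crypt(3) and the bind result; the hardened path treats an absent or empty hash as a locked account, and passwordless_entries() is the audit a directory admin would want to run.

```python
import hashlib
from typing import Optional

# Constructed stand-in for crypt(3): "salt$sha256(salt+password)".
def _h(salt: str, pw: str) -> str:
    return salt + "$" + hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed posixAccount/shadowAccount-style entries (not a real directory).
DIRECTORY = {
    "alice": {"uidNumber": 1001, "gidNumber": 100, "gecos": "Alice",
              "loginShell": "/bin/sh", "homeDirectory": "/home/alice",
              "userPassword": _h("s4lt", "correct horse")},
    "svc":   {"uidNumber": 1002, "gidNumber": 100, "gecos": "service acct",
              "loginShell": "/bin/false", "homeDirectory": "/",
              "userPassword": ""},   # genuinely empty hash stored in the directory
}

LOCKED = "!"  # nothing hashes to this, so it behaves like a locked shadow entry

def lookup_shadow(uid: str, bound: bool) -> Optional[str]:
    """What the name service gets back. With bound=False the bind failed and
    the query ran anonymously: the ACL hides userPassword and '' comes back."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        return None
    return entry["userPassword"] if bound else ""

def verify(stored: str, password: str) -> bool:
    """Compare a candidate password against a stored 'salt$digest' string."""
    salt, _, digest = stored.partition("$")
    return digest != "" and _h(salt, password) == stored

def naive_login(uid: str, password: str, bound: bool) -> bool:
    """Reproduces the fail-open: an empty shadow field is read as 'no password'."""
    stored = lookup_shadow(uid, bound)
    if stored is None:
        return False          # unknown account
    if stored == "":
        return True           # the bug: empty hash lets anyone in
    return verify(stored, password)

def hardened_login(uid: str, password: str, bound: bool) -> bool:
    """Fail closed: an absent or empty hash is treated as a locked account."""
    stored = lookup_shadow(uid, bound)
    if not stored:            # None (no entry) or '' (hidden or really empty)
        stored = LOCKED
    return verify(stored, password)

def passwordless_entries() -> list:
    """Audit: accounts whose shadow hash is empty in the directory itself."""
    return sorted(u for u, e in DIRECTORY.items() if not e["userPassword"])
```

With the bind broken, hardened_login refuses even the correct password, which is the safe failure: the fix is to repair the bind, not to loosen the ACL.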