[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Perplexed
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 9 Aug 2002, Tony Earnshaw wrote:
> Assertion: Openldap is still magic, but now it's black magic.
>
> Any comments?
>
> Red Hat 7.2, much modified, kernel.org 2.4.18 ACPI and iptables.
>
> I'm perfectly happy with 2.1.3 and Berkeley 4.0, openssl 0.9.6b, PADL's
> "do-it-yourself" pam-ldap/nss_ldap kit, Exim 4.10 smtp mail server, the
> pop3 and IMAP packets that I have (think they're the latest WU versions
> without SASL, but I haven't got any further than local SSL/TLS). No
> problems.
>
> However, having learned to use GQ, slapd debugging at 5 and 256 levels,
> ethereal and strace to resolve behavior, day after day, until I've
> become blue in the face, I'm perplexed.
>
> Apart from the Berkeley database, and after having worked hours on
> /etc/ldap.conf and the /etc/pam.d configs, *nothing* about PAM/NSS that
> people here find necessary seems to be necessary for or apply to my
> configuration(s). Much that I've read from the Admin guide, golden rules
> ("*never, never, never*") just isn't true. That's why I'm asking for
> comments.
>
> Why should I find that things that others seem to accept as gospel,
> don't apply to my configurations?
>
> "Never use IP numbers for hostnames, always use FQDNs". Well, for me
> TLS/SSL only works with my IP number (127.0.0.1), not localhost. or
> 'uname -n' - the FQDN "billy.demon.nl". "Use pam_ldap for /etc/pam.d
> configs, use this, use that", etc. Well, I'm using my old Red Hat
> standard configs, and everything works - login, gdm and su. Obviously I
> need libnss*. Exclusively for the 'passwd' config do I need pam_ldap. No
> trouble in distinguishing between /etc/passwd&shadow and ldap, password
> changing with just one "type=billy" password.
>
> This is what I've done to date, since June:
>
> I only have my own test machine. However, if ldap breaks now I'm in deep
> trouble :-) I've had a couple of nasty examples that left me gasping.
> Like when I'd stopped slapd while Exim was receiving an Internet
> mailkick and wanted ldap for all user authentication. Ever seen a mail
> server wanting to send 80+ emails back (BSMTP), because it couldn't
> verify the recipients? Arrrrgh ...
>
> All local /etc/passd console and ldap logins and transactions under
> (encrypted, of course) TLS.
>
> Posix account "Virtual" users, most with mailboxes in other Internet
> domains. Almost complete integration with Ximian's Evolution for partial
> local user administration and centrally based contact database, with
> partial delegated user administration.
>
> Exim 4.10 smtp server admin with ldap-based user accounts an all mail
> aliases (/etc/aliases doesn't even exist any more) and virtual
> mailboxes. All imap and pop3 under TLS.
>
> Complete "virtual"=ldap user administration with GQ, with a
> mind-boggling wealth of info on each user (eat your heart out NIS+).
> Admin user/group (partial) administration of users and services.
>
> Automatic BDB 4 transactional log backups (thanks to Peter A. Savitch).
>
> To recap:
>
> I can do *so* much on a standard Linux machine that I'd never dreamed of
> being possible in May, that it still seems like magic. Reading, reading,
> more reading and practicing is why. But why should so much that others
> accept as gospel, be different for me?
>
> Best,
>
> Tony
>
> --
>
> Tony Earnshaw
>
> The usefulness of RTFM is vastly overrated.
>
> e-post: tonni@billy.demon.nl
> www: http://www.billy.demon.nl
> gpg public key: http://www.billy.demon.nl/tonni.armor
>
> Telefoon: (+31) (0)172 530428
> Mobiel: (+31) (0)6 51153356
>
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
> 3BE7B981
>
>
>
Hey, Tony.
Sun from Brazil, for everybody.
You are a very lucky man, and a suppose you worked a lot for it!
Me, i'm in deep troeble traying to make thinks work well around here.
Beeing franc, the first time i started to work with ldap, i was wondering
it could be at least better then 'Active Directory' from ms. Let's say,
a port from iplanet to the OpenSource community. I have near 6 years of
exp. in Linux, but all my brain power was not enough yet to make openldap
work for us as expected. I just can't make it work with TLS. So, i look
and browse all data trough gq and 'directory_adminitrator' but no chance
to insert or modify any content inside it. The reason is simple: i can not
log as manager in ldap to make things happen.
The last version of ''migration-tools' simply din't work for me,
forcing us to downgrade to the previous openldap version. Im in trouble
now. Any change i could think about in config of slapd, ldap.conf and
pam.d was donne, without any success, just the old adaggio: 'ldap_bind:
Invalid credentials'
What the black magic did you find to make things happen? There is
already 2 weeks of work, for nothing! I'm at the point to give up about
all this shift (without the 'f').
Thank you so much. I'm new in the list, and i appreciate your
strong skeel with openldap, maybe you could help us to make thinks came a
little bit painless for us.
But not last: what the address of the previous sended messages to
our list? I cant find it! Is it faq-o-matic?
- --
end
I wish you have a good day,
and a nice work donne with GNU-Linux.
Tenha um bom dia e um ótimo trabalho com linux
Fui!
====================<<<<<< * >>>>>>>====================
=========== Renato Q. Salles UIN 143517540 ===========
=========== Linux Registered User nº 217696 ===========
====================<<<<<< * >>>>>>>====================
/"\
\ / Campanha da fita ASCII - Contra mail HTML
X ASCII ribbon campaign - Against HTML mail
/ \
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9VDMs7m5526AiZG0RAh9XAJ9oMfElqC5YDnTVm7MQuF39vI2C2wCfYQ4T
AqD/sWWRZMj05PKZN66LhYk=
=YAfm
-----END PGP SIGNATURE-----
- References:
- Perplexed
- From: Tony Earnshaw <tonni@billy.demon.nl>