
Re: Centralized LDAP Authentication or Kerberos+LDAP Authentication



> You may view them at:
> http://web.singnet.com.sg/~garyttt/

Thanks for contributing what you're learning, but don't follow these
directions in a production environment.

Your init script, like redhat's, stops the server with kill -9. Especially
with a bdb backend, this will corrupt your database and cause master and
slave to get out of sync. (RedHat's ldap.init is mostly ok with openldap
2.0.27/ldbm, to the limited extent that openldap 2.0.27/ldbm is ok. With
2.2.x/bdb, though, you need to use -HUP or at most -TERM.)

You don't mention DB_CONFIG. If you add a nontrivial number of entries, the 
server will fail without one.

Overwriting redhat's openldap, openssl, and db4 libs in /usr is likely to
cause programs linked with the stock versions, such as sendmail, to crash
at some point. Either rebuild the whole system or segregate in /opt or
/usr/local.

It is not safe to use MIT kerberos in multithreaded applications 
like openldap without patches.
-- 
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator
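An added example, not Rich's script and not the OpenLDAP project's or RedHat's init script: a POSIX sh stop routine that does what the post recommends, SIGTERM followed by a bounded wait, with no escalation to kill -9 because that is what risks leaving a bdb backend inconsistent. The PID file path, the SLAPD_* environment variable names and the timeouts are assumptions.

```shell
#!/bin/sh
# graceful_stop PID [TIMEOUT_SECONDS]
# Sends SIGTERM and polls until the process exits or the timeout expires.
# Returns 0 if the process is gone, 1 if it is still running. It never
# sends SIGKILL: a server that has not exited is reported, not forced.
graceful_stop() {
    pid="$1"
    timeout="${2:-30}"
    # Nothing to do if the process does not exist (already stopped).
    kill -0 "$pid" 2>/dev/null || return 0
    kill -TERM "$pid" 2>/dev/null || return 1
    i=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$i" -ge "$timeout" ]; then
            echo "pid $pid still running after ${timeout}s; not forcing" >&2
            return 1
        fi
        sleep 1
        i=$((i + 1))
    done
    return 0
}

# stop_slapd: what the "stop" branch of an init script would call.
# Assumed defaults: PID file /var/run/slapd.pid, 60 second wait.
stop_slapd() {
    pidfile="${SLAPD_PIDFILE:-/var/run/slapd.pid}"
    if [ ! -r "$pidfile" ]; then
        echo "no readable pid file at $pidfile; assuming slapd is stopped" >&2
        return 0
    fi
    graceful_stop "$(cat "$pidfile")" "${SLAPD_STOP_TIMEOUT:-60}"
}
```

If graceful_stop returns 1 the database is still open; investigate the hung server (slapd may be finishing a checkpoint) rather than reaching for kill -9.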