[SATLUG] SOHO LDAP
dkowis at shlrm.org
Sun Jan 24 23:13:04 CST 2010
-----BEGIN PGP SIGNED MESSAGE-----
On 1/24/2010 2:15 PM, Frank Huddleston wrote:
> Has anyone here implemented a multi-computer configuration using
> LDAP? If so, I'd like to hear about it.
I have yes. I've set up a windows domain controller running samba at
work. LDAP backed, first using SMGL and second using Fedora and Xen. I
took one box, virtualized it so I could have multiple "redundant"
servers. (I know if the hardware fails I'm toast, but then we'd be toast
anyway, at least with virtualized servers, I can update one box without
risk of bringing down the entire authentication framework.) The
virtualization worked out quite well, I could take the master LDAP
server down for an update, and windows users could still authenticate,
if not change their passwords. I set up nagios to monitor the various
services I had running (on yet another virtual machine) so that I could
look at a single picture for the health of my network. Which is good,
because this wasn't my "primary responsibility." Being a software
engineer the company didn't see that I should be given much time to set
up the network, yet they expected it to be "secure." Maybe I have too
lofty a definition of secure, but it involves log correlation and
services monitoring. Takes time to set up, time I wasn't allowed, so I
did the best I could with the time I had. (sorry, got into a rant. I
could delete it from the email, but it helps describe the background as
to why I did things the way I did.)
I used the smbldap scripts to add and delete users
I think has the relevant information.
> I remember about 1999-2000, Novell was sellling a kind of LDAP
> application that would do pretty much what the MS Active Directory does,
> but with a more eclectic set of clients. I don't know what happened to
> that: do any of you?
> I think I heard that Red Hat might also have some kind of application
> like that, and of course there is Active Directory, but that does
> require MS computers
> to run it, and I don't know how well it works with non-MS clients.
Redhat's fedora equivalent is the Fedora Directory Server:
I haven't used it, but it's a package deal (or so it claims)
I set up the ldap servers at work by hand, since I had set them up by
hand in SourceMage and I was trying to reuse the configurations I had
prior. That worked for the most part. I had about 6 or 7 users, and
several things that they needed to authenticate against. Windows logins
for one, backuppc, and a couple other services. With LDAP I was able to
wrangle authentication against the LDAP server for just about everything.
> I think Apple's OS X server uses some kind of LDAP directory, but,
> being OS X Server, is rather expensive, and expected to run on a Mac.
> A few years ago, I tried something that was called the "NetInfo Bridge",
> which was an application that was designed to allow interoperability
> between the OS X NetInfo, which is (or was?) some kind of quasi-LDAP
> system, and LDAP, in this case Open LDAP, I think. I had compilation or
> installation problems with my version of
> OS X, which by then I think was not the latest, and I think the NetInfo
> had changed some between the OS X releases. I messed with it for a
> while, then went on to other things, as so often happens.
> So, I often hear people suggest using LDAP when I ask these
> multi-computer configuration and management issues, but now I'm asking:
> have any of you actually implemented such a thing, and if so, please
> tell me/us about it.
I have LDAP at home, but I need to rework it a bit. It's quite handy to
set up the same user account on many systems. Same with groups.
It can operate with single system groups as well. like I have a local
account for the Wii to use for homebrew smb access. But it needs access
to a group that's in LDAP. So I just add the wii user to that group in
ldap. `getent group` shows correctly and accurately.
It takes more planning and a bit more effort to configure, so it depends
on what your exact situation is.
If there are more specific questions regarding how I set thigns up or
why I did it the way I did, I'll try to answer them.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
-----END PGP SIGNATURE-----
More information about the SATLUG