Re: A Mix of LDAP and non-LDAP Users

2011-01-11 Thread Edmund R. MacKenty
On Monday, January 10, 2011 06:50:22 pm you wrote:
 Is it possible to have a mix of both LDAP-authenticated and
 locally-authenticated users on the same Linux system?

 The LDAP Server that would be accessed is either a Windows Active Directory
 or a Novell Meta-Directory Server.  I'm not sure which is actually being
 used today.

Others have answered this, but there are a couple of points I'd like to add:

1) You should *always* make your root user a local user (defined in
/etc/passwd).  If you don't and there's a network problem, you won't be able
to log in.  This implies that /etc/nsswitch should always list files as a
service for the passwd, shadow and group databases.

2) Lookups from Active Directory can require several searches to wade through
Microsoft's forest of directory entries.  If your link to the AD server is
slow (as on some of my remote systems), lookups can take several seconds.
This isn't bad on logins, but you're also doing lookups every time you have to
translate a UID to a user name, which means every ls -l or ps command does
these lookups.  If performance is bad, run the Name Service Cache Daemon
(nscd) by doing service nscd start && insmod nscd.  This will speed things
up again for you.
- MacK.
-
Edmund R. MacKenty
Software Architect
Rocket Software
275 Grove Street  -  Newton, MA 02466-2272  -  USA
Tel: +1.617.614.4321
Email: m...@rs.com
Web: www.rocketsoftware.com

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
--
For more information on Linux on System z, visit
http://wiki.linuxvm.org/


Re: A Mix of LDAP and non-LDAP Users

2011-01-11 Thread Mark Post
 On 1/10/2011 at 06:50 PM, David Stuart david.stu...@ventura.org wrote: 
 LDAP has been mentioned for authenticating users.  I can't seem to find 
 anything in the manuals, but may very well be looking in the wrong places.  
 
 Is it possible to have a mix of both LDAP-authenticated and 
 locally-authenticated users on the same Linux system?  

As others have answered, it should be possible.  Look at YaST - Security and 
Users - User and Group Management - Authentication Settings.  The 
Authentication Settings is one of the choices along the top of the panel.


Mark Post



A Mix of LDAP and non-LDAP Users

2011-01-10 Thread David Stuart
Afternoon, 

New admin here.  

I am configuring a SLES 11 SP 1 system.  

LDAP has been mentioned for authenticating users.  I can't seem to find 
anything in the manuals, but may very well be looking in the wrong places.  

Is it possible to have a mix of both LDAP-authenticated and 
locally-authenticated users on the same Linux system?  

The LDAP Server that would be accessed is either a Windows Active Directory or 
a Novell Meta-Directory Server.  I'm not sure which is actually being used 
today.  


Thanks, 
Dave 
Dave Stuart
Prin. Info. Systems Support Analyst
County of Ventura, CA
805-662-6731
david.stu...@ventura.org



Re: A Mix of LDAP and non-LDAP Users

2011-01-10 Thread Andrej
On 11 January 2011 12:50, David Stuart david.stu...@ventura.org wrote:
 Is it possible to have a mix of both LDAP-authenticated and 
 locally-authenticated users on the same Linux system?

That should be pretty much default; check
/etc/nsswitch.conf

Look for passwd, shadow & groups; if they say XXX files ldap you're already
there in regards to the mix.  The system will first check for users
locally, then
in LDAP.


 The LDAP Server that would be accessed is either a Windows Active Directory or
 a Novell Meta-Directory Server.  I'm not sure which is actually being used 
 today.

Not sure how SuSE handles LDAP, but there might be a /etc/ldap.conf file ?


 Thanks,
 Dave
Cheers,
Andrej
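
A check for the two points Edmund and Andrej make above (files consulted before ldap for passwd, shadow and group, and root defined locally), written as an added example rather than anything posted on the list. The nsswitch.conf and passwd contents are constructed samples, and 'compat' is treated as a local source because that is what a default SLES install lists.

```python
"""Check nsswitch.conf ordering and that root is a local account.

Added example, not from the thread; the nsswitch and passwd text below
are constructed samples (on a real host read /etc/nsswitch.conf and
/etc/passwd instead).
"""
SAMPLE_NSSWITCH = """\
passwd: files ldap
shadow: ldap files
group:  files ldap [NOTFOUND=return]
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:1001:1001:Oracle:/opt/oracle:/bin/bash
"""
LOCAL_SOURCES = ("files", "compat")  # compat also reads /etc/passwd

def parse_nsswitch(text):
    """Map database name -> list of sources, ignoring comments and
    action specs such as [NOTFOUND=return]."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        name, sources = line.split(":", 1)
        dbs[name.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return dbs

def check_nsswitch(text, dbs=("passwd", "shadow", "group")):
    """Return problems found; empty means a local source is consulted
    first for every database the thread cares about."""
    conf = parse_nsswitch(text)
    problems = []
    for db in dbs:
        sources = conf.get(db)
        if not sources:
            problems.append(f"{db}: no entry, local files may be skipped")
        elif not any(s in LOCAL_SOURCES for s in sources):
            problems.append(f"{db}: no local source, local accounts unusable")
        elif sources[0] not in LOCAL_SOURCES:
            problems.append(f"{db}: local files are not first: {' '.join(sources)}")
    return problems

def root_is_local(passwd_text):
    """True if /etc/passwd itself defines root with uid 0."""
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[0] == "root" and f[2] == "0":
            return True
    return False
```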



Re: A Mix of LDAP and non-LDAP Users

2011-01-10 Thread David Stuart
Thanks Andrej, 

That gives me hope.  I haven't gotten so far as to actually configure the LDAP 
client yet.  I didn't want to 'break' what was currently working. 


Dave 

Dave Stuart
Prin. Info. Systems Support Analyst
County of Ventura, CA
805-662-6731
david.stu...@ventura.org


Re: A Mix of LDAP and non-LDAP Users

2011-01-10 Thread Patrick Spinler
On 1/10/11 5:50 PM, David Stuart wrote:
 Afternoon,

 New admin here.

 I am configuring a SLES 11 SP 1 system.

 LDAP has been mentioned for authenticating users.  I can't seem to find 
 anything in the manuals, but may very well be looking in the wrong places.

 Is it possible to have a mix of both LDAP-authenticated and 
 locally-authenticated users on the same Linux system?

 The LDAP Server that would be accessed is either a Windows Active Directory 
 or a Novell Meta-Directory Server.  I'm not sure which is actually being used 
 today.


 Thanks,
 Dave

Should be no problem at all.  Both our SLES and RHEL boxes use LDAP, and
have a few local accounts.

The split we make is to have application accounts (e.g. oracle, apache,
etc) and other accounts that have no password local and real people's
accounts on LDAP.  There's a very few exceptions, but this works pretty
well for us overall.

Make sure that whatever LDAP service you are using has the Posix
attributes added to your accounts (objectclass posixAccount mostly) and
pre-populated.  Also make sure that you have no uid/gid conflicts in
LDAP or between LDAP and local accounts.   I recommend allocating uids
in LDAP by a program for consistency, and starting somewhere up high
enough that there's no worries of conflict (2 million or so works well).

You also may want some mechanism to provision specific users from
LDAP to specific servers, depending on the size of your shop.  At least
in our environment we don't want to automatically allow every single
employee access to all servers.  We use the optional filters on service
search descriptors for this (the 5th field of nss_base_passwd and
nss_base_user attributes).

Good luck!  Feel free to contact me offlist if you'd like more specific
advice.

-- Pat
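
An added example (not Pat's or the list's code) that turns the advice above into a check: it parses constructed LDAP posixAccount entries and local /etc/passwd lines, then reports missing posixAccount attributes, uidNumber collisions with local accounts or within LDAP, and uids below an assumed floor of 2 million.

```python
"""Audit LDAP posixAccount entries against local accounts for conflicts.

Added example, not from the thread. LDAP_ENTRIES is a constructed sample
of posixAccount attributes; LOCAL_PASSWD is /etc/passwd text. UID_FLOOR
is the 2 million starting point suggested above, assumed as site policy.
"""
UID_FLOOR = 2_000_000
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:1001:1001:Oracle:/opt/oracle:/bin/bash
"""
LDAP_ENTRIES = [
    {"uid": "alice", "uidNumber": "2000001", "gidNumber": "2000000",
     "homeDirectory": "/home/alice", "loginShell": "/bin/bash"},
    {"uid": "bob", "uidNumber": "1001", "gidNumber": "2000000",
     "homeDirectory": "/home/bob", "loginShell": "/bin/bash"},
    {"uid": "carol", "uidNumber": "2000001", "gidNumber": "2000000",
     "homeDirectory": "/home/carol"},  # loginShell not populated
]

def parse_passwd(text):
    """Return {uid_number: login} for each /etc/passwd line."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 7:
            out[int(f[2])] = f[0]
    return out

def audit(ldap_entries, local_passwd):
    """Sorted findings: missing attrs, uid collisions (vs local, within LDAP), low uids."""
    local = parse_passwd(local_passwd)
    seen = {}  # uidNumber -> LDAP logins using it
    findings = []
    for e in ldap_entries:
        name = e.get("uid", "?")
        missing = [a for a in REQUIRED if a not in e]
        if missing:
            findings.append(f"{name}: missing {','.join(missing)}")
        if "uidNumber" in e:
            n = int(e["uidNumber"])
            seen.setdefault(n, []).append(name)
            if n in local:
                findings.append(f"{name}: uid {n} collides with local {local[n]}")
            if n < UID_FLOOR:
                findings.append(f"{name}: uid {n} below floor {UID_FLOOR}")
    for n, names in seen.items():
        if len(names) > 1:
            findings.append(f"uid {n} shared in LDAP by {','.join(sorted(names))}")
    return sorted(findings)
```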
