On Wed, Mar 28, 2007 at 03:41:27PM -0700, Adam Megacz wrote:
>
> Also, now that we are running libnss-ptdb, there is no longer any need

Aha, you installed it..

> to create entries in /etc/passwd. I've removed the "megacz" user from
> deleuze:/etc/passwd, and everything still works fine (note: we should

Yes, sure. We wanted to use LDAP to pull user/group info from it (and later all other user-related data). So the plan has always been to not need /etc/passwd except for local admin accounts, which we want to work even when afs/kerberos or ldap is down.

admin accounts = local files, user accounts = ldap + krb + afs.

(Look at /etc/nsswitch.conf - it's modified appropriately.)

The modifications I've made to the script were also along the same lines: all users and IDs would be synced between ldap/krb/openafs. Regardless of libnss-ptdb, this is a nice thing to have. And since ldap and openafs names are exactly the same (user, user.cgi, ..), the output from 'ls' is completely believable.

Does nss-ptdb cache results? I am sure that nscd does cache database information (that's its primary function, and I have also verified that connections to ldap are not being made after the first call). So as long as names/uids match between ldap and openafs (which we want), maybe the approach without libnss-ptdb is smoother.

> use some other mechanism such as pam to restrict logins on deleuze).

Yes, we already use it. In the scheme where we use ldap and the pam_ldap module, I've enabled check_host_attr in the pam config files, so login is allowed to machines which are listed in the user's host: attribute. (So in general, each user would have host: mire and host: abulafia (when we put it on peer1) in their ldap entry.) (This is one thing that I forgot to add to the LDIF within the create-user script - will add.)

> In fact, I recommend we adopt a policy of never adding an entry to
> /etc/passwd on any of hcoop's machines if a corresponding AFS identity
> exists -- this runs the risk of them falling out of sync.

Yes, ah, I see your point now. But I think it's hurting us in the long run.

Why not make a small script that compares ldap and openafs names/uids and reports any problems, running once a day?

Somehow I see ldap as the natural place to centralise all information. The fact that openafs keeps a separate user/id database is unfortunate for all sites who have broader infrastructure in mind. So we should look at openafs as just "this thing" with a database that has to be kept in sync with ldap; not as something that we want to use standalone.

What do you think?

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
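The daily reconciliation script proposed in the message above, as an added example that is not HCoop's script and not something posted in this thread. It parses LDIF as `ldapsearch -LLL` prints it and the table that `pts listentries -users` prints, compares names and numeric IDs in both directions, flags the case where one numeric ID names two different principals, and also mirrors (in simplified form) the `check_host_attr` login rule against the `host:` attribute. The sample LDIF and pts output, the base DN `dc=hcoop,dc=net` and the UID values are constructed for the example; the pts column layout (`Name ID Owner Creator`) is an assumption about the tool's output.

```python
"""Daily LDAP vs. OpenAFS (pts) reconciliation.

Added example for the "small script that compares ldap and openafs
names/uids" suggested in the thread; it is not HCoop's script. It parses
`ldapsearch -LLL` output (LDIF) and `pts listentries -users` output, which
on a real host would come from subprocess calls; here both are constructed
samples so it runs offline. Assumed: user entries are posixAccount objects
with uid/uidNumber, and pts prints a "Name ID Owner Creator" header
followed by one entry per line.
"""
import re
from collections import namedtuple

Problem = namedtuple("Problem", "kind ldap_name pts_name ldap_uid pts_uid")

# Constructed sample LDIF; base DN and UID numbers are made up for the example.
SAMPLE_LDIF = """\
dn: uid=adamchl,ou=People,dc=hcoop,dc=net
uid: adamchl
uidNumber: 10001
host: mire
host: abulafia

dn: uid=megacz,ou=People,dc=hcoop,dc=net
uid: megacz
uidNumber: 10002
host: mire

dn: uid=megacz.cgi,ou=People,dc=hcoop,dc=net
uid: megacz.cgi
uidNumber: 10003

dn: uid=newuser,ou=People,dc=hcoop,dc=net
uid: newuser
uidNumber: 10006
host: mire
"""

# Constructed sample `pts listentries -users` output (assumed column layout).
# "anonymous" is a built-in pts entry; groups carry negative IDs.
SAMPLE_PTS = """\
Name                          ID  Owner Creator
anonymous                  32766   -204    -204
adamchl                    10001   -204       1
megacz                     10002   -204       1
megacz.cgi                 10004   -204       1
stale                      10006   -204       1
"""


def parse_ldif(text):
    """Return {uid: (uidNumber, [host, ...])}. Folded continuation lines
    (leading space, RFC 2849) are joined back; base64 values (::) are skipped."""
    users = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        attrs = {}
        for line in lines:
            key, _, value = line.partition(":")
            if value.startswith(":"):
                continue
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "uid" in attrs and "uidNumber" in attrs:
            users[attrs["uid"][0]] = (int(attrs["uidNumber"][0]), attrs.get("host", []))
    return users


def parse_pts(text):
    """Return {name: id} from `pts listentries` output, skipping the header line."""
    entries = {}
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            entries[parts[0]] = int(parts[1])
    return entries


def reconcile(ldap_users, pts_users, ignore=frozenset({"anonymous"})):
    """Compare both databases and return Problem records (empty list = in sync)."""
    pts = {n: i for n, i in pts_users.items() if i > 0 and n not in ignore}
    pts_by_id = {i: n for n, i in pts.items()}
    problems = []
    for name in sorted(set(ldap_users) - set(pts)):
        problems.append(Problem("missing-in-pts", name, None, ldap_users[name][0], None))
    for name in sorted(set(pts) - set(ldap_users)):
        problems.append(Problem("missing-in-ldap", None, name, None, pts[name]))
    for name in sorted(set(ldap_users) & set(pts)):
        if ldap_users[name][0] != pts[name]:
            problems.append(Problem("uid-mismatch", name, name, ldap_users[name][0], pts[name]))
    for name, (uid, _hosts) in sorted(ldap_users.items()):
        other = pts_by_id.get(uid)
        if other is not None and other != name:
            # One numeric ID, two different principals: AFS ACLs and `ls`
            # would attribute files to the wrong person, so flag it separately.
            problems.append(Problem("id-collision", name, other, uid, uid))
    return problems


def allowed_on_host(ldap_users, name, hostname):
    """Simplified mirror of pam_ldap's check_host_attr: accept the login only
    if hostname is listed in the user's host: attribute (assumption: no
    wildcard handling, which the real module may provide)."""
    return name in ldap_users and hostname in ldap_users[name][1]


def report(problems):
    """Human-readable lines, suitable for a daily cron mail."""
    return ["%-15s ldap=%s(%s) pts=%s(%s)" % (p.kind, p.ldap_name, p.ldap_uid,
                                               p.pts_name, p.pts_uid) for p in problems]


if __name__ == "__main__":
    for line in report(reconcile(parse_ldif(SAMPLE_LDIF), parse_pts(SAMPLE_PTS))):
        print(line)
```

On a live host the two samples would be replaced by `subprocess.run` calls to `ldapsearch -LLL` (restricted to `objectClass=posixAccount`, requesting only `uid`, `uidNumber` and `host`) and to `pts listentries -users`, and the script would be run from cron with its output mailed to the admins. The `id-collision` check is the one worth keeping even if the rest is trimmed: a name mismatch only produces a confusing `ls`, but a reused numeric ID silently grants one principal's files to another.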
