Davor Ocelic <[EMAIL PROTECTED]> writes:

> all users and IDs would be synced between ldap/krb/openafs.

Well, there's no syncing between krb and openafs. Kerberos stores passwords, openafs stores userids. No overlap, so things can't get out of sync. Storing passwords in LDAP is generally agreed to be not such a great solution. So the rest of this email is really all about numeric unix userids.

> And since ldap and openafs names are exactly the same (user,
> user.cgi, ..), the output from 'ls' is completely believable.

Yes, but the numeric userid for a given username might be different. This can cause problems, because "chown docelic foo" doesn't end up doing what you think it does.

> does nss-ptdb cache results? I am sure that nscd does cache

Yes, nscd provides caching for nss-ptdb as well.

> Why not make a small script that compares ldap and openafs
> names/uids and reports any problems.. running once a day..
> ...
> I see ldap as the natural place to centralise all information.

Yes, but I see it as even more natural to simply avoid any possibility of desynchronization. :)

I'd rather make it impossible for things to get out of sync than check daily to see if they are still in sync.

Just to reiterate, we're talking about numeric userids here. I'm all for keeping everything else in LDAP (*), like for example which machines you're authorized to log in to, etc.

It would be nice if AFS knew how to use LDAP for username<->userid translation. It would also be nice if LDAP knew how to use AFS for name<->userid translation. Unfortunately, the integrity of AFS's ACLs is based on the promise that a user's numeric userid cannot be changed. I think this is why it is not designed to cede control of this mapping to other services and why there is a "pts rename" but no "pts renumber".

- a

--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
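The daily "compare ldap and openafs names/uids" check that is proposed in the quoted part of this thread, as an added example for this page; it is not code from the original message, from the list, or from HCoop. It reads the passwd database as the system sees it (LDAP via nss, i.e. `getent passwd`) and the protection database as OpenAFS sees it (`pts listentries -users`), and reports every name whose numeric id differs, which is exactly the case where "chown docelic foo" sets an owner the fileserver interprets as somebody else. Assumptions: `getent passwd` prints the usual seven colon-separated fields, `pts listentries` prints a header line followed by Name/ID/Owner/Creator columns, and system accounts below uid 1000 have no pts entry; the two sample outputs embedded below are constructed for the example.

```python
"""
Cross-check passwd-database uids (LDAP via nss) against OpenAFS pts ids.

Added example, not code from the original thread or from HCoop.
Assumed formats: `getent passwd` = passwd(5) colon-separated fields;
`pts listentries -users` = a header line, then "Name ID Owner Creator"
columns. SAMPLE_* are constructed outputs; check_live() runs the real
commands.
"""
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `getent passwd` on a box that reads LDAP via nss.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
docelic:x:1001:1001:Davor Ocelic:/afs/hcoop.net/user/docelic:/bin/bash
adamc:x:1002:1002:Adam:/afs/hcoop.net/user/adamc:/bin/bash
orphan:x:1005:1005:in LDAP only:/afs/hcoop.net/user/orphan:/bin/bash
"""

# Constructed sample of `pts listentries -users` (column layout assumed).
SAMPLE_PTS = """\
Name                          ID  Owner Creator
docelic                     1001   -204     -204
adamc                       1003   -204     -204
ptsonly                     1004   -204     -204
"""


def parse_getent_passwd(text: str) -> Dict[str, int]:
    """Map login name -> numeric uid from passwd(5)-style lines."""
    uids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line: skip rather than guess
        uids[fields[0]] = int(fields[2])
    return uids


def parse_pts_listentries(text: str) -> Dict[str, int]:
    """Map pts name -> pts id; skips the header and group entries (negative ids)."""
    ids: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] == "Name":
            continue
        try:
            pts_id = int(parts[1])
        except ValueError:
            continue
        if pts_id < 0:
            continue  # groups carry negative ids; only users map to unix uids
        ids[parts[0]] = pts_id
    return ids


def compare_uids(passwd: Dict[str, int], pts: Dict[str, int],
                 min_uid: int = 1000) -> Dict[str, list]:
    """Report names whose id differs between the two databases and names
    present in only one of them. Accounts below min_uid are ignored on the
    assumption that system accounts have no pts entry (1000 is an assumed cutoff)."""
    mismatch: List[Tuple[str, int, int]] = []
    passwd_only: List[str] = []
    for name, uid in sorted(passwd.items()):
        if uid < min_uid:
            continue
        if name not in pts:
            passwd_only.append(name)
        elif pts[name] != uid:
            mismatch.append((name, uid, pts[name]))
    pts_only = sorted(n for n in pts if n not in passwd)
    return {"mismatch": mismatch, "passwd_only": passwd_only, "pts_only": pts_only}


def check_live() -> Dict[str, list]:
    """Run the real commands; needs getent and an AFS client with pts installed."""
    getent = subprocess.run(["getent", "passwd"], capture_output=True, text=True, check=True)
    pts = subprocess.run(["pts", "listentries", "-users"], capture_output=True, text=True, check=True)
    return compare_uids(parse_getent_passwd(getent.stdout), parse_pts_listentries(pts.stdout))


if __name__ == "__main__":
    report = compare_uids(parse_getent_passwd(SAMPLE_GETENT), parse_pts_listentries(SAMPLE_PTS))
    for name, uid, pts_id in report["mismatch"]:
        print(f"MISMATCH {name}: passwd uid {uid} != pts id {pts_id}")
    for name in report["passwd_only"]:
        print(f"NO PTS ENTRY {name}")
    for name in report["pts_only"]:
        print(f"NO PASSWD ENTRY {name}")
```

On the constructed samples it flags adamc (uid 1002 in passwd, id 1003 in pts), orphan (passwd only) and ptsonly (pts only). Run from cron with `check_live()` in place of the samples to get the daily report the thread discusses; it does not, of course, address the author's preference for making desynchronization impossible rather than detecting it.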
