At 02:27 08-01-03, John Summerfield wrote:

>Rather than using those files, best to coordinate the information with the yp*
>packages or (possibly, I've not investigated it) an LDAP server or
>equivalent.

Been there... After spending a lot of time reading the various HOWTO files and other 
conflicting and outdated stuff, I think I got the various bits and pieces working 
together now. I like it.

My LDAP server defines users and groups and passwords. Since we want to use 
cryptographic keys instead of passwords I use autofs to mount the user's home space 
into the system where he logs on, so sshd picks up the .ssh/authorized_keys and 
authenticates the logon. Root access is through sudo, where again LDAP defines who is 
in the group that can use sudo. There's still a bunch of other services that I need to 
check with LDAP authentication.

Some planning ahead is good if you want to do this when systems are slightly 
different. A properly defined hierarchy in LDAP should allow for the granularity in access 
control that you need to manage diversity. And there are things like fallback and 
performance to care about.

Rob
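The chain described above (LDAP supplies the uid, autofs mounts the home, sshd reads ~/.ssh/authorized_keys) fails quietly when sshd's StrictModes rejects the mounted files: authorized_keys is ignored if it, ~/.ssh or the home directory is group/world-writable or not owned by the user (or root), which is exactly what a uid mismatch between LDAP and the file server produces. As an added example, not from this thread, here is a small Python audit of those rules; the uid is assumed to be whatever LDAP returns for the user, and the sample home it checks is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def check_authorized_keys(home, uid):
    """Apply sshd's StrictModes rules to home, ~/.ssh and authorized_keys.

    Returns a list of problems; an empty list means sshd would accept the file.
    'uid' is the uid LDAP reports for the account (assumption: caller supplies it).
    """
    keyfile = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.isfile(keyfile):
        return [f"{keyfile}: missing (home not mounted, or automount not triggered yet?)"]
    problems = []
    for path in (home, os.path.dirname(keyfile), keyfile):
        st = os.stat(path)
        if st.st_uid not in (uid, 0):  # sshd accepts the user or root as owner
            problems.append(f"{path}: owned by uid {st.st_uid}, LDAP says {uid} "
                            "(uid mapping mismatch with the file server?)")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: group/world writable")
    return problems


def make_sample_home(root, home_mode, ssh_mode, key_mode):
    """Build a constructed, throwaway home layout with the given modes."""
    home = os.path.join(root, "rob")
    os.makedirs(os.path.join(home, ".ssh"))
    keyfile = os.path.join(home, ".ssh", "authorized_keys")
    with open(keyfile, "w") as f:
        f.write("ssh-ed25519 AAAA-constructed-placeholder rob@example\n")
    os.chmod(home, home_mode)
    os.chmod(os.path.join(home, ".ssh"), ssh_mode)
    os.chmod(keyfile, key_mode)
    return home


def demo():
    """Check a sound layout and a group-writable one; return both result lists."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        good = check_authorized_keys(make_sample_home(root, 0o755, 0o700, 0o600), me)
    with tempfile.TemporaryDirectory() as root:
        bad = check_authorized_keys(make_sample_home(root, 0o775, 0o770, 0o664), me)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("sound layout", "loose layout"), demo()):
        print(label, "->", result or "OK")
```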
