After playing with various options on this for the past couple of months, I'd recommend a combination of Kerberos and LDAP, rather than LDAP alone. pam_kerberos seems to work better than pam_ldap, and the security should be better. I have an RPM for pam_kerberos, and I'm working on one for the Kerberos 5 server.
Originally, when this issue came up here, I recommended NIS, but LDAP/AD is a strategic direction here. That's why Kerberos came up eventually. In testing, I've found the combination works well. Along the way, someone actually showed me a scheme used in some AIX installations that uses a product similar to rsync to pass the actual /etc/passwd file around between systems. Pretty bizarre.

> -----Original Message-----
> From: Rob van der Heij [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 08, 2003 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [LINUX-390] Cloning users from one system to another
>
>
> At 15:48 08-01-03, Post, Mark K wrote:
>
> >Would you be willing to write up the details for inclusion on the HOWTOs
> >page?
>
> Note that some of this is also in the "Large Scale" Redbook
> (but if it were enough then I would not have spent so much
> time on it).
> As I say "some planning ahead is..." which means I will throw
> my LDAP database away and start all over again ;-) After
> that I'll get something on paper.
>
> Rob
