On Wed, Feb 21, 2007 at 04:54:25PM -0500, Cory Albrecht wrote:
> Marc Balmer wrote:
> >Cory Albrecht wrote:
> >>I'm trying to get my OpenBSD firewall to authenticate normal user 
> >>accounts off of an LDAP server running on a different machine.
> 
> >On a side note, you are aware that you must create the accounts
> >locally as well for things to work properly?  It is not enough
> >to have the accounts in LDAP only.
> 
> So, you're saying that if I had an organization with 100 OpenBSD 
> desktops (and associated typical file/print/etc servers), that I would 
> have to create every new login on *each* of those 100 desktops in 
> addition to adding it to the LDAP server every time we got a new employee? 
> Or would have to remove an account from each individual workstation each 
> time somebody left?
> 
> Then what's the point of having a centralized login administration 
> system? Useless and unnecessary extra work for a sysadmin, IMHO. That 
> wouldn't exactly be a pro-adoption point.

That's true. Then again, I've never had any problems with my home-hacked
solution that just cats a couple of /etc/master.passwd.something files
together, and then runs the appropriate 'compilation' commands.

You do have to know how to avoid possibly very nasty password database
corruption, though (i.e. don't try to run two in parallel, there's a
reason vipw exists and is so very careful).

                Joachim
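
Added example, not part of the original message or the poster's own script: one way to do the concatenation described above so that two runs cannot overlap and a malformed merge is never installed. The function name, lock path and fragment paths are hypothetical; the pwd_mkdb(8) step is left out so the example runs on any POSIX system.

```sh
#!/bin/sh
# merge_master_passwd OUT LOCK FRAGMENT...
# Concatenates the fragments into OUT. Returns 0 on success, 2 if another run
# holds LOCK, 1 if the merged data is malformed (OUT is then left untouched).
merge_master_passwd() {
    out=$1; lock=$2; shift 2
    # noclobber turns ">" into an exclusive create, so a second run started in
    # parallel fails here instead of rebuilding the database concurrently.
    if ! ( set -C; echo "$$" > "$lock" ) 2>/dev/null; then
        echo "merge: $lock exists, another run is in progress" >&2
        return 2
    fi
    rc=0
    tmp=$(mktemp "$out.XXXXXX") || rc=1
    if [ "$rc" -eq 0 ]; then
        chmod 600 "$tmp"            # the file holds password hashes
        cat -- "$@" > "$tmp" || rc=1
    fi
    # Every master.passwd(5) entry has 10 colon-separated fields. Reject short
    # or long lines, empty login names and duplicate logins before installing.
    if [ "$rc" -eq 0 ]; then
        awk -F: '
            NF != 10   { printf "line %d: %d fields\n", NR, NF; bad = 1 }
            $1 == ""   { printf "line %d: empty login\n", NR; bad = 1 }
            seen[$1]++ { printf "line %d: duplicate login %s\n", NR, $1; bad = 1 }
            END        { exit bad + 0 }
        ' "$tmp" >&2 || rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        # Rename within one directory is atomic: readers see old or new, never half.
        mv -f "$tmp" "$out" || rc=1
        # On OpenBSD the databases would then be rebuilt from the merged file
        # with pwd_mkdb(8); that step is omitted here.
    fi
    [ "$rc" -eq 0 ] || rm -f "$tmp"
    rm -f "$lock"
    return "$rc"
}
```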
