I have a question about all the different setups... why not just install LDAP/NIS/NIS+ clients on the compute nodes? That way, their local copies of /etc/passwd, and the rest are the same as the server (which seems to be the desired case), but they still can use LDAP/NIS/NIS+ logins as intended.

Jason

In this context, there are two main alternatives:

1) Set up an LDAP (NIS, NIS+, ...) on the master node so that nodes can
   connect to it and obtain their authentication from this source.

This involves several actions:

    1) mirror your existing authentication mechanism and set up a
       master-slave relation with your existing infrastructure (LDAP, ...)

    2) modify the PAM mechanism for all the nodes

Point 1) is not trivial at all ;-)))


2) Set up your master node as an LDAP (NIS, NIS+, ...) client of your existing service and synchronize the nodes with this information using the existing opium mechanism.

This involves only minor changes:

        1) Set up the server as a client of the authentication service
           (LDAP in this case)

        2) Modify the opium procedure a bit so that it uses the
           authentication data obtained from getent (i.e. PAM) instead of
           the data from the files of the master node.

We chose the second solution, which integrates more nicely into an existing
infrastructure.


As a consequence, we can't copy the /etc/passwd file of the master node and we have to copy the data obtained from getent, which is put into alternate files, namely /opt/opium/(passwd|group|shadow).

Indeed, those files and the master node's ones are very different: those
from the master node contain only local account info, while the ones in
/opt/opium contain the aggregated information from PAM, meaning
local accounts + LDAP (NIS, NIS+, ...).

In the case where there is no external source of authentication,
the files are equal. We can even ignore the shadow file, as all logins
are made with the SSH key exchange ;-)


With the proposed patch, we will have support for all past, present and future PAM-based authentication, from simple passwd files to a complex mix of passwd, LDAP, NIS, ...

I believe this is a very versatile add-on to OSCAR which requires
minimal effort for a quick integration into an existing authentication
infrastructure.

Comments, questions?

Ben
--
Benoit des Ligneris                Etudiant au Doctorat -- Ph. D. Student
Web :                                     http://benoit.des.ligneris.net/
Mydynaweb Developpe(u)r:                            http://mydynaweb.net/
Centre de Calcul Scientifique                  http://ccs.USherbrooke.ca/

OSCAR Symposium-May 11-14 http://oscar2003.ccs.USherbrooke.ca/
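
An added example, not part of the message above and not OPIUM's own code: one way to filter `getent passwd` output before writing the file that is pushed to every node. The function names `sanitize_passwd` and `publish_passwd` are hypothetical, and the rejection rules (malformed lines, duplicate names, UID 0 under a name other than root, blanked password field) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not OPIUM code). Usage on the master node, with the target
# path named in the message:  getent passwd | publish_passwd /opt/opium/passwd

# sanitize_passwd: passwd(5) lines on stdin -> cleaned lines on stdout.
# Exit status is 1 if any line was rejected, so the caller can fail closed.
sanitize_passwd() {
    awk -F: -v OFS=: '
        function reject(why) {
            print "rejected line " NR ": " why > "/dev/stderr"
            bad = 1
        }
        NF != 7 || $1 == ""                  { reject("malformed"); next }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { reject("non-numeric uid/gid"); next }
        # A directory entry with UID 0 would be root on every node.
        $3 == 0 && $1 != "root"              { reject("uid 0 as " $1); next }
        # Local and directory sources can both define the same name.
        seen[$1]++                           { reject("duplicate " $1); next }
        # Some sources (e.g. NIS maps) carry the hash in field 2, and the
        # pushed file is world-readable; logins use SSH keys anyway.
        { $2 = "x"; print }
        END { exit bad + 0 }
    '
}

# publish_passwd DEST: sanitize stdin and replace DEST atomically.
# On any rejection or empty result the previous DEST is left untouched.
publish_passwd() {
    dest=$1
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if sanitize_passwd > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Constructed sample input, shown only when run as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:$1$constructed$hash:1001:100:Alice:/home/alice:/bin/bash' \
        'toor:x:0:0::/root:/bin/sh' | sanitize_passwd
fi
```

Because the filter fails closed, a single bad directory entry blocks the update rather than propagating to the nodes; the same pattern applies to `getent group`.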

