> 
> I'd recommend you use LDAP
> 
>       - if machines are widely distributed around the world (ala debian.org) then
>       you'll probably be better off generating and distributing /etc/passwd (and co)
>       so that authentication isn't tied to some machine in greenland when you are
>       in brisbane.

Actually, LDAP excels at that particular configuration.

Run an LDAP server on each machine that replicates from the main server.  
Authenticate using LDAP to the localhost LDAP server.  You can use
replication filters to keep the size of the database small (eg: no need to
replicate mailing list memberships or other entries that can't log in).

If you have different groups of users in Greenland and Brisbane, then set
/etc/ldap.conf so that users in Greenland need to be in the LDAP group
users-gn and the users in Brisbane in the group users-au-bri.

I do this on my laptop.  It impresses MS users no end that any AARNet
staff member can log into my laptop with their current password, even when
my laptop isn't connected to the network.  Equally impressively, you can
join LDAP trees -- so both AARNet staff members and my family can have
accounts on the notebook; but without AARNet staff being able to log into
other machines on my home network, or other users of my home network being
able to log into the AARNet machines.  All that's needed is an agreement
to prevent clashes of user and group IDs (both alpha and numeric).

LDAP does have problems, and highest on this list is that until recently
there was no way of maintaining the password as a list of multiple hashes
(say SSHA and MS-MD4).  Thus protocols like SMB were hard to authenticate
from LDAP.  This has slowly improved.

LDAP also has a significant learning curve, with a new set of jargon, etc.
There's also a lack of good graphical tools.  You don't need the tools to
add accounts (just use the standard useradd, passwd, etc) but you do need
them to get the maximum value out of LDAP as a directory.

-- 
Glen Turner                                 Network Engineer
 (08) 8303 3936      Australian Academic and Research Network
 [EMAIL PROTECTED]          http://www.aarnet.edu.au/
--
 The revolution will not be televised, it will be digitised
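A concrete form of the setup described in the reply above (a local replica that only carries login entries, and a per-host LDAP group gating logins), added here as an illustration and not taken from the original post. The domain, host names, group DNs and replicator credentials are assumed, and the replication uses OpenLDAP syncrepl with a filter; the poster does not say which replication mechanism was in use.

```conf
# --- /etc/ldap.conf on the Brisbane host (pam_ldap / nss_ldap) ---
# Talk only to the replica running on this machine, so logins keep
# working when the link back to the master is down.
host 127.0.0.1
base dc=example,dc=au
ldap_version 3
# Only members of this host's group may log in.  This is the one line
# that differs between hosts: the Greenland box would carry
#   pam_groupdn cn=users-gn,ou=Groups,dc=example,dc=au
pam_groupdn cn=users-au-bri,ou=Groups,dc=example,dc=au
# Groups are posixGroup entries listing login names in memberUid
pam_member_attribute memberUid

# --- slapd.conf on the same host: filtered consumer of the master ---
# Only account and group entries are pulled down; mailing-list and
# other non-login entries stay on the master, so the local database
# stays small.
database   bdb
suffix     "dc=example,dc=au"
directory  /var/lib/ldap
syncrepl   rid=001
           provider=ldap://ldap-master.example.au
           type=refreshAndPersist
           retry="60 10 300 +"
           searchbase="dc=example,dc=au"
           filter="(|(objectClass=posixAccount)(objectClass=posixGroup))"
           attrs="*,+"
           bindmethod=simple
           binddn="cn=replicator,dc=example,dc=au"
           credentials=REPLACE_WITH_REPLICATOR_PASSWORD
```

The replicator bind needs read access to the account entries (including the password hashes pam_ldap will check against), so that account should exist only for replication and its credentials kept out of world-readable files.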

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
