Peter Tribble wrote:
I found Ben's poll interesting:

http://www.cuddletech.com/blog/pivot/entry.php?id=1094

although I would have to step back a pace and ask - "What
Naming Service"? Because it's not entirely obvious to me
that a directory server is an optimal answer (it may be the
best, but I don't find it optimal).

Now I've used standard Name Services - NIS and NIS+ -
extensively, and have done a lot of work on LDAP.

NIS:

Pretty easy to set up, limited functionality beyond the basic,
data management facilities are crude, scales poorly.

It's also horribly insecure, exposing the raw crypts to everyone unless you turn on C2 security (which itself is only as secure as binding to a low port).

LDAP:

More demanding of resources. While LDAP itself is easy to set
up, actually configuring it to work correctly is a bear. Scales
well, excellent interoperability, but data management facilities
are primitive to non-existent.

In the past I've loved NIS+ due to its excellent data management
facilities (basically, you can query/modify any field with complete
API and CLI control).

So I'm spending more time with LDAP, and I'm hating it. Sure, I
can generate LDIF and feed it in, but it seems such a kludge,
and correct configuration seems far too difficult.

Solaris' LDAP client is quite idiosyncratic - eg you can't perform the usual anonymous bind and search for the DN, then disconnect and rebind with the found DN and provided password, which is how things work with PADL's pam_ldap. Instead, Solaris' native pam_ldap doesn't disconnect, and so you have to use a proxy account to search with, as you can't perform an authenticated rebind if you're bound anonymously.

Actually, that's not true, you can do it but it's not documented apart from the sparks-discuss archives: http://mail.opensolaris.org/pipermail/sparks-discuss/2007-July/000221.html

More generally, there's a bunch of choices you have to make when using LDAP; its flexibility is also its undoing in some respects. Do you want simple binds with TLS, SASL or Kerberos? Samba support? How about using it as an address book too?

http://www.andrelop.org/blog/2009/11/14/public-service-announcement-a-ldap-directory-wont-do-it-all-by-itself/

Having said that, I think there is a common baseline that's a good starting point, which I've tried to document http://wiki.ucc.asn.au/LDAP/LazySysadmin It's Linux and OpenLDAP specific and the LDAP Basics and Solaris client sections need work, but hopefully you'll find it useful. Feel free to edit it if it's not clear, I've put it on a wiki for a reason.

For starters, is there a complete and accurate guide to setting up
(say) OpenDS and configuring it as a Solaris nameservice (because
I haven't found anything even remotely helpful or accurate).

Does this guide have the information you need? http://developers.sun.com/identity/reference/techart/opends-namesvcs.html
http://developers.sun.com/identity/reference/techart/opends-namesvcs2.html

And then, how do people manage data inside LDAP? Is writing your
own LDIF really the answer?

There's a few good tools - ldapvi and shelldap are great terminal utilities, and of the GUIs I think Apache Directory Studio is the best.

http://www.lichteblau.com/ldapvi/
http://projects.martini.nu/shelldap
http://directory.apache.org/studio/

--
James Andrewartha | Sysadmin
Data Analysis Australia Pty Ltd
_______________________________________________
sysadmin-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
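An added example, not code from either poster, for the "is writing your own LDIF really the answer?" question above: generating the LDIF from the data you already have (passwd/shadow-style records) rather than typing it. It assumes the usual nss_ldap/pam_ldap layout (users under ou=People, objectClasses account + posixAccount + shadowAccount, crypt hashes stored as {CRYPT}...), a hypothetical suffix dc=example,dc=com, and constructed sample records. The part hand-written LDIF most often gets wrong is RFC 2849's base64 rule, so ldif_attr() applies it: a value that starts with a space, colon or '<', or that contains a control character or anything non-ASCII (accented names), must be written with '::' and base64-encoded.

```python
"""Generate posixAccount/shadowAccount LDIF from passwd/shadow-formatted data.

Added example for the sysadmin-discuss thread; not James's or Peter's code.
Assumes users live under ou=People with objectClasses account + posixAccount
+ shadowAccount and crypt hashes stored as {CRYPT}<hash>.
"""
import base64

BASE_DN = "dc=example,dc=com"  # hypothetical suffix, substitute your own

# Constructed sample records in passwd(5)/shadow(5) format; not real accounts.
SAMPLE_PASSWD = """\
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bjørn Eksempel,Room 42:/home/bob:/bin/sh
"""
SAMPLE_SHADOW = """\
alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyz:18000:0:99999:7:::
bob:!:18000:0:99999:7:::
"""


def ldif_attr(name, value):
    """Render one 'name: value' line, base64-encoding when RFC 2849 requires it.

    A value is not a SAFE-STRING (and so needs the 'name:: base64' form) if it
    starts with a space, a colon or '<', or contains NUL, LF, CR or any
    character above 0x7F.
    """
    unsafe = value.startswith((" ", ":", "<")) or any(
        ord(c) in (0x00, 0x0A, 0x0D) or ord(c) > 0x7F for c in value
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def parse_passwd(text):
    """Return {login: fields} from passwd(5)-formatted text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        login, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        users[login] = {"uid": uid, "gid": gid, "gecos": gecos,
                        "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Return {login: fields} from shadow(5)-formatted text (first six fields)."""
    shadow = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        shadow[f[0]] = {"hash": f[1], "last": f[2], "min": f[3],
                        "max": f[4], "warn": f[5]}
    return shadow


def user_entry(login, pw, sh, base_dn):
    """Build the LDIF lines for one user (no trailing blank line)."""
    # GECOS is 'Full name,Room,Work phone,Home phone'; cn takes the first field.
    cn = pw["gecos"].split(",")[0].strip() or login
    lines = [f"dn: uid={login},ou=People,{base_dn}"]
    for oc in ("top", "account", "posixAccount", "shadowAccount"):
        lines.append(ldif_attr("objectClass", oc))
    lines += [
        ldif_attr("uid", login),
        ldif_attr("cn", cn),
        ldif_attr("uidNumber", pw["uid"]),
        ldif_attr("gidNumber", pw["gid"]),
        ldif_attr("homeDirectory", pw["home"]),
        ldif_attr("loginShell", pw["shell"]),
        ldif_attr("gecos", pw["gecos"]),
    ]
    if sh is not None:
        # A locked hash ('!' or '*') is carried over as-is: {CRYPT}! matches no
        # password, so the account stays locked. Unlike NIS, the directory's
        # ACLs decide who can read userPassword; deny anonymous reads or you
        # are back to handing the raw crypts to everyone.
        lines.append(ldif_attr("userPassword", "{CRYPT}" + sh["hash"]))
        for attr, key in (("shadowLastChange", "last"), ("shadowMin", "min"),
                          ("shadowMax", "max"), ("shadowWarning", "warn")):
            if sh[key]:  # shadow fields may be empty; never emit 'attr: '
                lines.append(ldif_attr(attr, sh[key]))
    return lines


def passwd_to_ldif(passwd_text, shadow_text, base_dn=BASE_DN):
    """Return LDIF text with one entry per user, entries separated by a blank line."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    entries = ["\n".join(user_entry(u, users[u], shadow.get(u), base_dn))
               for u in sorted(users)]
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW), end="")
```

The output is what you would feed to ldapadd (or open in ldapvi to review first); bob's entry shows cn and gecos coming out base64-encoded because of the non-ASCII name, which is exactly the case that silently breaks when pasted by hand.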
