On Thu, Nov 19, 2009 at 1:24 AM, James Andrewartha <jam...@daa.com.au> wrote:
> Peter Tribble wrote:
>>
>> I found Ben's poll interesting:
>>
>> http://www.cuddletech.com/blog/pivot/entry.php?id=1094
>>
>> although I would have to step back a pace and ask - "What
>> Naming Service"? Because it's not entirely obvious to me
>> that a directory server is an optimal answer (it may be the
>> best, but I don't find it optimal).
>>
>> Now I've used standard Name Services - NIS and NIS+ -
>> extensively, and have done a lot of work on LDAP.
>>
>> NIS:
>>
>> Pretty easy to set up, limited functionality beyond the basic,
>> data management facilities are crude, scales poorly.
>
> It's also horribly insecure, exposing the raw crypts to everyone unless you
> turn on C2 security (which itself is only as secure as binding to a low
> port).
>
>> LDAP:
>>
>> More demanding of resources. While LDAP itself is easy to set
>> up, actually configuring it to work correctly is a bear. Scales
>> well, excellent interoperability, but data management facilities
>> are primitive to non-existent.
>>
>> In the past I've loved NIS+ due to its excellent data management
>> facilities (basically, you can query/modify any field with complete
>> API and CLI control).
>>
>> So I'm spending more time with LDAP, and I'm hating it. Sure, I
>> can generate LDIF and feed it in, but it seems such a kludge,
>> and correct configuration seems far too difficult.
>
> Solaris' LDAP client is quite idiosyncratic - eg you can't perform the usual
> anonymous bind and search for the DN, then disconnect and rebind with the
> found DN and provided password, which is how things work with PADL's
> pam_ldap. Instead, Solaris' native pam_ldap doesn't disconnect, and so you
> have to use a proxy account to search with, as you can't perform an
> authenticated rebind if you're bound anonymously.
>
> Actually, that's not true, you can do it but it's not documented apart from
> the sparks-discuss archives:
> http://mail.opensolaris.org/pipermail/sparks-discuss/2007-July/000221.html

That's not entirely accurate.  IIRC, the native ldap client (I think
it is called ldap2 internally since the original version was more
simplistic), would always use either anonymous binding or a proxy
entry to locate a user's DN (depending on the client profile).  This
is documented in whatever book the LDAP client configuration is in on
docs.sun.com (naming services guide?).  However, there was a bug that
broke this which has since been fixed.  Unless you are running Solaris
10 that hasn't been patched in the past 12-18 months (or more), or an
extremely ancient version of SXCE, it should be fixed.

> More generally, there's a bunch of choices you have to make when using LDAP,
> its flexibility is also its undoing in some respects. Do you want simple
> binds with TLS, SASL or Kerberos? Samba support? How about using it as an
> address book too?
>
> http://www.andrelop.org/blog/2009/11/14/public-service-announcement-a-ldap-directory-wont-do-it-all-by-itself/
>
> Having said that, I think there is a common baseline that's a good starting
> point, which I've tried to document http://wiki.ucc.asn.au/LDAP/LazySysadmin
> It's Linux and OpenLDAP specific and the LDAP Basics and Solaris client
> sections need work, but hopefully you'll find it useful. Feel free to edit
> it if it's not clear, I've put it on a wiki for a reason.
>
>> For starters, is there a complete and accurate guide to setting up
>> (say) OpenDS and configuring it as a Solaris nameservice (because
>> I haven't found anything even remotely helpful or accurate).
>
> Does this guide have the information you need?
> http://developers.sun.com/identity/reference/techart/opends-namesvcs.html
> http://developers.sun.com/identity/reference/techart/opends-namesvcs2.html

Unfortunately, those are rather outdated.  For example, I didn't see
any information on creating the necessary indexes (you at least need
the vlv indexes for certain things to work right), and the rfc2307
schema has been included with opends for a while now, and you don't
want to try to add it in.

>
>> And then, how do people manage data inside LDAP? Is writing your
>> own LDIF really the answer?
>
> There are a few good tools - ldapvi and shelldap are great terminal utilities,
> and of the GUIs I think Apache Directory Studio is the best.
>
> http://www.lichteblau.com/ldapvi/
> http://projects.martini.nu/shelldap
> http://directory.apache.org/studio/
>
> --
> James Andrewartha | Sysadmin
> Data Analysis Australia Pty Ltd
> _______________________________________________
> sysadmin-discuss mailing list
> sysadmin-discuss@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/sysadmin-discuss
>
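As an added illustration of the "generate LDIF and feed it in" workflow discussed above (this is example code, not from either poster), the script below turns /etc/passwd-style lines into RFC 2307 posixAccount entries, applying RFC 2849's rule that a value which is not a "safe string" must be base64 encoded (the `::` form). The base DN and the sample passwd line are assumptions; password hashes are deliberately not emitted, since the crypt lives in the shadow file and loading it into the directory needs a matching ACI so it is not readable by everyone (the same exposure James describes for NIS).

```python
import base64
import re

BASE_DN = "ou=people,dc=example,dc=com"  # assumed base DN, adjust to your suffix

# RFC 2849 SAFE-STRING: first char may not be NUL, LF, CR, space, ':' or '<';
# no char may be NUL, LF, CR or above 0x7F. Anything else must use "attr:: base64".
_SAFE_STRING = re.compile(
    r"^[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
    r"[\x01-\x09\x0b\x0c\x0e-\x7f]*$"
)


def ldif_attr(name, value):
    """Format one attribute line, base64-encoding the value when RFC 2849 requires it."""
    if value and (_SAFE_STRING.match(value) is None or value.endswith(" ")):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def passwd_to_ldif(line, base_dn=BASE_DN):
    """Convert one passwd(4) line into an RFC 2307 posixAccount LDIF entry."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    name, _pw, uid, gid, gecos, home, shell = fields
    # Required by the person and posixAccount object classes: sn, cn, uid,
    # uidNumber, gidNumber, homeDirectory. userPassword is intentionally omitted.
    attrs = [
        ("dn", f"uid={name},{base_dn}"),
        ("objectClass", "top"),
        ("objectClass", "person"),
        ("objectClass", "posixAccount"),
        ("uid", name),
        ("cn", gecos or name),
        ("sn", name),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
        ("loginShell", shell),
    ]
    if gecos:
        attrs.append(("gecos", gecos))
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


if __name__ == "__main__":
    # Constructed sample line; pipe real output to ldapadd/ldapmodify -a.
    print(passwd_to_ldif("ptribble:x:1001:10:Peter Tribble:/export/home/ptribble:/bin/ksh"))
```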