topic user management - LDAP and local files in Operating System - Linux

user management - LDAP and local files

A.K. — Wed, 14 Jan 2009 16:58:14 GMT

I am implementing LDAP on Linux based system using openldap.
My management objects to the idea that all individual users will authenticate against an LDAP server because “what if it is not available”
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP configured users and both methods can coexist without conflicts.
I think it is a very bad idea but I cannot think of any good justification why it should be the case.
Besides the obvious that it is going to be very hard to maintain two separate methods for user management on multiple servers (about 20) and that it can create confusion when creating new users or disabling users.
I will appreciate any argument either way.
Thanks,
A.K

Re: user management - LDAP and local files

Ciro Iriarte — Wed, 14 Jan 2009 17:29:26 GMT

Well, it's a bad idea... What about keeping track of password changes?, passwords won't be synchronized between LDAP and /etc/shadow.

You can setup a second LDAP server (with synchronization) for High Availavility.

Other approach would be to create all the generic accounts locally (the ones used to run applications) which are often the more cricital and leave all the regular/real users on LDAP.

Re: user management - LDAP and local files

A.K. — Wed, 14 Jan 2009 17:41:11 GMT

Just to clarify,
We have a cluster for the LDAP server and we have high availability.
Also, generic users that are required by the application or the database will stay on the local files.
I am talking about having some individual users managed locally in /etc/shadow and some using the LDAP server â no synchronization between the two.
I know it sounds a horrible idea but I need to come up with some strong arguments to convince my â old fashionedâ management.
thanks,
A.K

Re: user management - LDAP and local files

Ivan Ferreira — Wed, 14 Jan 2009 18:21:33 GMT

Â¿Don't they ever used Active Directory for the Microsoft Network?

The user account centralization, and UID/GID consistency are the major benefits of a Directory Server.

You can also add centralized security policies using LDAP server, like LDAP SUDO rules.

If you will have different local and ldap accouns, besides the administrative complexity there is no other problem.

Another argument is that without the use of LDAP, your users must follow the account policy rules on each server, having to change their information on all servers if required.

>>> â what if it is not availableâ

You must desmostrate the high availability of the service. You can also say that the name service cache daemon can help you in that case.

Re: user management - LDAP and local files

IT Csar — Thu, 15 Jan 2009 00:59:43 GMT

you can setup replication between LDAP master and slaves, and have more than one LDAP for domain/s

file://localhost/home/obrodkin/.mozilla/firefox/opirgk71.default/ScrapBook/data/20081031170459/index.html#listing18

Re: user management - LDAP and local files

skt_skt — Sun, 18 Jan 2009 14:48:51 GMT

I would aslo recommed second LDAP server (mandatory as otherwise there would be a SPOF)and having local users for applications like oracle,applmgre and any other service account.

Re: user management - LDAP and local files

Fredrik.eriksson — Mon, 19 Jan 2009 14:48:02 GMT

Wouldn't it be a good idea to use offline authentication for ldap if your users are worried about your ldap auth source being down?

Google has alot of info on this subject. I've never done it manually, SuSE supports this via installer.

Best Regards
Fredrik Eriksson