HPE Community
Operating System - Linux
1753521 Members
4798 Online
108795 Solutions
New Discussion юеВ

Re: user management - LDAP and local files

 
A.K.
Frequent Advisor

тАО01-14-2009 08:58 AM

тАО01-14-2009 08:58 AM

user management - LDAP and local files

I am implementing LDAP on Linux based system using openldap.
My management objects to the idea that all individual users will authenticate against an LDAP server because тАЬwhat if it is not availableтАЭ
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP configured users and both methods can coexist without conflicts.
I think it is a very bad idea but I cannot think of any good justification why it should be the case.
Besides the obvious that it is going to be very hard to maintain two separate methods for user management on multiple servers (about 20) and that it can create confusion when creating new users or disabling users.
I will appreciate any argument either way.
Thanks,
A.K
0 Kudos
Reply
6 REPLIES 6
Ciro Iriarte
Valued Contributor

тАО01-14-2009 09:29 AM

тАО01-14-2009 09:29 AM

Re: user management - LDAP and local files

Well, it's a bad idea... What about keeping track of password changes?, passwords won't be synchronized between LDAP and /etc/shadow.

You can setup a second LDAP server (with synchronization) for High Availavility.

Other approach would be to create all the generic accounts locally (the ones used to run applications) which are often the more cricital and leave all the regular/real users on LDAP.
0 Kudos
Reply
A.K.
Frequent Advisor

тАО01-14-2009 09:41 AM

тАО01-14-2009 09:41 AM

Re: user management - LDAP and local files

Just to clarify,
We have a cluster for the LDAP server and we have high availability.
Also, generic users that are required by the application or the database will stay on the local files.
I am talking about having some individual users managed locally in /etc/shadow and some using the LDAP server ├в no synchronization between the two.
I know it sounds a horrible idea but I need to come up with some strong arguments to convince my ├в old fashioned├в management.
thanks,
A.K
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО01-14-2009 10:21 AM

тАО01-14-2009 10:21 AM

Re: user management - LDAP and local files

├В┬┐Don't they ever used Active Directory for the Microsoft Network?

The user account centralization, and UID/GID consistency are the major benefits of a Directory Server.

You can also add centralized security policies using LDAP server, like LDAP SUDO rules.

If you will have different local and ldap accouns, besides the administrative complexity there is no other problem.

Another argument is that without the use of LDAP, your users must follow the account policy rules on each server, having to change their information on all servers if required.

>>> ├в what if it is not available├в

You must desmostrate the high availability of the service. You can also say that the name service cache daemon can help you in that case.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
0 Kudos
Reply
IT Csar
Occasional Advisor

тАО01-14-2009 04:59 PM

тАО01-14-2009 04:59 PM

Re: user management - LDAP and local files

you can setup replication between LDAP master and slaves, and have more than one LDAP for domain/s

file://localhost/home/obrodkin/.mozilla/firefox/opirgk71.default/ScrapBook/data/20081031170459/index.html#listing18
0 Kudos
Reply
skt_skt
Honored Contributor

тАО01-18-2009 06:48 AM

тАО01-18-2009 06:48 AM

Re: user management - LDAP and local files

I would aslo recommed second LDAP server (mandatory as otherwise there would be a SPOF)and having local users for applications like oracle,applmgre and any other service account.
0 Kudos
Reply
Fredrik.eriksson
Valued Contributor

тАО01-19-2009 06:48 AM

тАО01-19-2009 06:48 AM

Re: user management - LDAP and local files

Wouldn't it be a good idea to use offline authentication for ldap if your users are worried about your ldap auth source being down?

Google has alot of info on this subject. I've never done it manually, SuSE supports this via installer.

Best Regards
Fredrik Eriksson
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.