
Does anyone use LDAP?


Kegnut (Technical User, US)
Apr 18, 2001
Hello,

I am currently running NIS on a small network. I am not too happy with NIS and I heard that LDAP is a replacement and better in a lot of ways. Has anyone configured LDAP on their servers? Had any problems? Where is a good place to go to find out exactly how people are configuring it?

Thanks in advance for any help,
Josh
 
Hi,
This is a Solaris forum. We use LDAP on Windows but not on Solaris because the LDAP server is built into the Windows 2000 domain server.

How hard is it to configure LDAP on Solaris?

 
In Solaris 2.6 and Solaris 8 you can use the iPlanet Directory Server 4.16 free of charge with up to 200,000 entries. This license agreement is only for iDS on the Solaris OS. Or you can use OpenLDAP, but you will have major advantages if you use iDS on Solaris instead of OpenLDAP or Windows 2000 Active Directory. Note that objects necessary to support a Solaris user, such as NIS/NIS+ tables, are not counted towards the 200,000-entry limit. Also in Solaris 9 you will have the same license type, extended to iDS 5.1. You can check a doc on the differences of Active Directory vs. iDS in:

Regards,

Carlos Almeida
 
Thanks for all the input.

I guess my real question is, does Solaris still use files like nsswitch.conf? If so, how is that involved? I'm really stoked about the LDAP concept, but I can't find many resources that use it the way I want (to replace NIS). So I apologize for my ignorance. And thanks in advance for any more input.

Josh
 
Kegnut,

Yes, the nsswitch.conf is still used. Basically, the nsswitch.conf file defines the order and where to look to authenticate users/services. For example, it contains an entry named hosts. In the following example:
hosts: files dns nis
If a user were to telnet to another system using "hostname", the system would first look in files (/etc/hosts); if not found, it would then look in DNS, etc. If the IP address/hostname could not be found in any of those, the connection would not be made.
Similarly, there is a passwd entry. An entry like:
passwd: files nis
has the system look in the local /etc/passwd file first for the userid/passwd. If not found, it goes to NIS. If not in NIS, the user does not get logged in. This allows local users to have separate accounts and not use NIS.
This is a real simple explanation. There is another entry that you will see, "not found = return" (or something like that; I don't have access to a Unix box right now), that you have to watch for. If you had passwd files Not_found=return nis, then if the userid was not found on the local system, NIS would never be checked.
This is a quick and dirty explanation, but you should get a rough idea of how nsswitch works. Stick with NIS; LDAP is a different animal.

Hope this helps,
yowza
 
Right... thanks for the information, but I already knew how nsswitch.conf works. Maybe I worded it wrong, but my question was: does LDAP tie into the nsswitch.conf file? Or is the /etc directory the one that is "shared" by LDAP?

Thanks again!
Josh
 
Yes, the keyword "ldap" also goes into the nsswitch.conf file, e.g.:

...
hosts: files dns ldap
...

Regards,

Carlos Almeida,
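To make the source-order and [NOTFOUND=return] behaviour from yowza's post and the "hosts: files dns ldap" line above concrete, here is a small simulator of Solaris-style nsswitch.conf resolution. It is an added example, not code from this thread; the nsswitch lines, the backend contents and the user/host names in it are constructed.

```python
import re

# Default action per backend status when no [STATUS=action] clause overrides it.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue", "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Constructed nsswitch.conf fragment: passwd stops at files when the user is absent there.
SAMPLE_NSSWITCH = """passwd: files [NOTFOUND=return] nis
hosts:  files dns ldap
"""
# Constructed backend contents: source -> database -> key -> value.
BACKENDS = {
    "files": {"passwd": {"root": "uid=0"}, "hosts": {"localhost": "127.0.0.1"}},
    "nis":   {"passwd": {"jdoe": "uid=1001"}},
    "dns":   {"hosts": {"www.example.com": "192.0.2.80"}},
    "ldap":  {"hosts": {"ldapsrv": "192.0.2.10"}},
}

def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}; a [..] clause binds to the preceding source."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        for crit, src in re.findall(r"\[([^\]]*)\]|(\S+)", rest):
            if src:
                entries.append((src, dict(DEFAULT_ACTIONS)))
            elif entries:
                for pair in crit.split():
                    status, _, action = pair.partition("=")
                    entries[-1][1][status.upper()] = action.lower()
        table[db.strip()] = entries
    return table

def resolve(table, database, key, backends):
    """Consult the sources in order; return (value or None, trace of source=status)."""
    trace = []
    for source, actions in table.get(database, []):
        if source not in backends:                 # source not configured or down
            status, value = "UNAVAIL", None
        else:
            value = backends[source].get(database, {}).get(key)
            status = "SUCCESS" if value is not None else "NOTFOUND"
        trace.append(f"{source}={status}")
        if actions[status] == "return":
            return value, trace
    return None, trace
```

With the sample file, a user that exists only in NIS is never found for passwd because [NOTFOUND=return] stops the walk after files, while a host known only to LDAP is resolved after files and dns report NOTFOUND.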
 
Thanks Carlos,

Is there any format as far as where to install or the location of LDAP files (i.e. slapd.conf, etc.)?
 
It will depend on whether you use the iPlanet iDS server or a freeware LDAP server like OpenLDAP, and then on what you want. You can use LDAP in 3 ways. As a "native Solaris LDAP implementation": in general the goal of this implementation is to store in LDAP all the information formerly stored in NIS maps and/or NIS+ tables and enable Solaris clients to access that information through LDAP rather than the NIS protocol, then use LDAP for pam, login, ssh, etc. authentication. Or you can use LDAP only to store/maintain the NIS/NIS+ maps and use NIS for authentication. Or use LDAP only to serve local applications. So to answer your question... it depends, but e.g. native LDAP and storing NIS maps require different schemas and configurations.

Hope it helps,

Carlos Almeida,
 
Thanks a lot Carlos!

That is what I was trying to get at. In your opinion though, which is better? iPlanet or OpenLDAP?

Josh
 
It's hard to say... When comparing iDS 4.16 (the one you can use free now) with OpenLDAP 2.x, OpenLDAP has some advantages: iDS 4.16 doesn't support TLS encryption (only SASL), some client utilities from OpenLDAP are better, and schema handling and syntax checks in iDS 4.16 are sometimes a nightmare (you need to know the tricks). But when it comes to performance iDS 4.16 is the winner, and it supports more standards and integrations than OpenLDAP at the moment. In iDS you will have a Java GUI, console, and web admin utilities; also the later versions like 4.16 and 5.1 have a tendency to be less buggy than OpenLDAP. iDS users will have Sun support and OpenLDAP users open community help. With iDS 5.1 things are a little different: 5.1 schema formats and syntax checks are finally a good thing!, benchmark results are better, even than 4.16, it supports TLS encryption, and the Java console is more robust and less buggy, but iDS 5.1 for now is not free (this will change in Solaris 9). If your bet is an LDAP implementation, choose carefully, but it's a hard one, I know!

Hope it helps,

Carlos Almeida,