FC2 and general LDAP Support

Shahms E. King shahms at shahms.com
Thu Nov 27 18:08:07 UTC 2003


On Wed, 2003-11-26 at 18:12, Enrico Scholz wrote:
> roli at israel-jugendtag.ch (Roland Käser) writes:
> 
> > What about moving the user database to LDAP for the FC2 release?
> 
> LDAP is not LDAP. Depending on the environment, different schemes with
> different, perhaps mandatory attributes will be used. So you will need
> some pre-configuration before installing the real Fedora Core and the
> useradd tools must be configurable to support the used scheme with
> reasonable defaults. 'useradd' will have to deal with other attributes
> (address, jpegphoto) and used authentication method (e.g. krb5 allows
> special password attributes).
> 
> Implementing this is not trivial and would be too much overkill for normal
> usage of FC (a standalone desktop). The nss_ldap module is ... aeh .. a
> little bit unstable; using it with TLS and non-selfsigned certificates
> gives mysterious faults when CA chain is not known, and network-faults are
> giving authentication errors for local users (root).

Different schemas is one thing, but, um, there are actually standard
schemas defined (that come with OpenLDAP) for all of this.  You can
pretty much bet that if someone has users and groups in the LDAP server,
they're using posixAccount and posixGroup objectclasses to do it.  And
if they're using Samba 2.x with LDAP they're using sambaAccount (yes, I
promise you they are, they don't have a choice in the matter). The
useradd tools don't need to know anything about the schema beyond what
is already available in /etc/ldap.conf (which provides a simple system
of 'attribute maps'  to deal with slight variations in attribute names
between schemas that don't follow the "standard" -- NDS, AIX, and AD SFU
being the most egregious offenders).

Additionally, while I think it's ridiculous to put the user database in
LDAP where it isn't warranted (especially by default), if that were to
happen, schemas would not be an issue as there would only be one schema
used by the Fedora LDAP user information and you can be almost certain
the Fedora user management tools would understand that schema at the
very least.

There is a difference between stability and a poor default
configuration.  I have had problems with SSL/TLS as well (but, well, the
certs we use have issues, they're self-signed and expired, so having
problems is to be expected ;-P).  Network faults (well, *any* fault) can
cause auth errors for local users if pam is configured incorrectly,
otherwise network errors will not impact local users *at all* (well,
other than a possible delay when they enter their password). 
Unfortunately, the Fedora authconfig *slightly* misconfigures pam by
leaving out 'service_err=ignore' (I think; it's been a while since I've
had to fix this anywhere, and it might be 'system_err=ignore' that it
doesn't add). But anyway, once it's correctly configured I've never had
any problems with stability.

-- 
--Shahms
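An added illustration of the pam stacking point made above (example code, not part of this message or of Fedora's authconfig): each PAM control field maps a module's return code to an action, and a `required` pam_ldap line, which is shorthand for `default=bad`, turns a service or system error from the LDAP module into a failure for the whole stack, local users included. The script parses PAM control fields (including the keyword shorthands defined in pam.conf(5)) and flags pam_ldap lines where `service_err` or `system_err` is not mapped to `ignore`. The two sample stacks are constructed; which return codes to look at follows the mail above and can be extended in `INFRA_CODES`.

```python
"""Flag pam_ldap lines whose control field turns an infrastructure error
(e.g. an unreachable LDAP server) into an authentication failure.
Added example, not part of the original message; the sample stacks below
are constructed, and the return codes checked follow the mail above."""

import re

# pam.conf(5) defines the simple control keywords as shorthand for these
# bracketed value=action tables.
KEYWORD_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# Return codes that mean "the module could not do its job" rather than
# "wrong password"; for a remote backend these are what network trouble
# produces.  Assumption: this list follows the mail; add others as needed.
INFRA_CODES = ("service_err", "system_err")

LINE_RE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?P<args>.*)$"
)


def parse_control(control):
    """Return a dict of return_code -> action for one PAM control field."""
    control = KEYWORD_CONTROLS.get(control, control)
    if not (control.startswith("[") and control.endswith("]")):
        raise ValueError("unknown control field: %r" % control)
    actions = {}
    for pair in control[1:-1].split():
        code, _, action = pair.partition("=")
        actions[code] = action
    return actions


def action_for(actions, code):
    """Action PAM takes for `code`: the explicit entry, else `default`."""
    return actions.get(code, actions.get("default", "ignore"))


def check_stack(lines, module="pam_ldap.so"):
    """Return (line_no, line, [codes]) for each `module` line where an
    infrastructure error is not ignored and so fails the whole stack."""
    findings = []
    for no, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or not m.group("module").endswith(module):
            continue
        actions = parse_control(m.group("control"))
        bad = [c for c in INFRA_CODES if action_for(actions, c) != "ignore"]
        if bad:
            findings.append((no, line.strip(), bad))
    return findings


# Constructed sample in the shape of a system-auth file: `required` on
# pam_ldap means default=bad, so a network error fails local logins too.
WEAK = [
    "auth     sufficient pam_unix.so likeauth nullok",
    "auth     sufficient pam_ldap.so use_first_pass",
    "account  required   pam_unix.so",
    "account  required   pam_ldap.so",
]

# Same stack with the error codes explicitly ignored on the pam_ldap line.
FIXED = [
    "auth     sufficient pam_unix.so likeauth nullok",
    "auth     sufficient pam_ldap.so use_first_pass",
    "account  required   pam_unix.so",
    "account  [default=bad success=ok user_unknown=ignore"
    " service_err=ignore system_err=ignore] pam_ldap.so",
]

if __name__ == "__main__":
    for name, stack in (("weak", WEAK), ("fixed", FIXED)):
        for no, line, bad in check_stack(stack):
            print("%s: line %d fails the stack on %s: %s"
                  % (name, no, ", ".join(bad), line))
        if not check_stack(stack):
            print("%s: no pam_ldap line lets a backend error block login" % name)
```

Note that the `auth` pam_ldap line passes in both stacks because `sufficient` expands to `default=ignore`; the exposure is on the `account` line, where `required` does not.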