01-15-2009
user management - LDAP and local files
I am implementing LDAP on Linux based system using openldap.
My management objects to the idea that all individual users will authenticate against an LDAP server because “what if it is not available”
Their suggestion is that we run in parallel a set of local configured users and a set of LDAP configured users and both methods can coexist without conflicts.
I think it is a very bad idea but I cannot think of any good justification why it should be the case.
Besides the obvious that it is going to be very hard to maintain two separate methods for user management on multiple servers (about 20) and that it can create confusion when creating new users or disabling users.
Just to clarify, we have a cluster for the LDAP server and we have high availability.
Also, generic users that are required by the application or the database will stay on the local files.
I am talking about having some individual users managed locally in /etc/shadow and some using the LDAP server no synchronization between the two.
I know it sounds a horrible idea but I need to come up with some strong arguments to convince my “old fashioned” management.
I will appreciate any argument either way.
thanks
10 More Discussions You Might Find Interesting
1. Linux
Hi All,
If ldap user is disabled on linux. Do you think ldap processes will still run while ldap user had been disabled?
Thanks for any comment you may add. (2 Replies)
Discussion started by: itik
2 Replies
2. UNIX for Advanced & Expert Users
Besides doing some shell-script which loops through /etc/passwd, I was wondering if there was some command that would tell me, like an enhanced version of getent.
The Operating system is Solaris 10 (recent-ish revision) using Sun DS for LDAP. (5 Replies)
Discussion started by: ckmehta
5 Replies
3. AIX
Hi Friends,
I have this script for ftping files from AIX server to local windows xp.
#!/bin/sh
HOST='localsystem.net'
USER='myid_onlocal'
PASSWD='mypwd_onlocal'
FILE='file.txt' ##This is a file on server(AIX)
ftp -n $HOST <<END_SCRIPT
quote USER $USER
quote PASS $PASSWD
put $FILE... (1 Reply)
Discussion started by: rajsharma
1 Replies
4. AIX
If I create a new user id test:
mkuser id=400 test
then I want it to LDAP user:
chuser -R LDAP SYSTEM=LDAP registry=LDAP test
It shows:
3004-687 User "test" does not exist.
How to do? (4 Replies)
Discussion started by: rainbow_bean
4 Replies
5. Shell Programming and Scripting
Hi Gurus,
I have a script that requires me to switch from local user to root. Anyone who has an idea on this since when i switch user to root it requires me to input root password.
It seems that i need to use expect module here, but i don't know how to create the object for this.
... (1 Reply)
Discussion started by: linuxgeek
1 Replies
6. Shell Programming and Scripting
good evening .. I have a plea, who I can help me with a management application user rights on the files in a Unix / Linux
I need for college .. .. and not told us no clue .. thank you (1 Reply)
Discussion started by: alex90
1 Replies
7. AIX
Hello,
I'm currently trying to mix local and LDAP users on an AIX 7.1.
I've triied many things.
My LDAP Server in on a CentOS - OpenLDAP (which works fine with linux).
I'm currently stuck on AIX at how to declare LDAP AND Local users.
Here's what i did :
/usr/sbin/mksecldap -c -h 'ldap03'... (15 Replies)
Discussion started by: AIX_user_324891
15 Replies
8. Shell Programming and Scripting
Hi,
I need to switch from local user to root user in a shell script.
I need to make it automated so that it doesn't prompt for the root password.
I heard the su command will do that work but it prompt for the password.
and also can someone tell me whether su command spawns a new shell or... (1 Reply)
Discussion started by: Little
1 Replies
9. UNIX for Advanced & Expert Users
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
10. UNIX for Advanced & Expert Users
Hello,
i configured rhel linux 6 with AD directory to authorize windows users to connect on the system and it works.
i have accounts with high privileges (oracle for example) if an account is created on the AD server i would to block him.
I looked for how to do, for the moment all the... (3 Replies)
Discussion started by: vincenzo
3 Replies
LEARN ABOUT OPENDARWIN
ldap_abandon
LDAP_ABANDON(3) Library Functions Manual LDAP_ABANDON(3)
NAME
ldap_abandon, ldap_abandon_ext - Abandon an LDAP operation in progress
LIBRARY
OpenLDAP LDAP (libldap, -lldap)
SYNOPSIS
#include <ldap.h>
int ldap_abandon(LDAP *ld, int msgid);
int ldap_abandon_ext(LDAP *ld, int msgid,
LDAPControl *sctrls[], LDAPControl *cctrls[]);
DESCRIPTION
The ldap_abandon() routine is used to abandon or cancel an LDAP operation in progress. The msgid passed should be the message id of an
outstanding LDAP operation, as returned by ldap_search(3), ldap_modify(3), etc.
ldap_abandon() checks to see if the result of the operation has already come in. If it has, it deletes it from the queue of pending mes-
sages. If not, it sends an LDAP abandon operation to the the LDAP server.
The caller can expect that the result of an abandoned operation will not be returned from a future call to ldap_result(3).
ldap_abandon_ext() is equivalent to ldap_abandon() except that it allows server and client controls to be passed in sctrls and cctrls,
respectively.
ERRORS
ldap_abandon() returns 0 if everything goes ok, -1 otherwise, setting ld_errno with an appropriate LDAP error code.
ldap_abandon_ext() directly returns an LDAP error code indicating success or failure of the operation.
See ldap_error(3) for details.
SEE ALSO
ldap(3), ldap_result(3), ldap_error(3)
ACKNOWLEDGEMENTS
OpenLDAP is developed and maintained by The OpenLDAP Project (http://www.openldap.org/). OpenLDAP is derived from University of Michigan
LDAP 3.3 Release.
OpenLDAP 2.1.X RELEASEDATE LDAP_ABANDON(3)