Friday, January 28, 2011

Alternatives to native LDAP

We've implemented an LDAP to NIS solution and have begun transitioning some systems to native LDAP binding for authentication and automount maps. Unfortunately we have a very mixed environment with more than 20 *nix environments. The setup for each variant is of course unique and has required various workarounds to get full functionality. We're now at the point where we're willing to revisit the solution and possibly migrate toward something like Likewise (http://www.likewise.org), but would like to know what others are using to solve this problem.

  • We have "solved" the problem by standardizing on RHEL/CentOS. That solves a boatload of other portability problems as well.

    As for LDAP, we use it too, but the interface between ldap and NSS is far from perfect (same goes for any other network service). If I had the time, I'd look into deploying nsscache instead of nss_ldap. Or maybe even replace pam_ldap and nss_ldap with winbind, to better integrate with our windows environment (likewise is a variant of winbind, no?).

    Matt: I'm jealous, I wish we could solve the problem in that way.
    From janneb
  • I used to have 40ish Linux servers, all with local authentication. Life was hell.

    I finally solved the problem by building an Active Directory infrastructure and implementing Likewise Open to authenticate all of my machines (plus samba, ftp, jabber, and half a dozen web apps).

    Now I've got 80-100 servers all using the same authentication and my users love it (but not nearly as much as I do).

    I have never once regretted using Likewise. I talked about it so much on my blog that they sent me a T-shirt!

    Matt: How is the performance? Have you had any experience with the non-Linux variants? We've got 5,000+ hosts globally and LDAP performance has been lacking.
    Matt Simmons: Our performance has been very good. The only minor quibble that I have is that I find myself occasionally clearing the cache after a user's information changes in the directory. It sounds like your infrastructure is a little more advanced than mine ;-)
  • Many companies are using Likewise and it is working very well. We had around 20 servers using native users and we moved to Likewise and life is a lot simpler.

  • @Avery,

    This is essentially what Likewise Open does. It makes use of Kerberos (via PAM) to authenticate the user. It also provides NSSWITCH modules to perform SID->ID mapping (using various algorithms, some LDAP based, some hash based).

    It has several advantages over plain old pam_krb5:

    • Support for AD "sites" including smart DC failover to the nearest DC
    • Support for offline authentication (if the network is down or you're on a disconnected laptop)
    • Automatic configuration of PAM and krb5.conf

    Cheers,

    Manny Vellon CTO, Likewise
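The comment above mentions that the NSS side of an AD integration has to turn a Windows SID into a POSIX ID, either by reading an assigned ID from the directory or by deriving one from the SID. The following added example (illustrative code, not Likewise's or any other product's actual algorithm) shows the two derived approaches side by side, RID offset versus hash of the full SID, and the collision check an administrator would want before trusting either in a multi-domain forest; the domain SID and RIDs are constructed sample values.

```python
import hashlib
import re

# Constructed sample domain SID; not taken from any real directory.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"

# S-1-<authority>-<sub-authority>[-<sub-authority>...]; the last one is the RID.
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into (domain_sid, rid); reject malformed input."""
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_id(sid, base=10000):
    """RID-offset mapping: ID = base + RID.
    Unique only within a single domain, since every domain reuses RIDs."""
    _, rid = parse_sid(sid)
    return base + rid


def hash_to_id(sid, lo=100000, hi=1000000):
    """Hash mapping: derive the ID from the whole SID so that accounts from
    several domains can coexist. Collisions are possible in the [lo, hi)
    range, so a deployment must detect them (see build_id_table)."""
    domain, rid = parse_sid(sid)
    digest = hashlib.sha256(("%s-%d" % (domain, rid)).encode()).digest()
    return lo + int.from_bytes(digest[:4], "big") % (hi - lo)


def build_id_table(sids, mapper):
    """Map every SID with `mapper`; return the table plus the SIDs whose
    numeric ID duplicates one already assigned."""
    table, collisions = {}, []
    for sid in sids:
        uid = mapper(sid)
        if uid in table.values():
            collisions.append(sid)
        table[sid] = uid
    return table, collisions
```

Run against two domains that both hand out RID 1105, the RID-offset mapper reports a collision while the hash mapper keeps the accounts apart; that is the trade-off the comment's "some LDAP based, some hash based" remark refers to.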
