Hi Gurus-

Many thanks to Pete Bentley, Karl Vogel, Bertand Hutin, and Karen van der Ploeg for their comments. Karen gets extra credit for guessing the software vendor in addition to providing a solution.

The general consensus is to dump the LDAP password table and parse it into both /etc/passwd and /etc/shadow on a regular basis. These files could then be rsync'd to provide synchronization of passwords across all the servers.

A PC tech I know suggested using the /etc/passwd and /etc/shadow files of one particular server to push the data nightly to the LDAP server and the other boxes. There's proof that something works "backwards" ;)

Many thanks to all,
-Sal

Original Posting:
---------------------------------------------------------------------------
Date: Wed, 11 Jun 2003 13:30:39 -0400 (EDT)

Hi Gurus-

I'm sorry this is lengthy, but I have to give you details.

The History:

We have an intense application with multiple data areas and environments that has rapidly expanded and now includes three portals and four servers. Each portal uses the same LDAP service for ACLs via user/passwd authentication at the web server level, and then connects to any of the four hosts based on the requested URL. An intermediate connector on the application servers maps the LDAP user to a UNIX user with consistency. Outside of some UNIX username/uid mismatches from one machine to the other, it all seems straightforward.

We are using NIS+ -- a migration to LDAP is in the works. The problem is not about setting up or using LDAP and/or NIS+ at the Solaris level.

The Problem:

The application handles security using internals that read /etc/passwd rather than call getpwnam() or equivalent. The software vendor currently does not support any type of centralized naming service. There are "rumors" that the next release "may" include such support, but it will not be available for at least a year or more.

If I went NIS+ or LDAP on these servers to synchronize UNIX accounts, /etc/passwd would not contain user names, and the application could not do security checks. There is no method I know of for synchronizing users between these four hosts and the directory server. This has become a huge monster in only the last month and a half.

Does anyone have any ideas on how to get /etc/passwd populated and synchronize /etc/shadow with LDAP? I will do LDAP to NIS+ to YP hacks if necessary.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Jun 12 11:30:18 2003
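The consensus answer in the summary is to dump the directory's accounts and regenerate /etc/passwd and /etc/shadow from them before rsync'ing the files around. The script below is an added example written for this archive page, not code from the thread or from any poster. It assumes an LDIF dump of RFC 2307 posixAccount/shadowAccount entries (the shape `ldapsearch -LLL` produces), that password hashes are stored as `{crypt}`-prefixed values (the only scheme the flat-file readers can verify), and that locally defined accounts with uids below 100 (root and the system accounts) stay under local control rather than being overwritten from the directory. The sample LDIF, the local passwd/shadow lines and every hash in it are constructed placeholders.

```python
"""Added example (not from the thread): build /etc/passwd and /etc/shadow lines
from an LDIF dump of RFC 2307 posixAccount/shadowAccount entries.
Assumptions: ldapsearch-style LDIF input, {crypt}-tagged hashes, local uids < 100 kept."""
import base64
import os
import tempfile

# Constructed sample dump. The hash values are placeholders, not real crypt(3) output.
SAMPLE_LDIF = """\
dn: uid=sal,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: sal
uidNumber: 1001
gidNumber: 100
gecos: Sal Example
homeDirectory: /export/home/sal
loginShell: /bin/ksh
userPassword:: e2NyeXB0fXh4UExBQ0VIT0xE
shadowLastChange: 12200
shadowMax: 90

dn: uid=karen,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: karen
uidNumber: 1002
gidNumber: 100
homeDirectory: /export/home/karen
userPassword: {SSHA}notUsableByCryptPlaceholder

dn: uid=broken,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: broken
gidNumber: 100
homeDirectory: /export/home/broken
"""

# Constructed local files: system accounts stay local; stale directory copies are replaced.
LOCAL_PASSWD = ["root:x:0:0:Super-User:/:/sbin/sh",
                "olduser:x:1001:100:stale copy:/export/home/olduser:/bin/sh"]
LOCAL_SHADOW = ["root:XXlocalPlaceholderXX:12000::::::",
                "olduser:XXstaleXX:12000::::::"]

SYSTEM_UID_CEILING = 100          # assumption: uids below this are never taken from LDAP
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts: folds continuation
    lines, base64-decodes '::' values (how ldapsearch emits userPassword)."""
    folded = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        else:
            folded.append(line)
    entries, cur = [], {}
    for line in folded:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(name.strip(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def first(entry, attr, default=""):
    return entry.get(attr, [default])[0]


def crypt_hash(entry):
    """Return the crypt(3) hash for /etc/shadow, or None if no {crypt} value exists."""
    for value in entry.get("userPassword", []):
        if value.lower().startswith("{crypt}"):
            return value[len("{crypt}"):]
    return None


def build_files(entries, local_passwd, local_shadow):
    """Return (passwd_lines, shadow_lines, skipped_dns). Local system accounts are
    kept verbatim; everything else is regenerated from the directory entries."""
    def is_local(line):
        try:
            return int(line.split(":")[2]) < SYSTEM_UID_CEILING
        except (IndexError, ValueError):
            return False
    keep = {l.split(":")[0] for l in local_passwd if is_local(l)}
    passwd = [l for l in local_passwd if l.split(":")[0] in keep]
    shadow = [l for l in local_shadow if l.split(":")[0] in keep]
    skipped = []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue
        fields = [first(e, a) for a in REQUIRED]
        gecos, shell = first(e, "gecos"), first(e, "loginShell", "/bin/sh")
        # Reject entries that are incomplete, would inject ':' or newlines into a
        # record, carry a non-numeric uid/gid, or collide with a protected local name.
        bad = any(not f or ":" in f or "\n" in f for f in fields)
        bad = bad or any(":" in f or "\n" in f for f in (gecos, shell))
        if bad or not fields[1].isdigit() or not fields[2].isdigit() or fields[0] in keep:
            skipped.append(first(e, "dn"))
            continue
        user, uidn, gidn, home = fields
        passwd.append(f"{user}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}")
        # No usable crypt hash -> locked (*LK* is the Solaris lock marker), never empty.
        h = crypt_hash(e) or "*LK*"
        shadow.append(":".join([user, h, first(e, "shadowLastChange"), first(e, "shadowMin"),
                                first(e, "shadowMax"), first(e, "shadowWarning"), "", "", ""]))
    return passwd, shadow, skipped


def write_atomic(path, lines, mode):
    """Write to a temp file in the same directory and rename it into place, so a
    reader never sees a half-written passwd/shadow; shadow is written mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    os.chmod(tmp, mode)
    os.replace(tmp, path)
    return path


if __name__ == "__main__":
    pw, sh, skipped = build_files(parse_ldif(SAMPLE_LDIF), LOCAL_PASSWD, LOCAL_SHADOW)
    out = tempfile.mkdtemp()                       # demo only: never writes to /etc
    write_atomic(os.path.join(out, "passwd"), pw, 0o644)
    write_atomic(os.path.join(out, "shadow"), sh, 0o600)
    print("\n".join(pw), "\nskipped:", skipped)
```

On the sample input, `sal` gets a passwd line and a shadow line carrying the decoded crypt hash and the shadowLastChange/shadowMax ageing fields, `karen` (an `{SSHA}` hash the flat files cannot verify) is written as a locked `*LK*` account rather than an empty password field, and `broken` (no uidNumber) is reported as skipped. The stale local `olduser` line is dropped because only uids below the ceiling are protected. The atomic rename and the 0600 mode on shadow matter because the files are regenerated on a schedule on the very hosts the application reads them from; pointing the generated files at a staging directory and rsync'ing from there keeps the same properties on the other servers.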