We are planning a new infrastructure of a dozen servers, so I wanted to know whether there is a way to authenticate and authorize against Novell eDirectory. It would be much easier to have all users, their passwords and permissions in eDirectory and not to create all of this on each box. I saw this document - LUM - but other than that I haven't found any other info. Is it even possible to set it up that way, and are there any documents regarding LUM?
On Thu, 09 Feb 2012 18:26:08 +0000, MkWeber wrote:
> We are planning a new infrastructure of a dozen servers, so I wanted to know
> whether there is a way to authenticate and authorize against Novell eDirectory.
Yes, and you don’t need to use LUM if you’re using Linux (LUM provides
integration of eDirectory user IDs with the traditional /etc/passwd user
IDs).
You can just install the RFC2307 schema extensions in eDirectory and
configure an LDAP authentication source if you don’t care about accessing
filesystems (for example) on the eDirectory server (i.e., if you just want
desktop authentication).
Excuse me for being silly; directories/domains are not my forte. After users are authenticated against eDirectory, what UID/GID do they get, and from where? Also, what happens with the home directory, and who is the owner of the processes they run on the box?
On Thu, 09 Feb 2012 21:56:02 +0000, MkWeber wrote:
> Excuse me for being silly; directories/domains are not my forte. After
> users are authenticated against eDirectory, what UID/GID do they get, and
> from where?
The RFC2307 schema extensions take care of extending the eDirectory
schema so those attributes are present. You’ll need to assign those when
creating the user. (LUM takes care of that automatically, IIRC, which
would be an advantage of using it.)
> Also, what happens with the home directory, and who is the owner
> of the processes they run on the box?
UID/GID are mapped back and used for this, so the user "exists" on the
client box with those values; it's just a question of where the data is
sourced from. When using LDAP for authentication, that comes from the
LDAP data source rather than the /etc/passwd file.
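To make the two answers above concrete (the RFC2307 attributes the schema extension adds, and how a Linux client turns them into the UID/GID, home directory and shell that own the user's processes and files), here is an added example that is not from this thread, from Novell, or from the poster's setup. It mimics what an NSS LDAP module does: it reads posixAccount/posixGroup entries and produces /etc/passwd and /etc/group style records. The LDIF, the DNs, the numeric IDs and the MIN_UID policy are all constructed assumptions; a real client would be pointed at the eDirectory LDAP server through nss_ldap/sssd rather than fed an LDIF file.

```python
"""Show how RFC2307 attributes on an LDAP (here: eDirectory) user become the
UID/GID, home directory and shell a Linux client uses, the way an NSS LDAP
module would. Added example for this thread, not Novell code or the
poster's setup; the LDIF, DNs and numeric IDs below are constructed."""

MIN_UID = 1000  # assumed site policy: leave lower IDs to local system accounts


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no line continuations) into a list
    of {attribute: [values]} dicts, one per entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


# The RFC2307 attributes a posixAccount must carry before NSS can use it.
REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")


def passwd_lines(entries):
    """Build /etc/passwd-format records for posixAccount entries.
    Returns (lines, skipped): skipped lists (dn, reason) for users whose
    RFC2307 attributes were never assigned or that violate MIN_UID."""
    lines, skipped = [], []
    for e in entries:
        if "posixAccount" not in e.get("objectClass", []):
            continue  # not a POSIX user, NSS never sees it
        missing = [a for a in REQUIRED if a not in e]
        if missing:
            skipped.append((e["dn"][0], "missing " + ",".join(missing)))
            continue
        if int(e["uidNumber"][0]) < MIN_UID:
            skipped.append((e["dn"][0], "uidNumber below MIN_UID"))
            continue
        # password field is "x": the credential check is a PAM/LDAP bind,
        # so no hash is ever copied onto the client box
        lines.append(":".join([
            e["uid"][0], "x", e["uidNumber"][0], e["gidNumber"][0],
            e.get("gecos", e["cn"])[0], e["homeDirectory"][0],
            e.get("loginShell", ["/bin/sh"])[0],
        ]))
    return lines, skipped


def group_lines(entries):
    """Build /etc/group-format records for posixGroup entries."""
    out = []
    for e in entries:
        if "posixGroup" in e.get("objectClass", []):
            out.append(":".join([e["cn"][0], "x", e["gidNumber"][0],
                                 ",".join(e.get("memberUid", []))]))
    return out


def owner_name(entries, uid_number):
    """Resolve a numeric UID (from a process or a file) back to a login name;
    an unresolvable ID stays numeric, which is exactly what ls/ps show when
    the directory entry lacks uidNumber."""
    for e in entries:
        if e.get("uidNumber", [None])[0] == str(uid_number):
            return e["uid"][0]
    return str(uid_number)


SAMPLE_LDIF = """\
# constructed sample data: one complete user, one user whose POSIX
# attributes were never assigned, one group
dn: cn=alice,ou=users,o=example
objectClass: inetOrgPerson
objectClass: posixAccount
cn: alice
uid: alice
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/alice
loginShell: /bin/bash

dn: cn=bob,ou=users,o=example
objectClass: inetOrgPerson
objectClass: posixAccount
cn: bob
uid: bob

dn: cn=devs,ou=groups,o=example
objectClass: posixGroup
cn: devs
gidNumber: 5000
memberUid: alice
"""

if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    pw, skipped = passwd_lines(ents)
    print("\n".join(pw))
    print("\n".join(group_lines(ents)))
    for dn, why in skipped:
        print("skipped:", dn, why)
    print("uid 10001 ->", owner_name(ents, 10001))
```

On a real client the equivalent check is `getent passwd alice` and `id alice`: if either comes back empty, the user's RFC2307 attributes are missing or NSS is not pointed at the directory, and the home directory and process ownership questions above have no answer until that is fixed.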
Thanks a lot. I have some ideas of how to do it now. I'm still not sure the organisation will allow changes (extensions) to LDAP, but if they had some Unix boxes, maybe it is already in place.
On Thu, 09 Feb 2012 22:46:02 +0000, MkWeber wrote:
> Thanks a lot. I have some ideas of how to do it now. I'm still not sure the
> organisation will allow changes (extensions) to LDAP, but if they had
> some Unix boxes, maybe it is already in place.
It’s possible they are, but yes, you’d need to be an administrator of the
[Root] of the eDirectory tree in order to extend the schema, and it did
occur to me after the fact that if you’re not that familiar with
directories, you probably don’t have those rights.
Your admin will probably know what to do on the Linux side as well; there
are some Novell TIDs on how to set this up from that side.