[Infrastructures] user management (mixing afs,ldap,kerberos)
Steve Traugott
stevegt@TerraLuna.Org
Thu, 10 Mar 2005 01:19:48 -0800
This is sort of a followup to another thread we just had, and to
something Joel and I wrote in the 1998 "bootstrapping" paper... At that
time, "Coda looked promising". I no longer think so, and haven't for a
long time, since the Coda maintainers haven't decided to make it a truly
production-quality filesystem. So that leaves us with AFS, but since
OpenAFS arrived things have changed -- it's evolving finally, and has
already gotten rid of silly features like the 2G size limit. That alone
was enough to convince me to have another go at it.
(To head off other questions -- Intermezzo didn't really make the grade,
and I'm not too sure Lustre is going to either.)
On Wed, Mar 09, 2005 at 11:06:43AM -0600, Sean Kelly wrote:
> On Wed, Mar 09, 2005 at 01:22:49PM +0100, Rudy Gevaert wrote:
> > A better option is AFS. And I'm now trying to get that to work. But
> > for AFS you need Kerberos. And if I'm correct you still need
> > something like NIS or LDAP (let us use LDAP). How can you now easily
> > manage Kerberos and LDAP? For each LDAP user you need a Kerberos
> > principal, right?
>
> I am looking for reading material in this area, so if you have anything to
> suggest please let me know. I recently got a book titled:
> Managing AFS by Richard Campbell
I highly recommend this book -- reading it right now.
> However, I'm in the market for a book that shows how to combine
> LDAP/NIS/Hesiod, Krb5, and AFS seamlessly.
I'm using krb5 and openldap. I found what I needed to know by saying
something like "openafs kerberos ldap howto" to Google. It turned out
to be not as painful as I thought. You just need to script user
creation/deletion to keep the two synced -- but you're going to want to
script that anyway, since you're going to want to also manage home
directory volumes in that same script.
Another possibility might be the Heimdal Kerberos server, since it can
use LDAP as its backend, I think. I forget what turned me away from
that though.
Steve
--
Stephen G. Traugott (KG6HDQ)
UNIX/Linux Infrastructure Architect, TerraLuna LLC
stevegt@TerraLuna.Org
http://www.stevegt.com -- http://Infrastructures.Org
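The create/delete script Steve describes above, written out as an added example (it is not part of the original post, nor code from OpenLDAP, MIT Kerberos or OpenAFS). It drives the three directories in one step so an LDAP account, a Kerberos principal and an AFS home volume are always created and removed together. Cell name, realm, base DN, file server, partition and the bind-password file are placeholder assumptions; set DRYRUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post.  Creates or removes a user in
# OpenLDAP, MIT Kerberos and OpenAFS as one unit.  Every name below is an
# assumed placeholder; override via the environment.
set -eu

CELL="${CELL:-example.org}"                     # AFS cell (assumed)
REALM="${REALM:-EXAMPLE.ORG}"                   # Kerberos realm (assumed)
BASE_DN="${BASE_DN:-dc=example,dc=org}"         # LDAP suffix (assumed)
LDAP_ADMIN="${LDAP_ADMIN:-cn=admin,$BASE_DN}"   # bind DN with write access
LDAP_SECRET="${LDAP_SECRET:-/etc/ldap.secret}"  # file holding the bind password
AFS_SERVER="${AFS_SERVER:-fs1.$CELL}"           # file server for home volumes
AFS_PART="${AFS_PART:-/vicepa}"                 # partition on that server
HOME_ROOT="/afs/$CELL/home"                     # where home volumes are mounted
QUOTA_KB="${QUOTA_KB:-2000000}"                 # volume quota in KB (~2 GB)
DRYRUN="${DRYRUN:-}"                            # set to 1 to only print commands

# Every privileged command goes through run(); with DRYRUN set it is printed
# instead of executed, which also makes the plan easy to review.
run() {
    if [ -n "$DRYRUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# LDIF for a posixAccount whose credential lives in the KDC: there is
# deliberately no userPassword attribute, so LDAP only answers uid/gid/home
# lookups and cannot be used to bypass Kerberos.
ldif_for_user() {
    user=$1; uid=$2; gecos=$3
    cat <<EOF
dn: uid=$user,ou=People,$BASE_DN
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $user
cn: $gecos
sn: ${gecos##* }
uidNumber: $uid
gidNumber: $uid
homeDirectory: $HOME_ROOT/$user
loginShell: /bin/bash
EOF
}

# adduser_afs <user> <uid> "<full name>" <initial password>
adduser_afs() {
    user=$1; uid=$2; gecos=$3; initpw=$4

    # 1. LDAP entry (POSIX identity)
    ldif=$(mktemp)
    ldif_for_user "$user" "$uid" "$gecos" >"$ldif"
    run ldapadd -x -D "$LDAP_ADMIN" -y "$LDAP_SECRET" -f "$ldif"
    rm -f "$ldif"

    # 2. Kerberos principal; +needchange forces a new password at first login.
    #    Caveat: -pw puts the password in argv (visible in ps); on a shared
    #    admin host use kadmin's interactive prompt instead.
    run kadmin.local -q "addprinc +needchange -pw $initpw $user@$REALM"

    # 3. AFS protection-database user; reusing the POSIX uid as the pts id
    #    keeps the two namespaces aligned.
    run pts createuser -name "$user" -id "$uid" -cell "$CELL"

    # 4. Home volume, mounted under /afs/<cell>/home, with the user as owner
    #    (new volumes already grant system:administrators all).
    run vos create -server "$AFS_SERVER" -partition "$AFS_PART" \
        -name "user.$user" -maxquota "$QUOTA_KB" -cell "$CELL"
    run fs mkmount -dir "$HOME_ROOT/$user" -vol "user.$user"
    run fs setacl -dir "$HOME_ROOT/$user" -acl "$user" all
}

# deluser_afs <user>: same steps in reverse order.
deluser_afs() {
    user=$1
    run fs rmmount -dir "$HOME_ROOT/$user"
    run vos remove -server "$AFS_SERVER" -partition "$AFS_PART" \
        -id "user.$user" -cell "$CELL"
    run pts delete -nameorid "$user" -cell "$CELL"
    run kadmin.local -q "delprinc -force $user@$REALM"
    run ldapdelete -x -D "$LDAP_ADMIN" -y "$LDAP_SECRET" "uid=$user,ou=People,$BASE_DN"
}

case "${1:-}" in
    add) shift; adduser_afs "$@" ;;
    del) shift; deluser_afs "$@" ;;
    *)   [ $# -eq 0 ] || { echo "usage: $0 add USER UID 'FULL NAME' PASSWORD | del USER" >&2; exit 2; } ;;
esac
```

Run it as `DRYRUN=1 ./afsuser.sh add alice 10001 'Alice Example' s3cret` first to see the plan, then without DRYRUN as an AFS administrator with a token and with the KDC database reachable by kadmin.local. If the parent home volume is replicated, add a `vos release` of it after the mount-point change.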