[OpenAFS] Home directory in AFS

Charles Clancy security@xauth.net
Tue, 23 Apr 2002 01:32:04 -0500 (CDT)


> I was referring generally. As it is now, my SLAPd (LDAP server) needs
> ONE key tab, the PostgreSQL server ONE, and when (if) I start using
> Cyrus IMAP/POP daemon, they need ONE.

When you say "keytab" what keys are you inferring they contain?  Just host
principals of those machines?  If you mean to imply you're keeping the key
to an AFS admin user in those files, then I'd be a bit suspicious.  None
of those services should require AFS admin access.

> Todd> That's what we do; all our users are created through a web
> Todd> based front end.
>
> It has to be a specialised web tool. It has been agreed on the
> OpenLDAP list that it will probably never be a 'general LDAP web admin
> tool', since all (LDAP) databases differ so much, and it seems no one
> has bothered to write one that's general enough. They all assume
> that the DB looks a certain way...

Many people have created web interfaces specifically for managing user
accounts in their environment.  I know I have in the past.  These
interfaces have knowledge of all the different components surrounding a
user's account, and have access to update them all.  For example, I assume
you have a template LDIF you use when creating new users.  It could just
fill in the blanks, do an "ldapadd", do a "kadmin -q addprinc...", do the
"pts createu", and the various vos commands to create the home directory.

By no means am I suggesting a generic web-admin interface would be
appropriate.

> WHEN (if?) OpenLDAP has the possibility to store MIT KerberosV auth
> secrets, then I might go back...

The thought of LDAP-based pts data frightens people.  I wouldn't suggest
too loudly that they move Kerberos data there too.  It's not a feature you
should expect any time soon. :)

> I created all the user volumes yesterday. I ended up with 63 volumes!

That's nothing!  All this over 63 volumes?  You're not even wasting 300K
of drive space.

> Now, THAT is a good idea. Do the dump to a file, and then back that
> up with AFBackup... At least if I can't get my regular backup system
> and the AFS backup system to work together (on the same physical tape).

Many people do it this way.  It all depends on your environment.  Places
where pretty much all their data lives in AFS just use afsbackup.  Others
with most of their data not in AFS do the "vos dump" method.

> The thing is/was. I didn't HAVE a user add script! I didn't NEED one.

Well, with AFS you definitely need one.  There are so many different things
associated with a user, trying to manage things without scripts to add and
remove users is painful.  There's a (deprecated) tool called "uss" that
was designed to manage accounts in AFS.  I stopped using it over 4 years
ago.  I don't think anyone else out there is really using it either.  It
certainly doesn't support K5.

The impression I get is that your lofty goal is to be able to do all user
management from this LDAPExplorer.  I can certainly appreciate the
simplicity of this; however, if you plan to use AFS, you shouldn't expect
such compatibility unless you put in a lot of development hours rewriting
major portions of the way AFS works.

Also... about half the responses I've sent bounce back and sit in my
sendmail queue for a while before they can be delivered.  Is
papadoc.bayour.com's mail server frequently offline?

[  t charles clancy  ]-[  tclancy@uiuc.edu  ]-[  uiuc.edu/~tclancy  ]
[  crypto  ][  coordinated science lab  ][  university of illinois  ]