[OpenAFS] LDAP-AFS interaction (best practice?)
Stephen Joyce
stephen@physics.unc.edu
Sun, 19 Apr 2009 22:34:52 -0400 (EDT)
My department is rather small (under 500 users), and until now we've gotten
by without a real directory service. We currently use cfengine and custom
scripts to manage /etc/passwd by sourcing a central file and checking AFS
PTS group memberships to build the local file hourly.
For a number of reasons (among them better/easier MacOS and mobile Linux
client support), I've been planning an LDAP (openldap) directory service.
I've been reading _LDAP System Administration_ (O'Reilly) and _Distributed
Services with Openafs_ (Springer), which I won't review here. :-) If there
are other recommended "must reads", please let me know.
I've noticed that the OpenAFS roadmap,
<http://www.openafs.org/roadmap.html> has a section of LDAP integration,
and it mentions a couple of past projects, but has no definite advice.
What's the current best practice for using LDAP in an OpenAFS environment?
I primarily want to leverage LDAP for directory info for managed
workstations, for our web directory, ane either continue using AFS PTS
groups o(r LDAP groups) for workstation authorization for restricted-access
workstations.
Does anyone have advice for things to look out for as I proceed? I want to
avoid shooting myself in the foot, if possible--especially respecting any
LDAP/PTS interaction in future versions of OpenAFS.
Cheers, Stephen