On Mon, May 28, 2007 at 08:38:02AM -0300, Martin Marques wrote:
> I was looking at openldap to change my old lan that is working with NIS and
> NFS to have an LDAP with some secure authentication system. All this on
> CentOS.
>
> Should I look at Directory server?

Directory Server has a very powerful access control mechanism[1], and supports
multi-master replication. However, openldap has a more intelligent schema
parser. Directory Server's schemas are strict LDIF, and you'll need to convert
most schemas to its format (samba's, bind's, etc.). It's not hard, and there
are some scripts that help with that[2].

> I see it has a graphical interface to configure, which is pretty good
> (haven't seen anything like that in LDAP).

Fedora Directory Server 1.0.x includes the graphical admin console; the new
1.1.x, which follows the FHS and uses the system's packages (like dbx, nss,
nspr), didn't the last time I checked. But it's a work in progress, so that
might have changed in the meantime. But I haven't used the graphical console,
so I can't comment about that.

I'm using FDS for replicated dns, users and dhcp servers, and also for an
internal Xen control script that uses ldap. If you want to store only user
information, without replication, then openldap is good enough.

[1] Here are the ACIs that I'm using, which allow a specific user to change
all users' passwords (including for samba), and another specific user to read
them:

# Users
dn: ou=Users, dc=dc, dc=aeiou, dc=pt
ou: Users
objectClass: top
objectClass: organizationalUnit
aci: (target="ldap:///uid=*,ou=Users,dc=sample,dc=com")(targetattr=*)(version 3.0;acl "user manager"; allow (read,write,add,delete,search,compare) userdn="ldap:///uid=uman,ou=Users,dc=sample,dc=com";)
aci: (targetattr="sambaLMPassword || sambaNTPassword")(version 3.0;acl "vpn info access"; allow (read,search,compare) userdn="ldap:///uid=radius, ou=Users,dc=sample,dc=com"; deny (read,search,compare) (userdn!="ldap:///uid=radius,ou=Users,dc=sample,dc=com" and userdn!="ldap:///uid=uman,ou=Users,dc=sample,dc=com");)

[2] http://directory.fedoraproject.org/download/ol-schema-migrate.pl

-- 
lfr
0/0
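An added example, not from the post and not Directory Server's own code: it parses the two ACIs above and evaluates them under a simplified model of 389/Fedora DS semantics (default deny; a matching deny overrides every allow), so you can check who ends up able to read or change the samba hashes before loading the LDIF. The `uid=alice` entry is constructed, and matching `*` in DNs with `fnmatch` is an assumption that ignores the finer points of the real ACI engine.

```python
import re
from fnmatch import fnmatch

# Constructed copies of the two ACIs from the post (same sample DNs; whitespace only).
ACI_USER_MANAGER = ('(target="ldap:///uid=*,ou=Users,dc=sample,dc=com")(targetattr=*)'
                    '(version 3.0;acl "user manager"; allow (read,write,add,delete,search,compare) '
                    'userdn="ldap:///uid=uman,ou=Users,dc=sample,dc=com";)')
ACI_VPN = ('(targetattr="sambaLMPassword || sambaNTPassword")(version 3.0;acl "vpn info access"; '
           'allow (read,search,compare) userdn="ldap:///uid=radius, ou=Users,dc=sample,dc=com"; '
           'deny (read,search,compare) (userdn!="ldap:///uid=radius,ou=Users,dc=sample,dc=com" '
           'and userdn!="ldap:///uid=uman,ou=Users,dc=sample,dc=com");)')

def norm(dn):
    """Normalise a DN for comparison: drop the ldap:/// prefix, spaces after commas, case."""
    return re.sub(r",\s+", ",", dn.replace("ldap:///", "")).lower()

def parse_aci(aci):
    """Parse only the ACI subset used in the post: target, targetattr, allow/deny userdn rules."""
    target = re.search(r'\(target="([^"]+)"\)', aci)
    attrs = re.search(r'\(targetattr="?([^")]+)"?\)', aci).group(1).strip()
    body = aci.split(";", 2)[2]  # everything after 'acl "<name>";'
    rules = []
    for kind, rights, bind in re.findall(r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);', body):
        clauses = re.findall(r'userdn\s*(!?=)\s*"([^"]+)"', bind)  # joined with 'and' in the post
        rules.append((kind, {r.strip() for r in rights.split(",")}, clauses))
    return {"target": norm(target.group(1)) if target else None,
            "attrs": None if attrs == "*" else {a.strip().lower() for a in attrs.split("||")},
            "rules": rules}

def bind_matches(clauses, binddn):
    """True when every userdn clause holds; '*' in a DN is a wildcard (fnmatch, a simplification)."""
    return all((op == "=") == fnmatch(norm(binddn), norm(dn)) for op, dn in clauses)

def permitted(acis, binddn, entry, attr, right):
    """Simplified 389 DS evaluation: default deny, and any matching deny beats every allow."""
    allowed = False
    for aci in acis:
        if aci["target"] and not fnmatch(norm(entry), aci["target"]):
            continue
        if aci["attrs"] is not None and attr.lower() not in aci["attrs"]:
            continue
        for kind, rights, clauses in aci["rules"]:
            if right in rights and bind_matches(clauses, binddn):
                if kind == "deny":
                    return False
                allowed = True
    return allowed

ACIS = [parse_aci(ACI_USER_MANAGER), parse_aci(ACI_VPN)]
ALICE = "uid=alice,ou=Users,dc=sample,dc=com"  # constructed ordinary user entry
```

Note that the second ACI's deny only covers the two samba attributes it targets; an ordinary user's other attributes are protected solely by the default deny, so any further ACIs you add for them need the same review.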