SUMMARY: Hybrid user authentication?

From: Sal Serafino <>
Date: Thu Jun 12 2003 - 11:27:17 EDT
Hi Gurus-

Many thanks to Pete Bentley, Karl Vogel, Bertand Hutin, and Karen van der Ploeg 
for their comments.  Karen gets extra credit for guessing the software vendor in 
addition to providing a solution.

The general consensus is to dump the ldap password table and parse it into both 
/etc/passwd and /etc/shadow on a regular basis.  These files could then be 
rsync'd to provide synchronization of passwords across all the servers.  A PC 
tech I know suggested using the /etc/passwd and /etc/shadow files of one 
particular server to push the data nightly to the LDAP server and the other 
boxes.  There's proof that something works "backwards" ;)

Many thanks to all,

Original Posting:    
    Date: Wed, 11 Jun 2003 13:30:39 -0400 (EDT)

    Hi Gurus-

    I'm sorry this is lengthy, but I have to give you details.

    The History:  We have an intense application with multiple data areas and
    environments that has rapidly expanded and now includes three portals and
    four servers.  Each portal uses the same LDAP service for ACLs via
    user/passwd authentication at the web server level, and then connects to any
    of the four hosts based on the requested URL.  An intermediate connector on
    the application servers map the LDAP user to a UNIX user with consistency.
    Outside of some UNIX username/uid mismatches from one machine to the other,
    it all seems straight forward.  We are using NIS+ -- a migration to LDAP is
    in the works.  The problem is not about setting up or using LDAP and/or NIS+
    at the Solaris level.

    The Problem:  The application handles security using internals that read
    /etc/passwd rather than call getpwnam() or equivalent.  The software vendor
    currently does not support any type of centralized naming service.  There
    are "rumors" that the next release "may" include such support, but it will
    not be available for at least a year or more.  If I went NIS+ or LDAP on
    these servers to synchronize UNIX accounts, /etc/passwd would not contain
    user names, and the application could not do security checks.  There is no
    method I know of for synchronizing users between these four hosts and the
    directory server.  This has become a huge monster in only the last month and
    a half.

    Does anyone have any ideas on how to get /etc/passwd populated and
    synchronize /etc/shadow with LDAP?  I will do LDAP to NIS+ to YP hacks if
sunmanagers mailing list
Received on Thu Jun 12 11:30:18 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:14 EST