1

For a few years, we used OpenLDAP, but nothing really depended on it. We could have integrated it better with Kerberos and done a few interesting things with it, but its worth proved marginal and the volunteer interested in it moved onto other things. We currently don't have GECOS info available for AFS users in a form that UNIX services can use; for that reason alone we might want to use LDAP in the future.

For history:

We use LDAP as a members information directory to be looked up by hand, no services consult it.

For serving user metadata, we use libnss-afs which pulls that information from AFS PTS database. However, the PTS is not really intended for this, so it doesn't provide space for user's supplementary Unix groups, GECOS fields etc.

So we keep this information (real names, primarily, but UID/GID etc. as well) in LDAP, although only members' real name is ever looked up there. The "finger" command has been hacked slightly to obtain all info from AFS PTS, then query LDAP for real name, and then display results in an integrated "finger" output.

So, we could say that LDAP is only marginally used in our setup, but I expect we will rely on it more as our infrastructure expands and HCoop service grows in richness.


CategorySystemAdministration