Since I'm the "nobody knows what he does" guy...

Nov 04, 2006 20:25

I figured I'd share with my many, many dedicated readers one of the little projects I'm working on..

I'm a Unix administrator in charge of several geographically distant sites. Each site has its own Unix box, along with a whole slew of Windoze boxen doing Windows things. (I don't know, I don't do the Windows stuff.) As it stands now, we're using flat files (i.e. passwd and shadow) for authentication, which is fine if each site's users need only log in to that site. Problem is, each site's users have to log in to each other site's server. And THAT means creating logins on each server, which is a pain in the ass, even after automating it as much as possible.

After reviewing all the possible options, and disregarding all of my suggestions, we've decided on using OpenLDAP. (No, I'm actually not annoyed by that, it's just a decision the team made, so here we go...) After setting up a main LDAP server, and setting up a client on a test box, it worked fine, including failover. Each 'client' is actually a slave server, receiving updates from the master server. So when the master server goes down for any reason, i.e. network connectivity loss, each Unix server can continue to authenticate via itself.

After setting up an actual production client and populating the master LDAP server with real accounts, we scheduled a time with the remote site to do some off-hours testing. The idea was to have some people log in with the LDAP setup, then take down the master server, and try the test again. It should've Just Worked(TM). So, of course, it didn't.

No idea why. *I* could log in, and my account existed in flat files and in the LDAP directory. A test account which existed only in the LDAP directory could log in. Nobody else could. Turned on some debugging options and tried again, so at least I got a whole pile of detailed log files. Since it was getting close to production time, I had to back out of everything so the staff could log in normally.
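One check that narrows a hunt like the one above, before wading into debug-level logs, is to cross-check which login names exist in the flat files, which exist in the directory, and whether the UIDs agree for the ones that appear in both: an account that is only in LDAP, one that is only in passwd, and one that is in both with a mismatched uidNumber will each fail (or succeed) for different reasons. This is an added example, not the author's script; the passwd lines and LDIF dump below are constructed, and the ou=People,dc=example,dc=com naming is assumed.

```python
"""Cross-check account sources from offline copies of /etc/passwd and an
LDIF dump of the directory (e.g. the output of slapcat or ldapsearch).
Added example with constructed sample data; no live LDAP server is needed."""
import re

# Constructed passwd(5) lines: root is flat-file only, alice and bob are in both.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
"""

# Constructed LDIF dump: carol is LDAP only, bob's uidNumber disagrees with passwd.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 1003

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 2002
"""


def passwd_users(text):
    """Map login name -> numeric uid from passwd-format text.
    Blank, comment and malformed (fewer than 7 fields) lines are skipped."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) < 7:
            continue
        users[fields[0]] = int(fields[2])
    return users


def _unfold(block):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for line in block.splitlines():
        if line.startswith(' ') and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def ldif_users(text):
    """Map uid -> uidNumber for every posixAccount entry in an LDIF dump.
    Base64 (::) and URL (:<) attribute values are skipped, not decoded."""
    users = {}
    for block in re.split(r'\n\s*\n', text.strip()):
        attrs = {}
        for line in _unfold(block):
            if line.startswith('#') or ':' not in line:
                continue
            key, _, value = line.partition(':')
            if value.startswith(':') or value.startswith('<'):
                continue
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = [c.lower() for c in attrs.get('objectclass', [])]
        if 'posixaccount' in classes and 'uid' in attrs:
            uid_number = attrs.get('uidnumber', [None])[0]
            users[attrs['uid'][0]] = int(uid_number) if uid_number is not None else None
    return users


def compare_sources(passwd_text, ldif_text):
    """Return which names are flat-file only, LDAP only, in both, and
    which of the shared names have a different uid in the two sources."""
    flat = passwd_users(passwd_text)
    ldap = ldif_users(ldif_text)
    both = sorted(set(flat) & set(ldap))
    return {
        'flat_only': sorted(set(flat) - set(ldap)),
        'ldap_only': sorted(set(ldap) - set(flat)),
        'both': both,
        'uid_mismatch': sorted(u for u in both if flat[u] != ldap[u]),
    }


if __name__ == '__main__':
    for category, names in compare_sources(SAMPLE_PASSWD, SAMPLE_LDIF).items():
        print(f'{category:13s}: {", ".join(names) or "-"}')
```

Run it against a real /etc/passwd and a slapcat dump by swapping the two constructed strings for file contents; a name in uid_mismatch is worth checking first, since NSS will resolve it differently depending on whether the flat file or the directory wins the lookup order.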

So now on Monday, I look forward to sifting through debug-level log files, comparing patch levels on both servers (a stupid-ass oversight on my part), comparing configuration files, yadda yadda.

I know, it's very exciting and glamorous.