LDAP for Unix

An item that has been on our project list for some time is to see if we can convert our Solaris logins (titan) to use our eDir information. With the LDAP PAM and NSS modules this is quite doable. The trick would be mapping current usage to new usage, which would require somehow transferring the UID/GID information from the existing NIS maps into eDir (as the posixAccount uidNumber/gidNumber attributes). Among other things.

It looks like anyone with write access to the "uidNumber" attribute can set it to an arbitrary integer. Such as, oh, zero. The Unix side takes that number at face value, so a uidNumber of 0 is root on every box that trusts the directory for its user database. As you can well imagine, such awesome power needs to be used wisely. I can tell that this information will likely scuttle the project, since the Solaris admins and the Novell/MS admins are different folks who each guard their respective administrative interfaces zealously. The prospect of the Novell/MS admins being able to gain root on the Solaris boxes at the flick of a checkbox will not be met gladly.
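The practical check this suggests, as an added example and not anything from the original post: before a Unix host is pointed at the directory, audit the exported posixAccount entries for uidNumber/gidNumber values that would grant root, collide with local system accounts, or duplicate one another. The script parses a small LDIF export constructed here for illustration; the entry names, the reserved-account table and the UID floor of 1000 are assumptions to be replaced with the host's own /etc/passwd and policy.

```python
"""Audit posixAccount entries exported from a directory before a Unix host
trusts them through the LDAP NSS/PAM modules.

Added example, not code from the original post. The LDIF below is
constructed for illustration; RESERVED_UIDS and MIN_UID are assumptions.
"""
import base64
import re
from collections import defaultdict

# Constructed sample export; the DNs and names are made up for this example.
SAMPLE_LDIF = """\
dn: cn=jsmith,ou=users,o=example
objectClass: posixAccount
uid: jsmith
uidNumber: 10234
gidNumber: 10000
homeDirectory: /home/jsmith

dn: cn=rjones,ou=users,o=example
objectClass: posixAccount
uid: rjones
uidNumber: 0
gidNumber: 0
homeDirectory: /home/rjones

dn: cn=dbapp,ou=services,o=example
objectClass: posixAccount
uid: dbapp
uidNumber: 10234
gidNumber: 1
homeDirectory: /srv/dbapp

dn: cn=svc,ou=services,o=example
objectClass: posixAccount
uid: svc
uidNumber: 2
gidNumber: 10000

dn: cn=broken,ou=users,o=example
objectClass: posixAccount
uid: broken
uidNumber: abc
gidNumber: 600
"""

# Assumed local accounts the host must keep authoritative (from /etc/passwd).
RESERVED_UIDS = {0: "root", 1: "daemon", 2: "bin", 3: "sys"}
MIN_UID = 1000  # assumed floor for directory-managed UIDs and GIDs
DISPLAY = {"uidnumber": "uidNumber", "gidnumber": "gidNumber"}
ROOT_LABEL = {"uidnumber": "root", "gidnumber": "root group"}


def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, leading-space continuations, and '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # join continuation onto previous line
        else:
            unfolded.append(line)
    entries, current = [], defaultdict(list)
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m or line.startswith("#"):
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current[attr.lower()].append(value)
    if current:
        entries.append(dict(current))
    return entries


def audit_posix_entries(entries, reserved=RESERVED_UIDS, min_uid=MIN_UID):
    """Return (dn, finding) tuples for every dangerous uidNumber/gidNumber."""
    findings, seen_uid = [], {}
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        if "posixaccount" not in {c.lower() for c in e.get("objectclass", [])}:
            continue  # not a Unix account, NSS will never map it
        for attr in ("uidnumber", "gidnumber"):
            name, raw = DISPLAY[attr], e.get(attr)
            if not raw:
                findings.append((dn, f"missing {name}"))
                continue
            try:
                n = int(raw[0])
            except ValueError:
                findings.append((dn, f"non-integer {name} {raw[0]!r}"))
                continue
            if n == 0:  # the case from the post: 0 is root however it got there
                findings.append((dn, f"{name} is 0 ({ROOT_LABEL[attr]})"))
            elif attr == "uidnumber" and n in reserved:
                findings.append((dn, f"{name} {n} collides with local {reserved[n]}"))
            elif n < min_uid:
                findings.append((dn, f"{name} {n} below floor {min_uid}"))
            if attr == "uidnumber":  # two entries sharing a UID are one Unix user
                if n in seen_uid:
                    findings.append((dn, f"duplicate uidNumber {n} (also {seen_uid[n]})"))
                else:
                    seen_uid[n] = dn
    return findings


def audit_ldif(text):
    return audit_posix_entries(parse_ldif(text))


if __name__ == "__main__":
    for dn, msg in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {msg}")
```

Run against a real `ldapsearch -LLL` export of the posixAccount subtree. The audit only catches what is in the directory at the moment it runs; the host-side complement is a floor on the UIDs the NSS client will honour (sssd's `min_id`, nslcd's `nss_min_uid`), which stops a host from handing out root even if someone later writes 0 into the attribute, but does nothing about the write itself.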

On the other hand, when we start setting up OES-Linux boxes managed by the Novell/MS guys, having such information will be peachy. In fact, it'll be nifty. With a bit of work we can use eDir groups to manage access on these OES-Linux application servers. The functionality on titan will stay there; the folks who'd end up working on OES-Linux are most probably developers working on databases and web servers. Regular old end-users wouldn't get involved in this.

So while the original intent of the project probably won't happen, some good will come out of it anyway.