21:16 Wednesday, September 09 2007

converting to LDAP

At work, I'm responsible for maintaining an ever-increasing number of Linux systems that developers use for their work. I inherited two of them, and have added/built the others. Unfortunately, the mechanism for user/authentication management thus far has been /etc/passwd copied between the systems (thankfully I built an NFS server for /home several months ago). Needless to say, manually creating accounts on multiple systems is a huge PITA, and on top of that, the developers are always getting the passwords between the systems confused. Finally, I had enough, and decided to centralize the accounts using LDAP. Getting it all set up took about 1 day of work (I did a test/dry run first to work the kinks out of the process). This guide provided me with about 90% of what I needed to know to convert everything over and get up & running.
A few of the things that I learned in the process were:
* /lib/security/pam_mkhomedir.so: this is an awesome PAM module which automatically creates a $HOME for any user who doesn't have one when they log in for the first time on a system. All I needed to do was add the appropriate entry to /etc/pam.d/sshd, restart sshd, and it was done.
* Turns out that crond needed to be restarted to become aware of the LDAP accounts. I learned this the hard way when a developer pointed out this morning that none of his cronjobs ran overnight (they just didn't run at all).
* For LDAP management, I ended up going with a decent tool called Luma. Ideally, I wanted a CLI tool that would make it easy to add/modify/delete accounts, but everything that I found was crappy, undocumented, or unmaintained. I also needed something that would autodetect the next unused UID (surprisingly, most tools don't do this, which kinda boggles my mind).
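The "next unused UID" piece that the post says most tools lack is small enough to script. The following is an added example, not code from the original post and not part of Luma: it parses the LDIF that `ldapsearch -x -LLL` prints for posixAccount entries, picks the next free uidNumber, and emits the LDIF for a new account. The base DN `dc=example,dc=com`, the `ou=People` container, the UID range 1000-60000 and the sample directory contents are all constructed assumptions; the real directory is only consulted if you call `fetch_ldif()` yourself.

```python
"""Find the next unused uidNumber in an LDAP directory and build the LDIF
for a new posixAccount.

Added example (not from the original post or from Luma). Assumptions:
  - users live under ou=People,dc=example,dc=com (placeholder base DN)
  - system accounts use UIDs below 1000, so new users get 1000..60000
  - SAMPLE_LDIF below is constructed, standing in for real ldapsearch output
"""
import re
import subprocess
from typing import Set

BASE_DN = "dc=example,dc=com"   # placeholder, replace with your suffix
UID_MIN = 1000                  # assumption: local/system accounts are < 1000
UID_MAX = 60000

# Constructed sample of:
#   ldapsearch -x -LLL -b "$BASE_DN" "(objectClass=posixAccount)" uidNumber gidNumber
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uidNumber: 1000
gidNumber: 1000

dn: uid=bob,ou=People,dc=example,dc=com
uidNumber: 1001
gidNumber: 1001

dn: uid=carol,ou=People,dc=example,dc=com
uidNumber: 1003
gidNumber: 1003

"""

# POSIX-style login name: starts with a letter or underscore, max 32 chars.
# Rejecting anything else also keeps newlines/colons out of the generated LDIF,
# so a caller cannot smuggle extra attributes in through the username.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def fetch_ldif(base_dn: str = BASE_DN) -> str:
    """Run ldapsearch (simple bind, plain LDIF output) and return its stdout.
    Not called by the stand-alone demo; it needs a reachable directory."""
    cmd = ["ldapsearch", "-x", "-LLL", "-b", base_dn,
           "(objectClass=posixAccount)", "uidNumber", "gidNumber"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_uid_numbers(ldif: str) -> Set[int]:
    """Collect every uidNumber attribute value from LDIF text."""
    return {int(m) for m in re.findall(r"^uidNumber:\s*(\d+)\s*$", ldif, re.M)}


def next_free_uid(used: Set[int], uid_min: int = UID_MIN, uid_max: int = UID_MAX,
                  fill_gaps: bool = False) -> int:
    """Return the next unused uidNumber in [uid_min, uid_max].

    Default policy is "highest in use + 1": a UID freed by deleting a user is
    not handed straight to the next hire, so files they left on the NFS /home
    do not silently change owner. fill_gaps=True returns the lowest free
    number instead, which is what most 'next UID' tools do."""
    in_range = [u for u in used if uid_min <= u <= uid_max]
    if fill_gaps or not in_range:
        uid = uid_min
        while uid in used:
            uid += 1
    else:
        uid = max(in_range) + 1
    if uid > uid_max:
        raise RuntimeError("no free uidNumber left in range")
    return uid


def new_user_ldif(username: str, uid: int, gid: int = None,
                  base_dn: str = BASE_DN, shell: str = "/bin/bash") -> str:
    """Build the LDIF for ldapadd. The password is deliberately left out:
    set it afterwards with ldappasswd so it is hashed by the server rather
    than written in clear text into a file."""
    if not USERNAME_RE.match(username):
        raise ValueError("unsafe username: %r" % username)
    gid = uid if gid is None else gid   # user-private group by default
    lines = [
        "dn: uid=%s,ou=People,%s" % (username, base_dn),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "cn: %s" % username,
        "uid: %s" % username,
        "uidNumber: %d" % uid,
        "gidNumber: %d" % gid,
        "homeDirectory: /home/%s" % username,
        "loginShell: %s" % shell,
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Swap SAMPLE_LDIF for fetch_ldif() to run against a live directory.
    used = parse_uid_numbers(SAMPLE_LDIF)
    uid = next_free_uid(used)
    print(new_user_ldif("dave", uid))
```

Pipe the output into `ldapadd -x -D "cn=admin,$BASE_DN" -W` to create the entry, then set the password with `ldappasswd`; with pam_mkhomedir in place the home directory appears on first login.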