On Sat, 2011-12-10 at 16:20 +0000, mike cloaked wrote:
> On Sat, Dec 10, 2011 at 3:37 PM, Genes MailLists <lists@xxxxxxxxxxxx> wrote:
> > On 12/10/2011 10:29 AM, johnc0102@xxxxxxxxxxx wrote:
> >> I maintain a server with a number of users, and just recently upgraded to
> >> Fedora 16 from Fedora 11. I did a clean install so all of the users now have
> >> to reset their passwords. The question I have is: what is the preferred method
> >> of managing user passwords so that their passwords will carry over to the new
> >> installation? Should I set up a NIS server on the machine? Would that maintain
> >> the passwords across the upgrades?
> >
> > You could - or you could use LDAP (preferred but more complicated) or
> > the simplest is you could keep the user parts of
> >
> >   /etc/password
> >   shadow
> >   group
> >   gshadow
> >
> > and edit them back into the fresh install files.
>
> I guess if there are only a few machines involved with the same small
> set of users then copying back the relevant sections of the files
> mentioned is relatively painless - but if the user base grows and
> there are many more machines it would become desirable to move to a
> central user auth system - like LDAP - in the past I have tried to
> look through the documentation with a view to implementing an LDAP
> scheme - such as 389 Directory Server - but I found that documentation
> was (for me) rather difficult to digest to a stage where I could
> easily get started - I wonder if anyone knows a good source of online
> advice to offer a "starter" guide to implementing 389? Would be really
> useful.
----
There is no open source magic bullet for LDAP, primarily because there is no one way, since LDAP is quite a pliable system. On the other hand, if you adopt Microsoft Active Directory the LDAP setup is hard wired.

Essentially 389 server (formerly known as Fedora Directory Server) is pre-wired and if you just run with it, you will get a setup with a prescribed structure for users and groups which is fine and reasonably easy to use with their Java-based console.

The problem is not really just LDAP though - because you can get going relatively easily with the 389 server but then you have to figure out how to wire in things like user authentication and eventually it becomes evident that LDAP wasn't really designed to do authentication but rather there are other elements of the OS that can obtain user/group authentication bits from LDAP but must be configured separately and are not at all part of LDAP.

Personally, I use OpenLDAP but did use Fedora Directory Server in the past and found it eminently usable and in some ways, perhaps easier than OpenLDAP, but I'm more into the freedom and feature set of OpenLDAP. At some point though, I may just switch because FreeIPA is getting very close to becoming really useful.

For a single system with just a few users, LDAP is complete overkill and hardly worth the time it would take to master. I only use LDAP for single server networks because I am quite comfortable with LDAP and actually use it for other things than just Linux user authentication.

Craig
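The file-copy approach suggested earlier in the thread (keeping the user parts of passwd, shadow, group and gshadow and editing them back into the fresh install), as an added example that is not part of the original messages. The function names, the `id_min=500` and `id_max=60000` bounds and all sample account lines are assumptions made for illustration; the same `merge` call works for group plus gshadow.

```python
# Added example: account lines are constructed, hashes are placeholders.
def entries(text):
    """Map the first colon-separated field (the name) to its full line."""
    return {l.split(":", 1)[0]: l for l in text.splitlines()
            if l.strip() and not l.startswith("#")}

def merge(old_db, new_db, old_secret, new_secret, id_min, id_max=60000):
    """Merge passwd+shadow (or group+gshadow) text of an old install into a fresh one.

    An entry is carried over only if its numeric ID (third field of passwd/group)
    lies in [id_min, id_max] and neither its name nor its ID is already taken on
    the fresh install. Returns (merged_db, merged_secret, skipped_names).
    """
    new = entries(new_db)
    used_ids = {line.split(":")[2] for line in new.values()}
    old_sec = entries(old_secret)
    db_out, sec_out, skipped = new_db.splitlines(), new_secret.splitlines(), []
    for name, line in entries(old_db).items():
        num = line.split(":")[2]
        if not num.isdigit() or not id_min <= int(num) <= id_max:
            continue  # system account: keep the fresh install's own entry
        if name in new or num in used_ids:
            skipped.append(name)  # collision: resolve by hand, never overwrite
            continue
        db_out.append(line)
        used_ids.add(num)
        if name in old_sec:
            sec_out.append(old_sec[name])  # the hash travels with its account
    return "\n".join(db_out) + "\n", "\n".join(sec_out) + "\n", skipped

# Constructed sample data. id_min=500 is an assumption about the old install;
# read the real value from UID_MIN/GID_MIN in its /etc/login.defs.
OLD_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "alice:x:500:500::/home/alice:/bin/bash\n"
              "bob:x:501:501::/home/bob:/bin/bash\n"
              "nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin\n")
OLD_SHADOW = ("root:$6$OLD$placeholder-root:15000:0:99999:7:::\n"
              "alice:$6$OLD$placeholder-alice:15000:0:99999:7:::\n"
              "bob:$6$OLD$placeholder-bob:15000:0:99999:7:::\n")
NEW_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "bob:x:1000:1000::/home/bob:/bin/bash\n")  # created by the installer
NEW_SHADOW = ("root:$6$NEW$placeholder-root:15318:0:99999:7:::\n"
              "bob:$6$NEW$placeholder-bob:15318:0:99999:7:::\n")

def demo():
    return merge(OLD_PASSWD, NEW_PASSWD, OLD_SHADOW, NEW_SHADOW, id_min=500)

if __name__ == "__main__":
    passwd, shadow, skipped = demo()
    print(passwd, shadow, "skipped (resolve by hand):", skipped, sep="\n")
```

Run `pwck` and `grpck` on the merged files before putting them in place, and keep shadow and gshadow readable by root only. Carrying the old numeric IDs over unchanged also keeps file ownership under the restored home directories intact.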