Maintaining Users Passwords Through an Upgrade

Craig White craigwhite at azapple.com
Sat Dec 10 17:30:51 UTC 2011


On Sat, 2011-12-10 at 16:20 +0000, mike cloaked wrote:
> On Sat, Dec 10, 2011 at 3:37 PM, Genes MailLists <lists at sapience.com> wrote:
> > On 12/10/2011 10:29 AM, johnc0102 at verizon.net wrote:
> >> I maintain a server with a number of users, and just recently upgraded to
> >> Fedora 16 from Fedora 11. I did a clean install so all of the users now have
> >> to reset their passwords. The question I have is: what is the preferred method
> >> of managing user passwords so that their passwords will carry over to the new
> >> installation? Should I set up a NIS server on the machine? Would that maintain
> >> the passwords across the upgrades?
> >>
> >
> >  You could - or you could use LDAP (preferred but more complicated) or
> > the simplest is you could keep the user parts of
> >
> >  /etc/passwd
> >       shadow
> >       group
> >       gshadow
> >
> >  and edit them back into the fresh install files.
> 
> I guess if there are only a few machines involved with the same small
> set of users then copying back the relevant sections of the files
> mentioned is relatively painless - but if the user base grows and
> there are many more machines it would become desirable to move to a
> central user auth system - like LDAP - in the past I have tried to
> look through the documentation with a view to implementing an LDAP
> scheme - such as 389 Directory Server - but I found that documentation
> was (for me) rather difficult to digest to a stage where I could
> easily get started - I wonder if anyone knows a good source of online
> advice to offer a "starter" guide to implementing 389? Would be really
> useful.
----
There is no open source magic bullet for LDAP, primarily because there is
no one way, since LDAP is quite a pliable system. On the other hand, if
you adopt Microsoft Active Directory, the LDAP setup is hard wired.

Essentially, 389 server (formerly known as Fedora Directory Server) is
pre-wired, and if you just run with it, you will get a setup with a
prescribed structure for users and groups which is fine and reasonably
easy to use with their Java-based console.

The problem is not really just LDAP though, because you can get going
relatively easily with the 389 server, but then you have to figure out
how to wire in things like user authentication, and eventually it becomes
evident that LDAP wasn't really designed to do authentication; rather,
there are other elements of the OS that can obtain user/group
authentication bits from LDAP but must be configured separately and are
not at all part of LDAP.

Personally, I use OpenLDAP but did use Fedora Directory Server in the
past and found it eminently usable and in some ways, perhaps easier than
OpenLDAP but I'm more into the freedom and feature set of OpenLDAP. At
some point though, I may just switch because FreeIPA is getting very
close to becoming really useful.

For a single system with just a few users, LDAP is complete overkill and
hardly worth the time it would take to master. I only use LDAP for
single server networks because I am quite comfortable with LDAP and
actually use it for other things than just Linux user authentication.

Craig
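The "simplest" option discussed above, carrying the regular-user lines of /etc/passwd, shadow, group and gshadow from the old installation into the fresh one, is easy to get wrong by hand: a user kept from the old box can collide with a UID or GID the new install has already handed out, and system accounts (UID below 1000) must not be copied because the new release owns them. The POSIX shell script below is an added example written for this page; it is not code from the thread or from any Fedora tool. It works on copies of the four files in a scratch directory, never on the live /etc, and it assumes (a constructed convention, matching the usual UID_MIN of 1000) that regular users have IDs in the range 1000..65533. All sample account lines and hashes inside `demo` are made up.

```shell
#!/bin/sh
# Added example: merge the regular-user entries of an old installation's
# passwd/shadow/group/gshadow into the fresh install's copies.
# Assumption (not from the thread): regular users have ids 1000..65533.

UID_MIN=1000
UID_MAX=65533

# has_name FILE NAME : true if a line in FILE has NAME as its first field.
has_name() { awk -F: -v n="$2" '$1==n{found=1} END{exit !found}' "$1"; }

# has_id FILE ID FIELD : true if any line in FILE has ID in column FIELD.
has_id() { awk -F: -v i="$2" -v f="$3" '$f==i{found=1} END{exit !found}' "$1"; }

# merge_by_id OLD NEW OUT FIELD
# OUT = NEW plus every OLD line whose numeric id (column FIELD, 3 for both
# passwd and group) is in the regular-user range, whose name is not already
# in NEW, and whose id is not already taken in NEW. Collisions are skipped
# and reported on stderr so the admin can renumber them deliberately.
merge_by_id() {
    old=$1 new=$2 out=$3 field=$4
    cp "$new" "$out"
    while IFS= read -r line; do
        name=${line%%:*}
        id=$(printf '%s\n' "$line" | awk -F: -v f="$field" '{print $f}')
        case $id in ''|*[!0-9]*) continue ;; esac      # malformed line
        [ "$id" -ge "$UID_MIN" ] && [ "$id" -le "$UID_MAX" ] || continue
        if has_name "$new" "$name"; then
            echo "skip $name: already present in $new" >&2; continue
        fi
        if has_id "$new" "$id" "$field"; then
            echo "skip $name: id $id already used in $new" >&2; continue
        fi
        printf '%s\n' "$line" >> "$out"
    done < "$old"
}

# merge_by_name OLD NEW REF OUT
# shadow/gshadow carry no numeric id, so copy the OLD line for every name
# that now exists in REF (the merged passwd or group) but not yet in NEW.
# Names NEW already has (root, system accounts) keep the new install's hash.
merge_by_name() {
    old=$1 new=$2 ref=$3 out=$4
    cp "$new" "$out"
    while IFS= read -r line; do
        name=${line%%:*}
        has_name "$ref" "$name" || continue
        has_name "$new" "$name" && continue
        printf '%s\n' "$line" >> "$out"
    done < "$old"
}

# demo: builds constructed sample files in a temp dir, merges them and
# prints the directory. bob (uid 1001) collides with carol on the new
# system and nobody (65534) is out of range, so both are left out.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd.old" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:Nobody:/:/sbin/nologin
EOF
    cat > "$d/passwd.new" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
carol:x:1001:1001:Carol:/home/carol:/bin/bash
EOF
    cat > "$d/shadow.old" <<'EOF'
root:$6$oldsalt$oldhash:15300:0:99999:7:::
alice:$6$salt1$hash1:15300:0:99999:7:::
bob:$6$salt2$hash2:15300:0:99999:7:::
EOF
    cat > "$d/shadow.new" <<'EOF'
root:$6$newsalt$newhash:15320:0:99999:7:::
carol:$6$salt3$hash3:15320:0:99999:7:::
EOF
    printf 'root:x:0:\nalice:x:1000:\nbob:x:1001:\n' > "$d/group.old"
    printf 'root:x:0:\ncarol:x:1001:\n' > "$d/group.new"
    printf 'root:::\nalice:!::\nbob:!::\n' > "$d/gshadow.old"
    printf 'root:::\ncarol:!::\n' > "$d/gshadow.new"
    merge_by_id "$d/passwd.old" "$d/passwd.new" "$d/passwd.merged" 3
    merge_by_id "$d/group.old" "$d/group.new" "$d/group.merged" 3
    merge_by_name "$d/shadow.old" "$d/shadow.new" "$d/passwd.merged" "$d/shadow.merged"
    merge_by_name "$d/gshadow.old" "$d/gshadow.new" "$d/group.merged" "$d/gshadow.merged"
    echo "$d"
}

if [ "${1-}" = "demo" ]; then dir=$(demo); cat "$dir/passwd.merged"; fi
```

Run it as `sh merge-accounts.sh demo` to see the merged passwd; on a real migration, point the functions at copies taken from the old disk and the new /etc, read the skip messages, and only then install the merged files with `vipw`/`vigr` or `pwck`/`grpck` to validate them. Home directories and ownership still have to follow the (possibly renumbered) UIDs, which is exactly the bookkeeping that makes a central directory attractive once more than a handful of machines are involved.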

