[1006] in athena10
Re: nss: hesiod -> ldap for groups?
daemon@ATHENA.MIT.EDU (Jacob Morzinski)
Tue Jan 27 14:19:06 2009
To: Geoffrey Thomas <geofft@mit.edu>
Cc: athena10@mit.edu
From: Jacob Morzinski <morzinski@MIT.EDU>
Date: Tue, 27 Jan 2009 14:18:08 -0500
In-Reply-To: <athena10:990@unknown-discuss-server> (Geoffrey Thomas's
message of "Mon, 26 Jan 2009 16:33:47 -0500 (EST)")
Message-ID: <w6m63k0sglr.fsf@horobi.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Geoffrey Thomas <geofft@MIT.EDU> writes:
> Hm, I'm not familiar with MIT's AD setup. Is the LDAP server
> win.mit.edu, or something else? I'm not sure how to bind to it to
> query and poke at it; there's no ldap/win.mit.edu keytab, and it
> seems not to accept simple authentication (-x).
My first impression is that AD on win.mit.edu does a better job
of holding useful information than ldap.mit.edu does.
Unfortunately, AD on win.mit.edu is awkward to access.
I had to build a local kerberized ldapsearch (actually, a local libsasl)
and hack my machine's krb5.conf to know that .win.mit.edu = WIN.MIT.EDU;
but this was a few years ago, and I've forgotten the precise details
of the bugs/warts I was working around.
With all that in place, I can query the AD on win.mit.edu.
Here is an example of a query and an example of the results.
(I've trimmed it to try to keep it readable.)
athena$ /var/local/ldap/bin/ldapsearch -h win.mit.edu -b ou=moira,dc=win,dc=mit,dc=edu cn=jmorzins info objectCategory member
# jmorzins, users, Moira, WIN.MIT.EDU
dn: CN=jmorzins,OU=users,OU=Moira,DC=WIN,DC=MIT,DC=EDU
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=WIN,DC=MIT,DC=EDU
# jmorzins, group, lists, Moira, WIN.MIT.EDU
dn: CN=jmorzins,OU=group,OU=lists,OU=Moira,DC=WIN,DC=MIT,DC=EDU
member: CN=jmorzins,OU=users,OU=Moira,DC=WIN,DC=MIT,DC=EDU
info: The Administrator of this list is: jmorzins
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=WIN,DC=MIT,DC=EDU
--
Jacob Morzinski jmorzins@mit.edu
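As an added example (not part of the message above, and not MIT's or Athena's own code): the LDIF that ldapsearch printed above, parsed into entries and reduced to the group-to-member-CN map that an nss group lookup against AD would need. The user entry and the list entry share the CN "jmorzins", so the filter on objectCategory is what tells them apart. The sample input is constructed from the quoted output; the function names are my own.

```python
import base64

# Constructed sample: the trimmed ldapsearch output quoted in the message above.
SAMPLE_LDIF = """\
# jmorzins, users, Moira, WIN.MIT.EDU
dn: CN=jmorzins,OU=users,OU=Moira,DC=WIN,DC=MIT,DC=EDU
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=WIN,DC=MIT,DC=EDU

# jmorzins, group, lists, Moira, WIN.MIT.EDU
dn: CN=jmorzins,OU=group,OU=lists,OU=Moira,DC=WIN,DC=MIT,DC=EDU
member: CN=jmorzins,OU=users,OU=Moira,DC=WIN,DC=MIT,DC=EDU
info: The Administrator of this list is: jmorzins
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=WIN,DC=MIT,DC=EDU
"""
def parse_ldif(text):
    """Parse LDIF into a list of {attr_lowercase: [values]} dicts; handles
    '#' comments, blank-line separators, folded lines and base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # RFC 2849 line folding
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):      # 'attr:: base64'
                value = base64.b64decode(value[1:].strip()).decode()
            current = current or {}
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def rdn_cn(dn):
    """CN of a DN's first RDN ('jmorzins' for 'CN=jmorzins,OU=...'), else None."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if attr.strip().upper() == "CN" else None

def group_members(entries):
    """Map AD group entries (objectCategory CN=Group,...) to sorted member CNs."""
    groups = {}
    for entry in entries:
        if entry.get("objectcategory", [""])[0].upper().startswith("CN=GROUP,"):
            members = (rdn_cn(m) for m in entry.get("member", []))
            groups[rdn_cn(entry["dn"][0])] = sorted(filter(None, members))
    return groups
```

Running group_members(parse_ldif(SAMPLE_LDIF)) yields {'jmorzins': ['jmorzins']}; a real nss backend would also need to map each member CN to a uid and the group to a gid, which the AD entry shown does not carry.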