[tech] LDAP authentication

Grahame Bowland UCC grahame at ucc.gu.uwa.edu.au
Fri Feb 21 00:10:26 WST 2003


Hi all,

We now have LDAP authentication. There is an OpenLDAP server 
running on mussel with all of our users in it. It supports 
bind operations against user records to verify passwords.

Tangerine (the iMac) is now doing LDAP authentication, 
although with an absolutely horrible wait to log in. The 
delay does not appear to be directly LDAP related; it seems 
to be doing NetInfo lookups, failing, then doing LDAP and 
then immediately working.

Once you have logged in, it all works fine: home directory, 
applications run, it's all good.

Details for people configuring LDAP authentication on UCC 
machines:
  * base DN is: o=The University Computer Club,c=AU
  * script to generate LDAP config: ~grahame/ldap/run.sh
  * currently populated from NIS

If you ssh into tangerine as a normal user it's fine: you'll 
have a home directory and there won't be timeouts. The problem 
seems to be with the GUI login application.

I'm trying to find out how people on campus are getting around
this, although I suspect most departments are running Apple's 
'OpenDirectory' LDAP server which gets around the problem 
by populating NetInfo too.

(The reason I did this: NIS is broken in 10.2 and won't be 
 fixed. And I wanted to get Nautilus onto 10.2 so we can use 
 the nice new applications, and get a slightly less jelly-bean 
 based UI experience.)

For sanity, please email tech if you either play with the LDAP 
on tangerine or touch the LDAP server config so that we're not 
working at cross-purposes.

Cheers,
Grahame

PS: I hear rumours that OpenLDAP + Kerberos is a go for Win2K 
    if you sacrifice enough chickens.

PPS: I've tried to change the lookupd configuration in NetInfo 
     although it doesn't seem to have helped.
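The post says the OpenLDAP server on mussel "supports bind operations against user records to verify passwords" and gives the base DN. The following is an added example, not code from the original post or from UCC's ~grahame/ldap/run.sh: a pure-stdlib encoder and decoder for the LDAPv3 simple bind exchange, so you can see exactly what a bind-based password check puts on the wire and the two checks a client must make before trusting "bind succeeded". The user DN layout (uid=<user>,ou=People,<base DN>) is an assumption; the post only gives the base DN. The BindResponse is constructed locally to stand in for the server.

```python
"""LDAPv3 simple bind on the wire (RFC 4511), pure stdlib BER.

Added example, not from the original post. Two practitioner points it makes
concrete: (1) the password travels as a cleartext OCTET STRING, so a simple
bind is only acceptable over LDAPS or StartTLS; (2) per RFC 4513 s5.1.2 an
*empty* password turns the request into an unauthenticated bind that servers
may answer with success, so a client must refuse empty passwords itself.
"""

BASE_DN = "o=The University Computer Club,c=AU"   # from the post
RESULT_SUCCESS, RESULT_INVALID_CREDENTIALS = 0, 49  # RFC 4511 resultCode values


def ber_len(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Non-negative INTEGER with a leading zero when the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def user_dn(uid):
    """Map a login name to its entry DN.

    ASSUMPTION: users sit directly under ou=People beneath the base DN.
    Characters special in a DN (RFC 4514) are refused rather than escaped,
    so a login name cannot rewrite the DN the bind is performed against.
    """
    if not uid or any(c in uid for c in ',+"\\<>;='):
        raise ValueError("uid contains DN-special characters")
    return f"uid={uid},ou=People,{BASE_DN}"


def bind_request(msg_id, dn, password):
    """Encode LDAPMessage { messageID, BindRequest { 3, dn, simple pw } }."""
    if not password:
        # RFC 4513 s5.1.2: empty password = unauthenticated bind, which
        # many servers accept. It must never count as a login.
        raise ValueError("empty password would be an unauthenticated bind")
    bind = tlv(0x60,                               # [APPLICATION 0] BindRequest
               ber_int(3)                          # version 3
               + tlv(0x04, dn.encode())            # name LDAPDN
               + tlv(0x80, password.encode()))     # authentication: simple [0]
    return tlv(0x30, ber_int(msg_id) + bind)       # LDAPMessage SEQUENCE


def bind_response(msg_id, code, diag=""):
    """Server side of the exchange (constructed here to stand in for mussel)."""
    op = tlv(0x61,                                 # [APPLICATION 1] BindResponse
             tlv(0x0A, bytes([code]))              # ENUMERATED resultCode
             + tlv(0x04, b"")                      # matchedDN
             + tlv(0x04, diag.encode()))           # diagnosticMessage
    return tlv(0x30, ber_int(msg_id) + op)


def _read_tlv(b, pos):
    tag = b[pos]
    ln = b[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(b[pos:pos + n], "big")
        pos += n
    return tag, b[pos:pos + ln], pos + ln


def parse_bind_response(buf):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    _, op, _ = _read_tlv(msg, pos)
    tag, _, _ = _read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)
    _, _matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()


def authenticated(response, expected_msg_id):
    """True only for a success result matching the messageID we sent."""
    msg_id, code, _ = parse_bind_response(response)
    return msg_id == expected_msg_id and code == RESULT_SUCCESS


if __name__ == "__main__":
    req = bind_request(1, user_dn("grahame"), "hunter2")   # constructed credentials
    print(req.hex())                                        # note the cleartext password
    print(authenticated(bind_response(1, RESULT_INVALID_CREDENTIALS, "invalid credentials"), 1))
```

Reading the hex shows why the post's setup needs TLS in front of it: the password sits verbatim after the 0x80 tag. The empty-password refusal is the bit most hand-rolled PAM and login glue gets wrong, since the server cheerfully returns resultCode 0 for an anonymous bind.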
