The problem is that I want to be able to install my next hundred boxes running an assortment of OS versions that I don't know about yet, and have them find whatever attributes they need already available. I don't want to have to tweak the server every time I add a new service. In fact I want it to work without the person adding a new box/service having access to modify the LDAP server.
For the most part, various components will use the same attributes, so it will usually be easy to integrate new stuff with the LDAP database. However, having a static LDAP setup that you can put in place and forget about is kind of unrealistic. LDAP is extensible, and that is what is great about it. It comes with a price. If nothing else, you might want to extend it and add attributes specific to your company/environment. There's no way to standardize those, unless each and every imaginable business starts to be managed in *exactly* the same way (to the last tiny bit of detail). Something that isn't going to happen.
You want to add Sendmail LDAP mail routing for that user, add inetLocalMailRecipient to the list of his objectClass(es), and add attributes such as mailLocalAddress or mailRoutingAddress. You don't create a separate tree for every service that needs to store data about a user. You add the object classes needed to describe the user to his objectClass attribute, and then you add the service-specific attributes.
But isn't this already well enough understood to just be included in one standard format?
Well it is. However, (some of the) data that one implementation of some service can use might be unusable by another. Both can be perfect implementations of a protocol as defined by the RFC. But both will have specific additional features to make your life easier. For example, something that is trivial to implement in Sendmail might not be an easy job for Postfix. Or vice versa.
I don't really want to know that I'm modifying things in LDAP to add a user or change a password. The tool that adds users should do all the grunge work. If it needs to store the password in 3 different formats to work, it should do it. I think there are such tools - the problem is that there is more than one and they probably don't all interoperate.
No, I don't want a custom tool - I don't want to need a custom tool. I want a stock schema that provides all the attributes that all the tools in the base distribution know how to use, and a standard tool that populates them. Anything else seems as bizarre as having to decide on your own fields and layout of the passwd file before you could add any users. What is it about LDAP that has kept it from being standardized years ago?
It is hard to standardize on something extensible. Anybody (including you and me) can add custom attributes and extend standard schemas. A tool that would be used for managing users would need to be extendible too. It's far more complex than adding a line to /etc/passwd.
--
Aleksandar Milivojevic <amilivojevic@xxxxxx>
Systems Administrator, Pollard Banknote Limited
1499 Buffalo Place, Winnipeg, MB R3T 1L7
Tel: (204) 474-2323 ext 276
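The mail-routing change Aleksandar describes (append inetLocalMailRecipient to the user's objectClass, then add mailLocalAddress / mailRoutingAddress) is shown below as an added worked example; it is not code from the thread or from any of the tools mentioned. It builds the LDIF `changetype: modify` record that `ldapmodify` would consume and, before emitting it, checks the attributes against a small constructed slice of the standard schemas (the attribute sets for person, inetOrgPerson and inetLocalMailRecipient are the real ones from core/inetorgperson/misc.schema, trimmed; the DN and addresses are made-up sample values). It also handles the RFC 2849 edge case of values that must be base64-encoded (leading space or colon, non-ASCII), which a hand-written LDIF usually gets wrong.

```python
import base64

# Constructed, trimmed slice of the standard schemas the thread talks about:
# which attributes each objectClass permits (MUST and MAY collapsed together).
# The real core.schema / inetorgperson.schema / misc.schema are much larger.
SCHEMA = {
    "top": {"objectClass"},
    "person": {"sn", "cn", "userPassword", "telephoneNumber", "description"},
    "inetOrgPerson": {"mail", "uid", "givenName", "displayName"},
    # AUXILIARY class from misc.schema used for Sendmail/Postfix LDAP routing
    "inetLocalMailRecipient": {"mailLocalAddress", "mailHost", "mailRoutingAddress"},
}


def allowed_attributes(object_classes):
    """Union of the attributes the entry's objectClasses permit.

    Mirrors the objectClassViolation check a directory server performs:
    an attribute is only acceptable if some objectClass on the entry allows it.
    """
    allowed = set()
    for oc in object_classes:
        if oc not in SCHEMA:
            raise ValueError(f"unknown objectClass {oc!r}")
        allowed |= SCHEMA[oc]
    return allowed


def ldif_attr(name, value):
    """Render one attribute line per RFC 2849.

    Values that are not 'SAFE-STRING' (non-ASCII, leading space/colon/'<',
    embedded CR/LF, trailing space) must be base64-encoded after a double colon.
    """
    raw = value.encode("utf-8") if isinstance(value, str) else value
    unsafe = (
        not raw.isascii()
        or raw[:1] in (b" ", b":", b"<")
        or b"\n" in raw
        or b"\r" in raw
        or raw.endswith(b" ")
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"


def build_mail_routing_modify(dn, current_object_classes, local_addresses,
                              routing_address, mail_host=None):
    """Return an LDIF modify record that adds mail routing to an existing user.

    Steps match the thread: add the objectClass first, then the service-specific
    attributes. The schema check runs before anything is emitted, so a record
    the server would reject never gets written.
    """
    new_classes = list(current_object_classes)
    if "inetLocalMailRecipient" not in new_classes:
        new_classes.append("inetLocalMailRecipient")

    attrs = {
        "mailLocalAddress": list(local_addresses),
        "mailRoutingAddress": [routing_address],
    }
    if mail_host:
        attrs["mailHost"] = [mail_host]

    allowed = allowed_attributes(new_classes)
    for name in attrs:
        if name not in allowed:
            raise ValueError(f"{name} not permitted by objectClasses {new_classes}")

    lines = [ldif_attr("dn", dn), "changetype: modify"]
    if "inetLocalMailRecipient" not in current_object_classes:
        lines += ["add: objectClass", "objectClass: inetLocalMailRecipient", "-"]
    for name, values in attrs.items():
        lines.append(f"add: {name}")
        lines += [ldif_attr(name, v) for v in values]
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Sample values are constructed; feed the output to: ldapmodify -x -D ... -f -
    print(build_mail_routing_modify(
        "uid=jdoe,ou=people,dc=example,dc=com",
        ["top", "person", "inetOrgPerson"],
        ["jdoe@example.com", "john.doe@example.com"],
        "jdoe@mailhub.example.com",
        mail_host="mailhub.example.com",
    ))
```

The negative case is the one the thread is really about: with only person and inetOrgPerson on the entry, `allowed_attributes` does not contain mailRoutingAddress, so an attempt to add that attribute without first extending objectClass fails locally instead of as an objectClassViolation from the server.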