Preface: I know that printing isn't working. Neither are the test pages.
It's entirely possible that the ldp addresses of the printers have
changed. It's more likely that what Andrew and I did with hosts.allow
has a lot more to do with it. In either case, I'll be looking into it.
So to go over LDAP:
We have our openLDAP server. Don't think of it as centralized user
authentication, but think of it as a different kind of database.
Each entry has a distinguished name (DN) based on it's location in the
The root DN for our database is "dc=cssa"
i.e. the root of our tree
The DN for groups is "ou=Groups,dc=cssa"
i.e. The entry ou=Groups with parent dc=cssa.
The DN for people is "ou=People,dc=cssa"
i.e. The entry ou=Peoples with parent dc=cssa.
The DN for my account is "uid=deadowl,ou=People,dc=cssa"
So, in essence, this is structured like a file system tree, where
entries have parents.
The actual entry is like a table with a set of fields. Since it's an
object-oriented database, you can have repetitions of some fields
depending on how their defined in the schema (ex. UserPassword wouldn't
The entries for a person, for instance, has fields like userPassword,
uid, uidNumber, mail, etc. These are a compilation of the schema-defined
attributes from the schemas: posixAccount, shadowAccount, and
inetOrgPerson. The entries for groups use the posixGroup schema. The ou
entries use the OrganizationalUnit schema.
Because these schemas are standard, it allows our machines to use the
LDAP server for authentication. You can use LDAP for a lot more than
just groups and users. Many people have machines, for instance, listed
in their LDAP server. There are standard schemas for doing other things,
too, like managing a DHCP server (although dhcpd.conf isn't really all
Now how do our clients authenticate against the server? NSS+PAM.
NSS = Name Service Switch. It can use LDAP on its own.
nsswitch.conf is the file it uses.
It essentially says where to get things the operating system needs and
in what order.
NSS refers to ldap.conf to get information for things such as accessing
the LDAP server.
PAM = Pluggable Authentication Module
PAM modules allow for an easier means of authentication. We use an
additional PAM module, other than the ones set up by default that make a
home folder for the user if one doesn't exist (on masterhand and