[CentOS] NIS failover

Stephen Harris lists at spuddy.org
Thu Dec 17 19:58:11 UTC 2009


On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth at 5-cent.us wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

NIS+ is a dead product.  Even Sun gave up pushing it.  (Funny; in 1995 the
Solaris training courses barely mentioned NIS and had 2 or 3 chapters on
NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+
at all, and had 2 or 3 chapters on LDAP).  Don't migrate to NIS+.

> directory server (which I've never worked with), or openLDAP (which is,
> IMO, NOT ready for prime time, but is built for security.

The problem with LDAP is that it's a lot slower than NIS, and nscd
is essential in order to get even minimally adequate performance.
Unfortunately.  I say "unfortunately" because in many respects LDAP is
superior to NIS (especially with respect to security).  Just not needing
crypt strings is a big win.  I use it at work, but very carefully :-)

NIS is insecure, but it has a massive advantage of being fast and
(normally) "just works".  Evaluate the security in your environment and
determine if the risk is acceptable.

-- 

rgds
Stephen


More information about the CentOS mailing list