[CentOS] NIS or not?
Matt Garman
matthew.garman at gmail.com
Tue Jan 28 17:38:03 UTC 2014
On Tue, Jan 28, 2014 at 9:18 AM, <m.roth at 5-cent.us> wrote:
> At this late date, I'd be really, *REALLY* leery of using NIS. You say
> that *most* of your traffic is local, suggesting that some of it is *not*.
> And, for that matter, how good are the firewalls keeping other traffic
> out?
>
> I'd say no to NIS. Yes, other answers may be more difficult to set up, but
> consider the alternatives.
>>>
>>> That is, we have an ever-growing list of special cases. UserA can
>>> log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5.
>>> Nobody except UserC can log in to server 6. UserD can log in to
>>> machines 2--6. And so on and so forth.
>
> Here you may not realize you're distinguishing between authentication and
> authorization.
Yeah, I forgot to mention that we already have Kerberos in place for
authentication. It's authorization that is currently done by hand and
checked with a manual script. (I needed that for the secure mount
options NFSv4 provides.)
> I sincerely hope it's easier to set up and administer and upgrade than
> native LDAP. In '06, after a discussion with the other admin and manager I
> was working with at that job, I volunteered to set up openLDAP. Let's just
> say that the tools were NOT vaguely ready for prime time, though I did
> find that running webmin helped a *lot* to get it working.
I know you can find a horror story for any piece of software on the
Internet, but my impression is that LDAP has an unusually high number
of scary-sounding anecdotes. I know random Internet blogs and forum posts
aren't really authoritative, but they do give me a little trepidation
regarding LDAP.
> We have an in-house written set of scripts that administer relevant
> configuration files, including /etc/passwd. It copies the correct version
> of that file (among many others) to each host, and shell of /bin/noLogin
> works just fine.
Why set the shell to /bin/noLogin, rather than simply not create that
user's /etc/passwd entry?
I don't have /bin/noLogin on any of my systems - I assume you
deliberately specified a non-existent program for the shell? What's
the difference between setting the user's shell to a bogus program
versus something like /bin/false?
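As an added illustration (not code from either poster), the per-host authorization check that the thread describes as a hand-maintained script can be expressed as a small audit: a central policy of "user: hosts" is compared against a host's passwd file, treating any shell not listed in /etc/shells (whether /bin/false, /sbin/nologin or a non-existent /bin/noLogin) as a disabled login. The policy format, the sample passwd lines and the uid-1000 cutoff are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit one host's passwd file against a
# central "who may log in where" policy. Constructed assumptions:
#   - policy lines look like   user:host1,host2,...
#   - an account can log in only if its shell is listed in the shells file;
#     /bin/false, /sbin/nologin or a non-existent /bin/noLogin all disable it
#   - accounts with uid < 1000 are system accounts and are skipped

# audit_host HOST POLICY PASSWD SHELLS
# Prints one line per mismatch; prints nothing when the host matches policy.
audit_host() {
    host=$1; policy=$2; passwd=$3; shells=$4
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        [ "$uid" -ge 1000 ] || continue
        enabled=0; allowed=0
        grep -qxF "$shell" "$shells" && enabled=1
        # hosts granted to this user by the policy, one per line
        grep "^$user:" "$policy" | cut -d: -f2 | tr ',' '\n' \
            | grep -qxF "$host" && allowed=1
        if [ "$enabled" = 1 ] && [ "$allowed" = 0 ]; then
            echo "UNAUTHORIZED $user has login shell $shell on $host"
        elif [ "$enabled" = 0 ] && [ "$allowed" = 1 ]; then
            echo "MISSING $user is allowed on $host but has shell $shell"
        fi
    done < "$passwd"
    return 0
}

# make_samples DIR: write constructed sample policy, passwd and shells files.
make_samples() {
    cat > "$1/policy" <<'EOF'
usera:server1,server2,server3
userb:server3,server4,server5
userc:server6
userd:server2,server3,server4,server5,server6
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
usera:x:1001:1001:User A:/home/usera:/bin/bash
userb:x:1002:1002:User B:/home/userb:/sbin/nologin
userc:x:1003:1003:User C:/home/userc:/bin/bash
userd:x:1004:1004:User D:/home/userd:/bin/noLogin
EOF
    printf '%s\n' /bin/sh /bin/bash > "$1/shells"
}

# Demo on the constructed sample: audit server6.
SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
audit_host server6 "$SAMPLE_DIR/policy" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shells"
rm -rf "$SAMPLE_DIR"
```

On the sample, server6 reports usera as unauthorized (working shell, not in policy) and userd as missing (in policy, shell disabled), while userb and userc are consistent and produce no output.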