On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth@5-cent.us wrote:
Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
NIS+ is a dead product. Even Sun gave up pushing it. (Funny; in 1995 the Solaris training courses barely mentioned NIS and had 2 or 3 chapters on NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+ at all, and had 2 or 3 chapters on LDAP). Don't migrate to NIS+.
directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security.
The problem with LDAP is that it's a lot slower than NIS, and nscd is essential in order to get even minimally adequate performance. Unfortunately. I say "unfortunately" because in many respects LDAP is superior to NIS (especially with respect to security). Just not needing crypt strings is a big win. I use it at work, but very carefully :-)
NIS is insecure, but it has a massive advantage of being fast and (normally) "just works". Evaluate the security in your environment and determine if the risk is acceptable.