On Thu, Oct 06, 2011 at 09:14:35PM +0100, John Hodrien wrote:
> place, I think it's hard to list *any* honest advantages over LDAP. Sorry, I don't consider performance to be a credible advantage, especially after nscd/sssd have had their way with caching results.
Then you've never seen Veritas Cluster Services fall over 'cos of the amount of time it takes to do initgroup() stuff (VCS loves to su to oracle to verify the DB is up; the su takes too long 'cos this is a complete scan of the group map and nscd don't help, here; DB failover occurs).
You've never seen unexpected DoS attacks 'cos of "netstat -a" 'cos of all the temporary ports 'cos nscd doesn't cache serv-by-port values when each request is a new port number.
You've never seen...
Oh, never mind.
LDAP (being TCP connection oriented) is a world of hurt when it comes to stability and performance in any large environment. NIS, being UDP, allows you to just "run". (By large, I'm talking 30,000 client machines on 5 continents).
That said:
> A good LDAP setup with nested groups, and GSSAPI just beats NIS over the head with a stick in terms of security, and once you've got a good LDAP
This is true. NIS security is awful. Which is why we use LDAP :-)