Laurent Wandrebeck wrote:
Matt Garman matthew.garman@gmail.com wrote:
On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu Sorin.Srbu@orgfarm.uu.se wrote:
The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
Comments and insights are much appreciated!
A related question: is NIS or LDAP (or something else entirely) better if the machines are not uniform in their login configuration?
At this late date, I'd be really, *REALLY* leery of using NIS. You say that *most* of your traffic is local, suggesting that some of it is *not*. And, for that matter, how good are the firewalls keeping other traffic out?
I'd say no to NIS. Yes, other answers may be more difficult to set up, but consider the alternatives.
That is, we have an ever-growing list of special cases. UserA can login to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can login to server 6. UserD can login to machines 2--6. And so on and so forth.
Here you may not realize you're distinguishing between authentication and authorization.
I currently have a custom script with a substantial configuration file for checking that the actual machines are configured as per our intent. It would be nice if there was a single tool where the configuration and management/auditing could be rolled into one.
We have an in-house written set of scripts that administer relevant configuration files, including /etc/passwd. It copies the correct version of that file (among many others) to each host, and shell of /bin/noLogin works just fine.
You’d be fine with IPA which allows you to create such rules.
I'd vaguely heard of IPA, so I just looked it up. *chuckle* You do notice that it has its own implementation of LDAP and uses Kerberos, right? So it seems like several folks are recommending LDAP and Kerberos.
I sincerely hope it's easier to set up and administer and upgrade than native LDAP. In '06, after a discussion with the other admin and manager I was working with at that job, I volunteered to set up OpenLDAP. Let's just say that the tools were NOT vaguely ready for prime time, though I did find that running webmin helped a *lot* to get it working.
But that was nearly 8 years ago....
mark
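The per-host login rules Matt describes (UserA on servers 1 to 3, UserB on 3 to 5, and so on) are an authorization policy, separate from where the accounts and passwords live. The script below is an added example written for this thread, not code from any of the posters or from IPA: it keeps that policy in one place, renders a pam_access `/etc/security/access.conf` for a given host, and audits a deployed file against the intended policy, which is roughly what Matt's "single tool where the configuration and management/auditing could be rolled into one" would do. The host names, user names and the policy itself are constructed for illustration.

```python
"""Central host-access policy: render per-host pam_access rules and audit drift.

Added example, not code from the thread or from IPA. The policy, hosts and
users below are constructed placeholders, loosely based on the cases Matt
listed; they are not anyone's real configuration.
"""
from __future__ import annotations

# Constructed policy: user -> set of hosts that user may log in to.
POLICY: dict[str, set[str]] = {
    "usera": {"server1", "server2", "server3"},
    "userb": {"server3", "server4", "server5"},
    "userc": {"server6"},
    "userd": {"server2", "server3", "server4", "server5"},
}


def allowed_users(policy: dict[str, set[str]], host: str) -> list[str]:
    """Users the central policy permits to log in to `host` (sorted)."""
    return sorted(u for u, hosts in policy.items() if host in hosts)


def render_access_conf(policy: dict[str, set[str]], host: str) -> str:
    """Render /etc/security/access.conf for pam_access.

    Format is 'permission : users : origins'. The file is an explicit allow
    list followed by a deny-everything rule, so a user absent from the policy
    is refused even if an account for them exists in the passwd map.
    """
    users = allowed_users(policy, host)
    lines = ["# generated from central policy; do not edit by hand"]
    lines.append("+ : root : LOCAL")  # keep console root for recovery
    if users:
        lines.append(f"+ : {' '.join(users)} : ALL")
    lines.append("- : ALL : ALL")
    return "\n".join(lines) + "\n"


def parse_access_conf(text: str) -> tuple[set[str], bool]:
    """Return (users allowed from any origin, whether a final deny-all exists)."""
    allowed: set[str] = set()
    default_deny = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [f.strip() for f in line.split(":")]
        if len(parts) < 3:
            continue  # malformed line; pam_access would also ignore it
        perm, users, origins = parts[0], parts[1], parts[2]
        if perm == "+" and origins == "ALL":
            allowed.update(users.split())
        if perm == "-" and users == "ALL" and origins == "ALL":
            default_deny = True
    return allowed, default_deny


def audit_host(policy: dict[str, set[str]], host: str, deployed_conf: str) -> list[str]:
    """Compare a host's deployed access.conf against intent; return findings."""
    intended = set(allowed_users(policy, host))
    actual, default_deny = parse_access_conf(deployed_conf)
    findings: list[str] = []
    for u in sorted(actual - intended):
        findings.append(f"{host}: {u} can log in but is not in policy")
    for u in sorted(intended - actual):
        findings.append(f"{host}: {u} is in policy but not allowed on host")
    if not default_deny:
        findings.append(f"{host}: missing final '- : ALL : ALL' deny rule")
    return findings


if __name__ == "__main__":
    for h in sorted({h for hosts in POLICY.values() for h in hosts}):
        print(f"--- {h} ---")
        print(render_access_conf(POLICY, h), end="")
    # Simulate drift on server1: someone hand-added a user to the allow line.
    drifted = render_access_conf(POLICY, "server1").replace("usera", "usera mallory")
    print(audit_host(POLICY, "server1", drifted))
```

Two caveats a practitioner would check before relying on this: the generated file does nothing unless `pam_access.so` is actually in the `account` section of the PAM stack used by sshd and login, so the audit should confirm that too; and the same policy can be expressed centrally as HBAC rules in IPA, which is the point Laurent was making, in which case the local file becomes unnecessary.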