Apart from ipa are there any other good tools out there for centralised user auth?
thanks
On Wed, Mar 24, 2010 at 5:17 PM, Tom Brown tom@ng23.net wrote:
Apart from ipa are there any other good tools out there for centralised user auth?
thanks
LDAP? MySQL-based authentication, depending on how / where you want to apply it. AD?
Apart from ipa are there any other good tools out there for centralised user auth?
I am currently testing LDAP (openldap) combined with nss_ldap, configured with authconfig.
It works and the nice thing is that you can have consistent authentication at OS and application level (apache, PHP, java, etc.). Combined with NFS mounted home directories, it also gives you consistent uids across the hosts.
However I am still evaluating the security implications of the bind process: if the access rights are too restrictive in openldap it doesn't work. It depends if everything will run in the same LAN or if you need external access. Then you probably need to go the client certificate route + SSL/TLS, which is not trivial to deploy (but works as well).
If you go this way, I can share some of my findings in more detail.
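An added example (not from the thread or from any poster) of the kind of check the bind and SSL/TLS concerns above call for: it audits an nss_ldap/pam_ldap client configuration for unencrypted binds, missing server-certificate validation and a stored proxy bind password. The option names are those of the nss_ldap client file; the hostnames, DNs, paths and password are constructed.

```python
# Constructed client configs in nss_ldap/pam_ldap "option value" syntax.
# Hostnames, DNs, paths and the password are made up for this example.
WEAK = """\
uri ldap://ldap.example.internal/
base dc=example,dc=internal
binddn cn=proxy,dc=example,dc=internal
bindpw s3cret
tls_checkpeer no
"""
HARDENED = """\
uri ldap://ldap.example.internal/
base dc=example,dc=internal
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
tls_cert /etc/openldap/certs/client.pem
tls_key /etc/openldap/certs/client.key
"""

def parse(text):
    """Map lower-cased option name -> value, skipping blanks and # comments."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit(text):
    """Return a list of (code, explanation) findings for one client config."""
    o, out = parse(text), []
    ssl = o.get("ssl", "no").lower()
    plain = [u for u in o.get("uri", "").split() if u.lower().startswith("ldap://")]
    # Conservative: an ldap:// URI is only treated as protected under StartTLS.
    if plain and ssl != "start_tls":
        out.append(("cleartext", "binds to %s are not encrypted" % ", ".join(plain)))
    if o.get("tls_checkpeer", "").lower() != "yes":
        out.append(("no-peer-check", "server certificate check not explicitly enabled"))
    if "tls_cacertfile" not in o and "tls_cacertdir" not in o:
        out.append(("no-ca", "no CA configured to validate the server"))
    if "bindpw" in o:
        out.append(("bindpw-in-file", "proxy bind password stored in the client config"))
    return out

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [code for code, _ in audit(cfg)] or "no findings")
```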
http://en.wikipedia.org/wiki/Network_Information_Service
it used to be called "yp" or "yellow pages". it works with samba too.
jobst
On Wed, Mar 24, 2010 at 03:17:04PM +0000, Tom Brown (tom@ng23.net) wrote:
Apart from ipa are there any other good tools out there for centralised user auth?
thanks
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Jobst Schmalenbach wrote:
http://en.wikipedia.org/wiki/Network_Information_Service
it used to be called "yp" or "yellow pages". it works with samba too.
I'm new to centralized user authentication, and I want to learn how to do it. I've heard that NIS is a deprecated technology, and that one should favour LDAP over it. I'd be curious if someone could explain the facts behind this (or even if it's true or not).
Niki
On Fri, 2010-03-26 at 08:03 +0100, Niki Kovacs wrote:
Jobst Schmalenbach wrote:
http://en.wikipedia.org/wiki/Network_Information_Service
it used to be called "yp" or "yellow pages". it works with samba too.
I'm new to centralized user authentication, and I want to learn how to do it. I've heard that NIS is a deprecated technology, and that one should favour LDAP over it. I'd be curious if someone could explain the facts behind this (or even if it's true or not).
---- true
LDAP is also much more robust and versatile. You can keep extending it for many things like mail routing/delivery/aliases, integration with Samba/Netatalk/ for Windows/Macintosh users, automounts, shared address books and more than just authentication.
Craig
it used to be called "yp" or "yellow pages". it works with samba too.
I'm new to centralized user authentication, and I want to learn how to do it. I've heard that NIS is a deprecated technology, and that one should favour LDAP over it. I'd be curious if someone could explain the facts behind this (or even if it's true or not).
true
LDAP is also much more robust and versatile. You can keep extending it for many things like mail routing/delivery/aliases, integration with Samba/Netatalk/ for Windows/Macintosh users, automounts, shared address books and more than just authentication.
NIS is also extensible in this fashion.. to an extent. It can handle automounts and routing but not shared address books as an example. Just FYI.
To address the question of NIS vs LDAP or other similar systems more directly, the NIS codebase is one of those applications that predates modern usage of the Internet and lacks secure coding principles that are necessary in today's world. In other words: it is not secure. That is one major reason. There is not much effort going into NIS these days, so bug fixes and extensibility fixes are not likely to come in a timely fashion. It is poorly supported outside of the SunOS/Solaris/AIX world, in particular.
I prefer NIS to LDAP, but that is most likely because I "grew up" with NIS. I find it easier to manage and edit, but it just doesn't fit the bill in today's world. I do not recommend it to any of my customers.
-geoff
--------------------------------- Geoff Galitz Blankenheim NRW, Germany http://www.galitz.org/ http://german-way.com/blog/
Jobst Schmalenbach wrote:
http://en.wikipedia.org/wiki/Network_Information_Service
it used to be called "yp" or "yellow pages". it works with samba too.
I'm new to centralized user authentication, and I want to learn how to do it. I've heard that NIS is a deprecated technology, and that one should favour LDAP over it. I'd be curious if someone could explain the facts behind this (or even if it's true or not).
NIS is *very* insecure and I *think* uses clear text (it was a kinder, gentler age). NIS+ is slightly better, but not a whole lot. LDAP is expecting encryption, at least SSL.
mark
On Fri, Mar 26, 2010 at 9:41 AM, m.roth@5-cent.us wrote:
I'm new to centralized user authentication, and I want to learn how to do it. I've heard that NIS is a deprecated technology, and that one should favour LDAP over it. I'd be curious if someone could explain the facts behind this (or even if it's true or not).
NIS is *very* insecure and I *think* uses clear text (it was a kinder, gentler age). NIS+ is slightly better, but not a whole lot. LDAP is expecting encryption, at least SSL.
That's the heart of it... NIS was fine in a younger and more innocent day :) NIS+ was ostensibly more secure but was a pain to get quite perfect. In many of the shops I visited that were using NIS+ there were lots of misconfigurations that exposed more than planned.
On Fri, Mar 26, 2010 at 09:51:53AM -0400, Kwan Lowe wrote:
That's the heart of it... NIS was fine in a younger and more innocent day :) NIS+ was ostensibly more secure but was a pain to get quite perfect. In many of the shops I visited that were using NIS+ there were lots of misconfigurations that exposed more than planned.
And Sun, the pushers of NIS+, dropped NIS+ support before they dropped NIS support :-)