Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f...
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
Thanks.
Boris.
On 2/10/10 4:27 AM, Boris Epstein wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f...
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
Solaris still favours it, but mainly because Sun invented it. Most of the rest of us don't bother. I certainly haven't seen it anywhere except exclusively SunOS/Solaris based networks for ages.
Regards, Ben
On Oct 1, 2010, at 11:50 AM, Ben McGinnes wrote:
On 2/10/10 4:27 AM, Boris Epstein wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f...
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
Solaris still favours it, but mainly because Sun invented it. Most of the rest of us don't bother. I certainly haven't seen it anywhere except exclusively SunOS/Solaris based networks for ages.
Regards, Ben
We still use it quite extensively, across 100 or so Linux, Solaris, and SunOS boxes.
Since we still have to maintain and support some very expensive industrial equipment that uses SunOS, I'd hate to see it go away.
Take Care, Don
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Don Krause
Sent: Friday, October 01, 2010 15:40
To: CentOS mailing list
Subject: Re: [CentOS] how many people still use NIS?
On Oct 1, 2010, at 11:50 AM, Ben McGinnes wrote:
On 2/10/10 4:27 AM, Boris Epstein wrote:
Hello listmates,
<snip/>
Hence the question: is NIS (YP) still in use much anywhere for authentication?
Solaris still favours it, but mainly because Sun invented it. Most of the rest of us don't bother. I certainly haven't seen it anywhere except exclusively SunOS/Solaris based networks for ages.
Regards, Ben
We still use it quite extensively, across 100 or so Linux, Solaris, and SunOS boxes.
Since we still have to maintain and support some very expensive industrial equipment that uses SunOS, I'd hate to see it go away.
We use it in our linux/windows SSO, about 75 machines. Eventually we will switch to LDAP, but until then...
-Jason
Hi there --
We use NIS on our site which is a mixture of HP-UX and Linux systems.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Ben McGinnes
Sent: Friday, October 01, 2010 2:50 PM
To: CentOS mailing list
Subject: Re: [CentOS] how many people still use NIS?
On 2/10/10 4:27 AM, Boris Epstein wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f... is-accounts-under-openssh-5-x-816020/
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
Solaris still favours it, but mainly because Sun invented it. Most of the rest of us don't bother. I certainly haven't seen it anywhere except exclusively SunOS/Solaris based networks for ages.
Regards, Ben
Boris Epstein wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f...
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
I have no problems as a NIS user using sftp to a CentOS 5 box running OpenSSH 5.x
This isn't really a CentOS issue - as CentOS ships with OpenSSH v4.x
I suggest you download the vanilla OpenSSH 5.x source and build and install it on a host that has NIS accounts and test it.
James Pearson
James Pearson wrote:
Boris Epstein wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f...
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
I have no problems as a NIS user using sftp to a CentOS 5 box running OpenSSH 5.x
This isn't really a CentOS issue - as CentOS ships with OpenSSH v4.x
I suggest you download the vanilla OpenSSH 5.x source and build and install it on a host that has NIS accounts and test it.
And I'd at *least* go to NIS+. openLDAP is an unbelievable pain, but that's the way I'd go. Well, actually, when I was working at AT&T 4 years ago, I did go that way for our group, and where I'm at now, with the fed gov't, we've got AD through Kerberos.
NIS is very insecure. scp works fine, as does rsync with ssh.
mark
On Fri, Oct 01, 2010 at 04:22:58PM -0400, m.roth@5-cent.us wrote:
And I'd at *least* go to NIS+. openLDAP is an unbelievable pain, but
Nobody in their right mind uses NIS+. Even Sun have stopped it.
When I did Solaris 2.4 training NIS+ took 2 chapters of the manual. When I did Solaris 9 training it took 2 sentences. Yes, NIS+ may be more secure than NIS, but it's a FPOS to use properly and not a recommended solution.
Stephen Harris wrote:
On Fri, Oct 01, 2010 at 04:22:58PM -0400, m.roth@5-cent.us wrote:
And I'd at *least* go to NIS+. openLDAP is an unbelievable pain, but
Nobody in their right mind uses NIS+. Even Sun have stopped it.
When I did Solaris 2.4 training NIS+ took 2 chapters of the manual. When I did Solaris 9 training it took 2 sentences. Yes, NIS+ may be more secure than NIS, but it's a FPOS to use properly and not a recommended solution.
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
mark
On Fri, Oct 1, 2010 at 4:46 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
On Fri, Oct 01, 2010 at 04:22:58PM -0400, m.roth@5-cent.us wrote:
And I'd at *least* go to NIS+. openLDAP is an unbelievable pain, but
Nobody in their right mind uses NIS+. Even Sun have stopped it.
When I did Solaris 2.4 training NIS+ took 2 chapters of the manual. When I did Solaris 9 training it took 2 sentences. Yes, NIS+ may be more secure than NIS, but it's a FPOS to use properly and not a recommended solution.
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
mark
Thanks... what is AD? I never even heard of that.
I think we are going to LDAP at some point - due to its universality if for no other reason.
Boris.
Boris Epstein wrote:
On Fri, Oct 1, 2010 at 4:46 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
On Fri, Oct 01, 2010 at 04:22:58PM -0400, m.roth@5-cent.us wrote:
<snip>
When I did Solaris 9 training it took 2 sentences. Yes, NIS+ may be more secure than NIS, but it's a FPOS to use properly and not a recommended solution.
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
Thanks... what is AD? I never even heard of that.
Windows. Active Directory, or whatever.
I think we are going to LDAP at some point - due to its universality if for no other reason.
Seems reasonable to me.
mark
On Fri, 2010-10-01 at 16:46 -0400, m.roth@5-cent.us wrote:
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
---- well AD *is* LDAP but it has many other services/requirements beyond LDAP.
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever. The only griping I hear is from people who expect to use it without actually taking the time to learn how it works.
Craig
Craig White wrote:
On Fri, 2010-10-01 at 16:46 -0400, m.roth@5-cent.us wrote:
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
well AD *is* LDAP but it has many other services/requirements beyond LDAP.
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever. The only griping I hear is from people who expect to use it without actually taking the time to learn how it works.
In late '06, I set it up, with nobody I worked with knowing anything about how to do it. The "tools" suck dead roaches, the error messages are lousy, and its error handling leaves much to be desired, like, um, error handling. The documentation was mostly out of date, and written worse than old mainframe documentation (which I have, indeed, used).
Once it's working, it's ok, but doing *anything* to it is a royal pain. I'm glad you have no trouble; I, and most folks I've spoken with about it, think the way I do.
mark
On Fri, 1 Oct 2010, Craig White wrote:
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever.
Agreed. I have found that LDAP, in the guise of OpenLDAP, is not very difficult at all once you have done your first setup, providing, as Craig says, you take the time to understand why you're doing what you're doing and you properly plan ahead. OpenLDAP also has excellent performance and is as solid as a rock.
Steve
On Oct 1, 2010, at 2:16 PM, Steve Thompson wrote:
On Fri, 1 Oct 2010, Craig White wrote:
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever.
Agreed. I have found that LDAP, in the guise of OpenLDAP, is not very difficult at all once you have done your first setup, providing, as Craig says, you take the time to understand why you're doing what you're doing and you properly plan ahead. OpenLDAP also has excellent performance and is as solid as a rock.
Steve
What's bizarre is the NIS/LDAP gateway that padl.com sells starting at $1500.
I said screw it and just migrated over to OpenLDAP.
Didn't think it was a PITA, but then again, all IT is a PITA so none of it is, if you catch my drift.
I mean if it's all a PITA, then it's not a PITA cuz PITA is PITA if there is no PITA to compare to.
- aurf
On Fri, Oct 01, 2010 at 02:47:09PM -0700, aurfalien@gmail.com wrote:
On Oct 1, 2010, at 2:16 PM, Steve Thompson wrote:
On Fri, 1 Oct 2010, Craig White wrote:
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever.
Agreed. I have found that LDAP, in the guise of OpenLDAP, is not very difficult at all once you have done your first setup, providing, as Craig says, you take the time to understand why you're doing what you're doing and you properly plan ahead. OpenLDAP also has excellent performance and is as solid as a rock.
Steve
What's bizarre is the NIS/LDAP gateway that padl.com sells starting at $1500.
I said screw it and just migrated over to OpenLDAP.
Didn't think it was a PITA, but then again, all IT is a PITA so none of it is, if you catch my drift.
I mean if it's all a PITA, then it's not a PITA cuz PITA is PITA if there is no PITA to compare to.
What bites is if you already have a large AD environment in place along with legacy NIS.
It's obviously not efficient to maintain two separate environments with many of the same usernames...
AD does have "Unix Extensions" to expand their schema to make it more friendly for use as LDAP... but it's pretty limited really. That and, what if you have many legacy Unix clients that can only talk NIS easily?
There are packages like LikeWise out there that can make this work fairly well -- they even have a free version.
Lately I've been thinking of using something like Fedora Directory Server to just sync up daily from AD and provide LDAP and NIS services via some sort of shim to older Unix clients who can't handle LDAP.
Note that Samba 3.3.x integrates pretty well with AD via winbind. If you can get good external uid mapping going you can even preserve UID's from your NIS environments.
It's definitely not as fast as NIS though as far as responsiveness...
Ray
On Oct 1, 2010, at 2:57 PM, Ray Van Dolson wrote:
On Fri, Oct 01, 2010 at 02:47:09PM -0700, aurfalien@gmail.com wrote:
On Oct 1, 2010, at 2:16 PM, Steve Thompson wrote:
On Fri, 1 Oct 2010, Craig White wrote:
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever.
Agreed. I have found that LDAP, in the guise of OpenLDAP, is not very difficult at all once you have done your first setup, providing, as Craig says, you take the time to understand why you're doing what you're doing and you properly plan ahead. OpenLDAP also has excellent performance and is as solid as a rock.
Steve
What's bizarre is the NIS/LDAP gateway that padl.com sells starting at $1500.
I said screw it and just migrated over to OpenLDAP.
Didn't think it was a PITA, but then again, all IT is a PITA so none of it is, if you catch my drift.
I mean if it's all a PITA, then it's not a PITA cuz PITA is PITA if there is no PITA to compare to.
Note that Samba 3.3.x integrates pretty well with AD via winbind. If you can get good external uid mapping going you can even preserve UID's from your NIS environments.
Not for every one, but I scrapped using Samba as it quadruples your LDIFs and use pGina for Windows client auth to LDAP. Now I realize that LDAP is really fast but I just hated how my LDIFs looked after Samba got a hold of em. Samba is an awesome project so I'm not dissin them at all.
Again, I realize not a fit for every env, but I was lucky in not having any large AD/Windows population to deal with, perhaps only a few hundred is all.
-aurf
On Oct 1, 2010, at 2:57 PM, Ray Van Dolson wrote:
On Fri, Oct 01, 2010 at 02:47:09PM -0700, aurfalien@gmail.com wrote:
On Oct 1, 2010, at 2:16 PM, Steve Thompson wrote:
On Fri, 1 Oct 2010, Craig White wrote:
As for OpenLDAP being a royal PITA, I suppose that's a matter of perspective because I've been using it for at least 7 years now and it works for me without any problems whatsoever.
Agreed. I have found that LDAP, in the guise of OpenLDAP, is not very difficult at all once you have done your first setup, providing, as Craig says, you take the time to understand why you're doing what you're doing and you properly plan ahead. OpenLDAP also has excellent performance and is as solid as a rock.
Steve
What's bizarre is the NIS/LDAP gateway that padl.com sells starting at $1500.
I said screw it and just migrated over to OpenLDAP.
Didn't think it was a PITA, but then again, all IT is a PITA so none of it is, if you catch my drift.
I mean if it's all a PITA, then it's not a PITA cuz PITA is PITA if there is no PITA to compare to.
What bites is if you already have a large AD environment in place along with legacy NIS.
It's obviously not efficient to maintain two separate environments with many of the same usernames...
AD does have "Unix Extensions" to expand their schema to make it more friendly for use as LDAP... but it's pretty limited really. That and, what if you have many legacy Unix clients that can only talk NIS easily?
There are packages like LikeWise out there that can make this work fairly well -- they even have a free version.
Lately I've been thinking of using something like Fedora Directory Server to just sync up daily from AD and provide LDAP and NIS services via some sort of shim to older Unix clients who can't handle LDAP.
Note that Samba 3.3.x integrates pretty well with AD via winbind. If you can get good external uid mapping going you can even preserve UID's from your NIS environments.
It's definitely not as fast as NIS though as far as responsiveness...
Ray
Anybody use OpenDS instead of OpenLDAP? I just ask, because OpenDS is shipped as part of a large enterprise app we use (PTC Windchill) and it doesn't seem as bad as OpenLDAP as far as the management tools go. -- Don
On Fri, Oct 01, 2010 at 05:16:49PM -0400, Steve Thompson wrote:
Agreed. I have found that LDAP, in the guise of OpenLDAP, is not very difficult at all once you have done your first setup, providing, as Craig says, you take the time to understand why you're doing what you're doing and you properly plan ahead. OpenLDAP also has excellent performance and is as solid as a rock.
The server is great... the client side not so much. Definitely ensure you have nscd running, 'cos without it you'll be making lots of TCP connections to the server and these are relatively slow (definitely compared to NIS which uses UDP).
On Fri, Oct 1, 2010 at 4:46 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
On Fri, Oct 01, 2010 at 04:22:58PM -0400, m.roth@5-cent.us wrote:
And I'd at *least* go to NIS+. openLDAP is an unbelievable pain, but
Nobody in their right mind uses NIS+. Even Sun have stopped it.
When I did Solaris 2.4 training NIS+ took 2 chapters of the manual. When I did Solaris 9 training it took 2 sentences. Yes, NIS+ may be more secure than NIS, but it's a FPOS to use properly and not a recommended solution.
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
Both NIS+ and LDAP are a PITA but NIS+ less so, IMHO, probably because I learned it first. Anyway, NIS+ is pretty much history...
No one seems to like AD. I actually find it to be fairly manageable compared to stock LDAP/Kerberos. The management tools blow OpenLDAP out of the water. I laugh at myself saying it, but if you want simple management of a big installation, AD is pretty dang tested these days and it's not hard to integrate other systems in that environment if you have admin control of the schema.
-Iain
On Sat, Oct 2, 2010 at 3:24 PM, Tom H tomh0665@gmail.com wrote:
On Fri, Oct 1, 2010 at 4:46 PM, m.roth@5-cent.us wrote:
Stephen Harris wrote:
On Fri, Oct 01, 2010 at 04:22:58PM -0400, m.roth@5-cent.us wrote:
And I'd at *least* go to NIS+. openLDAP is an unbelievable pain, but
Nobody in their right mind uses NIS+. Even Sun have stopped it.
When I did Solaris 2.4 training NIS+ took 2 chapters of the manual. When I did Solaris 9 training it took 2 sentences. Yes, NIS+ may be more secure than NIS, but it's a FPOS to use properly and not a recommended solution.
*shrug* I've never used it. Trust me, openLDAP is a royal PITA, but with AD as an alternative....
Both NIS+ and LDAP are a PITA but NIS+ less so, IMHO, probably because I learned it first. Anyway, NIS+ is pretty much history...
No one seems to like AD. I actually find it to be fairly manageable compared to stock LDAP/Kerberos. The management tools blow OpenLDAP out of the water. I laugh at myself saying it, but if you want simple management of a big installation, AD is pretty dang tested these days and it's not hard to integrate other systems in that environment if you have admin control of the schema.
Microsoft have always been good at pretty GUIs for managing their product. It's why NT Domains succeeded and NIS+ failed, despite being very similar in concept.
Microsoft are _also_ learning why scripted access to their products is essential. Eventually they'll have the benefits of built-in adequate usable management tools and the flexibility of programmatic interfaces and it'll be a lot harder to justify Unix for infrastructure purposes.
Which'll put me out a job!
On Sat, Oct 2, 2010 at 9:02 PM, Iain Morris iain.t.morris@gmail.com wrote:
No one seems to like AD. I actually find it to be fairly manageable compared to stock LDAP/Kerberos. The management tools blow OpenLDAP out of the water. I laugh at myself saying it, but if you want simple management of a big installation, AD is pretty dang tested these days and it's not hard to integrate other systems in that environment if you have admin control of the schema.
As long as we are recommending non-CentOS, non-Linux systems, I'd like to mention OS X Server as a good GUI, works-straight-out-of-the-box implementation of OpenLDAP...
On Sat, 2010-10-02 at 21:40 -0400, Tom H wrote:
On Sat, Oct 2, 2010 at 9:02 PM, Iain Morris iain.t.morris@gmail.com wrote:
No one seems to like AD. I actually find it to be fairly manageable compared to stock LDAP/Kerberos. The management tools blow OpenLDAP out of the water. I laugh at myself saying it, but if you want simple management of a big installation, AD is pretty dang tested these days and it's not hard to integrate other systems in that environment if you have admin control of the schema.
As long as we are recommending non-CentOS, non-Linux systems, I'd like to mention OS X Server as a good GUI, works-straight-out-of-the-box implementation of OpenLDAP...
---- This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management then you have a lack of imagination.
It is a great disservice to suggest that AD tools 'blow OpenLDAP tools out of the water' or Apple's GUI implementation of their fork of OpenLDAP from several years ago are actually reasonable solutions. For that matter, you should have also mentioned Fedora-DS, RedHat-DS, FreeIPA which all use the previous Netscape Directory Server code that Red Hat has worked to open source because those all share a functional GUI.
There are also a number of very functional GUIs such as GoSA and LDAPAdmin if you require such crutches, or for that matter, a properly configured LDAP & Samba configuration allows you to use Microsoft User and Group Management tools anyway.
The reality is that LDAP was designed to be completely flexible for many possible needs and Microsoft's AD, Apple's OpenDirectory, Fedora-DS (and derivatives) all use a predetermined setup that constrains the usage of LDAP rather than enhance it. Shared address books? Mail routing? Mail aliases? DNS?
Personally, I use Webmin's LDAP Users & Groups to manage LDAP users and groups, which rather cleverly allows me to create all the custom attributes and objectclasses that I routinely use with LDAP that I could never get out of the other GUIs, giving me infinitely more flexibility and power.
Craig
On Sat, Oct 2, 2010 at 7:29 PM, Craig White craigwhite@azapple.com wrote:
This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management then you have a lack of imagination.
Not to stray much further off the subject, nor defend AD much further on the CentOS list, but AD does a lot more than user/group auth. In fact it does everything in your list (DNS, mail access lists, etc), and quite a bit more out of the box.
Apple's Open Directory is a nice start, but pretty far behind in the race. In fact if I had a 1000 Mac installation, I'd rather build an AD domain and extend the schema to include the Apple attributes and use WG Manager for the Macs. I honestly believe Apple has put more engineering time into their AD plugin than their OD native interface.
Believe me I'm no Microsoft enthusiast, but AD is a capable and mature product for the job. Obviously for maximum flexibility stock MIT Kerberos and OpenLDAP win, but I think I'd be wasting a lot of time using them bare-bones when administrating a large multi-site organization. Open-source is free, but it's definitely not free once you start spending your evenings combing mailing lists and debugging fringe issues that keep your business from meeting its goals.
And NIS servers belong in a museum! :-)
There, hopefully I've offended everyone. Cent remains my favorite server OS by a _huge_ margin.
On Sat, 2010-10-02 at 21:52 -0700, Iain Morris wrote:
On Sat, Oct 2, 2010 at 7:29 PM, Craig White craigwhite@azapple.com wrote:
---- This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management then you have a lack of imagination.
Not to stray much further off the subject, nor defend AD much further on the CentOS list, but AD does a lot more than user/group auth. In fact it does everything in your list (DNS, mail access lists, etc), and quite a bit more out of the box.
Apple's Open Directory is a nice start, but pretty far behind in the race. In fact if I had a 1000 Mac installation, I'd rather build an AD domain and extend the schema to include the Apple attributes and use WG Manager for the Macs. I honestly believe Apple has put more engineering time into their AD plugin than their OD native interface.
Believe me I'm no Microsoft enthusiast, but AD is a capable and mature product for the job. Obviously for maximum flexibility stock MIT Kerberos and OpenLDAP win, but I think I'd be wasting a lot of time using them bare-bones when administrating a large multi-site organization. Open-source is free, but it's definitely not free once you start spending your evenings combing mailing lists and debugging fringe issues that keep your business from meeting its goals.
---- AD yes, LDAP no
You have to go to different tools for everything...
Mail (routing/aliases) - Exchange
DNS - Their DNS tool
I have no problem using OpenLDAP to setup/configure not only users but also automounts for Linux/Macintosh users, central user/group authentication and even share the home directories across the board (Linux/Macintosh/Windows users so regardless of which system they use, they have access to their same files). You aren't going to get that done with Active Directory tools.
Active Directory provides a fairly decent configuration tool set for the unimaginative administrator who wants to do everything the Microsoft way but try extending AD's LDAP. If I had a large multi-site organization, the last tool I would use is AD.
Craig
Iain Morris wrote:
On Sat, Oct 2, 2010 at 7:29 PM, Craig White <craigwhite@azapple.com> wrote:
---- This discussion completely ignores the fact that user authentication is just one of the many things LDAP does. If all you are going to do with LDAP is simple user & group management then you have a lack of imagination.
Not to stray much further off the subject, nor defend AD much further on the CentOS list, but AD does a lot more than user/group auth. In fact it does everything in your list (DNS, mail access lists, etc), and quite a bit more out of the box.
Apple's Open Directory is a nice start, but pretty far behind in the race. In fact if I had a 1000 Mac installation, I'd rather build an AD domain and extend the schema to include the Apple attributes and use WG Manager for the Macs. I honestly believe Apple has put more engineering time into their AD plugin than their OD native interface.
For a mixed installation with a bunch of Windows boxes, you're probably not going to get away from AD, so you might as well leverage it. Honestly, its a pretty slick kerberos+LDAP+etc integration. There are a few things it does wrong, but trying to beat its manageability, replication, etc with openldap+mit-krb5 is _hard_.
You may get it working, but then someone has to support it down the line. :)
As for Apple's OpenDirectory, I would not inflict it on anyone I like or had to support. While 2/3rds of it is openldap+mit-krb5, the third leg is their own proprietary crap that is frail, prone to obscure failures, generally undocumented, stores all the password hashes in yet another database on the server, doesn't handle replication, and generally interferes with your life.
And NIS servers belong in a museum! :-)
Of bad ideas? :)
Iain Morris wrote:
And NIS servers belong in a museum! :-)
Although NIS has a number of issues against it - it still has some pretty good things going for it. If you are on a private network and security is not a high priority, then NIS is something that can be easily set up. Some of the nice things about NIS on Linux are:
- It is fairly simple to set up
- Comes with built-in server redundancy and failover
- Has simple server load balancing built in
- Very lightweight on the client
James Pearson
On Mon, Oct 04, 2010 at 02:28:23PM +0100, James Pearson wrote:
easily set up. Some of the nice things about NIS on Linux are:
- It is fairly simple to set up
- Comes with built-in server redundancy and failover
- Has simple server load balancing built in
- Very lightweight on the client
It's ****ing fast :-)
On 10/1/10 2:27 PM, "Boris Epstein" borepstein@gmail.com wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f... -nis-accounts-under-openssh-5-x-816020/
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
We use it for our mixed environment of Solaris and Linux (including CentOS) workstations. 100-150 machines, 600-700 users.
---
Mike VanHorn
Senior Computer Systems Administrator
College of Engineering and Computer Science
Wright State University
265 Russ Engineering Center
937-775-5157
michael.vanhorn@wright.edu
RSS: http://www.engineering.wright.edu/~mvanhorn/MikeVanHorn%27sNewsFeed.xml
http://www.engineering.wright.edu/~mvanhorn/
On Oct 1, 2010, at 2:27 PM, Boris Epstein borepstein@gmail.com wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-f...
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
I have set up NIS where a winbind box builds NIS maps of Windows users without passwords, of course, and then the NIS clients use those maps coupled with Kerberos for authentication, which worked well.
If the winbind service crashed or locked up there were still the maps to use until it was fixed, so better uptime than winbind alone.
Even without AD one could set up a Kerberos server and NIS database a lot easier than LDAP.
-Ross
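Two of the points raised in this thread are checkable: James's note that NIS suits a private network where security is not the priority, and Ross's design in which the NIS passwd map carries no passwords because Kerberos does the authentication. The following is an added example, not code from the thread or from ypserv: it audits a passwd map (as `ypcat passwd` would print it) for exposed password hashes, and audits `/var/yp/securenets` for entries that let any host dump the maps. The sample map and securenets lines are constructed; the `host` keyword form of a securenets line is assumed from the ypserv securenets documentation.

```python
"""Defensive audit helpers for a NIS (YP) deployment (constructed example).

Check 1: NIS maps are served to any host ypserv will talk to, so the passwd
         map's password field must be a placeholder ("x", "*", "!", "!!"),
         with real authentication done elsewhere (e.g. Kerberos).
Check 2: /var/yp/securenets restricts which hosts ypserv answers, one
         "netmask network" (or "host address") pair per line. A line of
         "0.0.0.0 0.0.0.0" means every host that can reach the server.
"""
import ipaddress

# Constructed sample of `ypcat passwd` output. The hash-like string on the
# second line is made up; it is there only to be flagged.
SAMPLE_PASSWD_MAP = [
    "# constructed sample map",
    "alice:x:1001:100:Alice Example:/home/alice:/bin/bash",
    "bob:$1$constructed$notarealhashvalue00000:1002:100:Bob:/home/bob:/bin/bash",
    "svc:*:1003:100:Service account:/nonexistent:/sbin/nologin",
    "locked:!!:1004:100:Locked user:/home/locked:/bin/bash",
]

# Constructed /var/yp/securenets. The last line is the dangerous one.
SAMPLE_SECURENETS = [
    "# constructed securenets file",
    "255.0.0.0       127.0.0.0",
    "255.255.255.0   10.20.30.0",
    "host            192.168.1.5",      # assumed 'host' shorthand for a /32
    "0.0.0.0         0.0.0.0",
]


def audit_passwd_map(lines):
    """Return usernames whose passwd-map entry carries a real password hash.

    Any password field that is not 'x' and does not start with '*' or '!'
    is treated as a hash that would be readable by every NIS client.
    """
    exposed = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # passwd entries have exactly 7 fields
            continue
        user, password = fields[0], fields[1]
        if password != "x" and not password.startswith(("*", "!")):
            exposed.append(user)
    return exposed


def parse_securenets(lines):
    """Parse securenets lines into ipaddress network objects."""
    nets = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two fields: {line!r}")
        mask, addr = parts
        if mask == "host":
            nets.append(ipaddress.ip_network(addr))          # single host, /32
        else:
            # ipaddress accepts dotted netmasks; strict=False tolerates host bits
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def audit_securenets(lines):
    """Return findings for securenets entries that are broader than a LAN."""
    findings = []
    for net in parse_securenets(lines):
        if net.prefixlen == 0:
            findings.append(f"{net}: any host may query ypserv")
        elif net.prefixlen < 8:
            findings.append(f"{net}: very broad range")
        elif not (net.is_private or net.is_loopback):
            findings.append(f"{net}: non-private address range allowed")
    return findings


if __name__ == "__main__":
    for user in audit_passwd_map(SAMPLE_PASSWD_MAP):
        print(f"passwd map: user {user!r} carries a password hash")
    for finding in audit_securenets(SAMPLE_SECURENETS):
        print(f"securenets: {finding}")
```

Run against real data with `ypcat passwd | python3 -c ...` or by reading the files; the two audit functions take any iterable of lines.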
On Fri, Oct 1, 2010 at 6:31 PM, Ross Walker rswwalker@gmail.com wrote:
On Oct 1, 2010, at 2:27 PM, Boris Epstein borepstein@gmail.com wrote:
Hello listmates,
I have discovered a very strange SFTP problem which I can not connect to anything but NIS thus far. See here:
http://www.linuxquestions.org/questions/linux-server-73/sftp-seems-to-fail-for-nis-accounts-under-openssh-5-x-816020/
http://readlist.com/lists/suse.com/suse-linux-e/38/193419.html
Hence the question: is NIS (YP) still in use much anywhere for authentication?
Even without AD one could set up a Kerberos server and NIS database a lot easier than LDAP.
-Ross
Really!?
I dunno, what you just described sounds a lot more complex than setting up an OpenLDAP server, even with replication.