Hello listmates, We are currently running NIS for authentication but would like to migrate to LDAP. Thing is, though, that some of the machines that authenticate via NIS are so old I'd rather not even touch them. Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases? Thanks. Boris.
> Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?
I don't know of any "syncing" mechanisms between an existing NIS environment and an existing LDAP environment, but if you are willing to migrate to something new that provides both, you might try FreeIPA.
http://freeipa.org/page/NIS_Compatibility
-- Jonathan
On Fri, Nov 4, 2011 at 6:55 PM, Jonathan Nilsson jnilsson@uci.edu wrote:
> > Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?
> I don't know of any "syncing" mechanisms between an existing NIS environment and an existing LDAP environment, but if you are willing to migrate to something new that provides both, you might try FreeIPA.
> http://freeipa.org/page/NIS_Compatibility
> -- Jonathan
Jonathan,
Thank you very much, this sounds like an excellent idea!
Boris.
On Fri, Nov 04, 2011 at 09:11:01PM -0400, Boris Epstein wrote:
> On Fri, Nov 4, 2011 at 6:55 PM, Jonathan Nilsson jnilsson@uci.edu wrote:
> > Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?
> Thank you very much, this sounds like an excellent idea!
If you don't mind paying, PADL may do what you want: http://www.padl.com/Products/NISLDAPGateway.html
Or fire up a Solaris 10 instance, which may also do what you want.
Both will take an LDAP server and "republish" it as NIS. LDAP is authoritative and all changes must be made there (so you can't make your NIS map from NIS sources and expect the changes to propagate to LDAP).
On Nov 4, 2011, at 2:48 PM, Boris Epstein borepstein@gmail.com wrote:
> Hello listmates, We are currently running NIS for authentication but would like to migrate to LDAP. Thing is, though, that some of the machines that authenticate via NIS are so old I'd rather not even touch them. Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?
You could have the NIS maps set up by your capable LDAP clients. Use getent on those boxes and filter out the local accounts; set them up as NIS servers, but make sure they don't reference both NIS and LDAP.
In my environment I have my NIS servers use winbind to get AD accounts into NIS, as winbind will map Windows UUIDs to UIDs and GIDs. I just customized the map-building scripts to use getent and filtered out the local accounts.
If I migrate over to OpenLDAP in the future I merely change this on the NIS servers. I could also merge both AD and OpenLDAP if UIDs and GIDs don't collide.
All authentication is handled by Kerberos, so password management doesn't need to fit in, the only thing that might require extra config is the shell management stuff. I just standardize on bash across the board here.
-Ross
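The map-building step Ross describes (getent on an LDAP/winbind-capable host, local accounts filtered out, result fed to ypserv), as an added example; this is not Ross's script and not ypserv's own code. The function names filter_nonlocal, build_nis_sources and demo, the constructed sample entries, and the assumption that the stock /var/yp/Makefile takes its passwd/group source directory from the YPPWDDIR variable are all mine. Two practitioner points are built in: the host that builds the maps must resolve through ldap/winbind and not through nis, otherwise getent feeds the NIS maps back into themselves (Ross's "don't reference both"); and because Kerberos handles authentication, the password field coming out of getent is a placeholder, so no hashes end up in the map that NIS serves to every client on the network.

```sh
#!/bin/sh
# Added example, not Ross's own scripts: build NIS passwd/group map sources
# on an LDAP/winbind-capable host from what the resolver returns, dropping
# accounts that are local to that host. Assumes ypserv's standard
# /var/yp/Makefile, whose YPPWDDIR variable points at the passwd/group
# source directory (assumption; check your Makefile).

# filter_nonlocal LOCALFILE [MINID]
#   Reads passwd- or group-format lines on stdin and prints only those
#   whose name is absent from LOCALFILE (e.g. /etc/passwd or /etc/group)
#   and whose numeric id (field 3: uid, or gid for group) is >= MINID.
filter_nonlocal() {
    local_file=$1
    min_id=${2:-1000}
    awk -F: -v min="$min_id" -v lf="$local_file" '
        FILENAME == lf { local_name[$1] = 1; next }    # first pass: local entries
        !($1 in local_name) && ($3 + 0) >= min { print }
    ' "$local_file" -
}

# build_nis_sources DIR
#   Writes DIR/passwd and DIR/group from the resolver (getent), then
#   rebuilds the maps. Run on a host whose nsswitch.conf resolves via
#   ldap/winbind and NOT via nis, or getent feeds the NIS maps back in.
build_nis_sources() {
    ypdir=$1
    mkdir -p "$ypdir"
    getent passwd | filter_nonlocal /etc/passwd 1000 > "$ypdir/passwd"
    getent group  | filter_nonlocal /etc/group  1000 > "$ypdir/group"
    make -C /var/yp YPPWDDIR="$ypdir"
}

# Constructed sample data for an offline run (not real accounts). With
# Kerberos doing authentication the password field is "*", so no hashes
# ever land in the map.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
nisadmin:x:1001:1001::/home/nisadmin:/bin/bash'
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
nisadmin:x:1001:1001::/home/nisadmin:/bin/bash
alice:*:10001:10001:Alice (AD):/home/alice:/bin/bash
bob:*:10002:10001:Bob (AD):/home/bob:/bin/bash'

# demo: filter the constructed sample; only alice and bob should survive,
# since root and nisadmin are local to the map-building host.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOCAL" > "$tmp"
    printf '%s\n' "$SAMPLE_GETENT" | filter_nonlocal "$tmp" 1000
    rm -f "$tmp"
}

case "${1:-}" in
    demo)  demo ;;
    build) build_nis_sources "${2:-/var/yp/src}" ;;
esac
```

Run `sh nismaps.sh demo` to see the filter on the constructed data, and `sh nismaps.sh build /var/yp/src` on the actual map host. The name-based exclusion, rather than a UID cutoff alone, is what keeps a local account that happens to share a UID range with directory users (nisadmin at 1001 above) from being republished to every NIS client.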