[CentOS] Seeking advice about auth/home serving

Ross Walker rswwalker at gmail.com
Thu Oct 16 14:22:41 UTC 2008


On Wed, Oct 15, 2008 at 11:08 PM, MHR <mhullrich at gmail.com> wrote:
> On Wed, Oct 15, 2008 at 7:13 PM, Ross Walker <rswwalker at gmail.com> wrote:
>>
>> Sigh...
>>
>> I resist top posting and trim and thread my replies, stay on topic, am
>> polite, all while tapping out on my iPhone display.
>>
>> But that ain't enough no, now I have to watch my run on sentences!
>>
>> Sheesh, from now on MHR, your name will be Grumpy.
>>
>> So Grumps, if my answers bring up more questions then why not just ask for
>> clarification rather than get all over my poor punctuation?
>>
>
> Oh, such ammunition!  >:^)
>
> That's what you get for using an iPhone!
>
> No, wait, that's cruel.
>
> Ross, you're better than that!
>
> Hmm, that doesn't really say it, either.
>
> Y'know, I can't really think up a good comeback.  Grump, grump, grump....
>
> Wait!  I know:
>
> So, what did that sentence really mean?

Basically, in a nutshell what I was trying to get across is:

1) Keep passwords in local passwd files or Kerberos; using NIS or LDAP for
passwords is generally not a good idea as there are too many ways these can be
compromised. I realize one can hack Heimdal Kerberos and OpenLDAP to work
together, keeping Kerberos information in LDAP like Active Directory does, but
it is a complex unsupported hack that is sure to break at some point if either
side is upgraded. If that's what you want, go out and buy an Active Directory
server and integrate it into your Linux environment.

2) Use of LDAP for most small environments is overkill. NIS for auto-mount maps
and account information (passwords stripped) is more than adequate here, but
as the organization grows you may find NIS harder to manage than LDAP, so at
that time I would migrate from NIS to LDAP. Of course there may be other reasons
to use LDAP over NIS, such as third party application support where third party
application configuration information is distributed through LDAP. Of course
your choice will be based on your requirements, independent of what anybody
like myself says.

I hope that helps clarify things.


-Ross
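Added example, not part of Ross's post or of any ypserv code: the "passwords stripped" condition in point 2 is the part that is easy to get wrong, because the ypserv `/var/yp/Makefile` has a `MERGE_PASSWD` knob that, when true, copies the crypt(3) hashes from /etc/shadow into the passwd map that every NIS client can read with `ypcat passwd`. The script below emulates both settings on constructed passwd/shadow content (the hashes are placeholders of the right shape only) and audits the resulting map for leaked hashes; `audit_ypcat_output` applies the same check to the text of a real `ypcat passwd` run. The `min_uid`/`max_uid` cut-off mirrors the Makefile's MINUID/MAXUID idea and is an assumption for illustration.

```python
"""Emulate the NIS passwd map build with and without hash merging, and audit
a map (or `ypcat passwd` output) for leaked password hashes.

Added example for the "NIS with passwords stripped" point; it is not code
from the CentOS list post or from ypserv.
"""
import re

# Constructed sample input (not from any real host); hash strings are
# placeholders with the shape of crypt(3) output only.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
svc:x:1003:1003:Locked service acct:/home/svc:/sbin/nologin
"""

SAMPLE_SHADOW = """root:$6$rootsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ:14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
alice:$6$salt1$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL:14000:0:99999:7:::
bob:$1$salt2$abcdefghijklmnopqrstuv:14000:0:99999:7:::
svc:!$6$salt3$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL:14000:0:99999:7:::
"""

# Modular crypt format ($1$, $5$, $6$, $2a$, $y$ ...) and traditional 13-char DES.
_MODULAR = re.compile(r"^\$[0-9a-zA-Z]{1,3}\$")
_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def is_hash(field):
    """True if a password field carries a real crypt(3) hash.

    A locked account ('!' prefix) still exposes the hash, so it counts;
    'x', '*', '!!' and empty fields do not.
    """
    f = field.lstrip("!")
    return bool(_MODULAR.match(f) or _DES.match(f))


def parse_colon_file(text):
    """Parse passwd/shadow-style text into {name: [fields]}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def build_passwd_map(passwd_text, shadow_text, merge_passwd=False,
                     min_uid=1000, max_uid=60000):
    """Emulate building the NIS passwd map from passwd + shadow.

    merge_passwd=False keeps the password field as 'x' (hashes stay local).
    merge_passwd=True emulates MERGE_PASSWD=true, which pulls each hash out
    of shadow into the world-readable map. UIDs outside [min_uid, max_uid]
    are left out, as the Makefile's MINUID/MAXUID filtering does (assumed).
    """
    shadow = parse_colon_file(shadow_text)
    nis_map = {}
    for name, fields in parse_colon_file(passwd_text).items():
        uid = int(fields[2])
        if not (min_uid <= uid <= max_uid):
            continue
        entry = list(fields)
        entry[1] = shadow[name][1] if (merge_passwd and name in shadow) else "x"
        nis_map[name] = ":".join(entry)
    return nis_map


def leaked_hashes(nis_map):
    """Return the sorted user names whose map entry exposes a crypt hash."""
    return sorted(name for name, line in nis_map.items()
                  if is_hash(line.split(":")[1]))


def audit_ypcat_output(text):
    """Run the same audit over the text of `ypcat passwd` from a client."""
    entries = {line.split(":")[0]: line
               for line in text.splitlines() if line.strip()}
    return leaked_hashes(entries)


if __name__ == "__main__":
    safe = build_passwd_map(SAMPLE_PASSWD, SAMPLE_SHADOW)
    merged = build_passwd_map(SAMPLE_PASSWD, SAMPLE_SHADOW, merge_passwd=True)
    print("stripped map leaks:", leaked_hashes(safe))
    print("merged map leaks:  ", leaked_hashes(merged))
```

On a live NIS client the same check is `ypcat passwd | python3 -c 'import sys; from thisfile import audit_ypcat_output; print(audit_ypcat_output(sys.stdin.read()))'`; any name it prints means the server is handing out hashes to every host that can bind to the domain, which is the failure mode the post warns about.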


