[CentOS] NIS failover
Stephen Harris
lists at spuddy.org
Thu Dec 17 19:58:11 UTC 2009

On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.roth at 5-cent.us wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

NIS+ is a dead product. Even Sun gave up pushing it. (Funny; in 1995 the
Solaris training courses barely mentioned NIS and had 2 or 3 chapters on
NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+
at all, and had 2 or 3 chapters on LDAP). Don't migrate to NIS+.

> directory server (which I've never worked with), or openLDAP (which is,
> IMO, NOT ready for prime time, but is built for security).

The problem with LDAP is that it's a lot slower than NIS, and nscd
is essential in order to get even minimally adequate performance.
Unfortunately. I say "unfortunately" because in many respects LDAP is
superior to NIS (especially with respect to security). Just not needing
crypt strings is a big win. I use it at work, but very carefully :-)

NIS is insecure, but it has a massive advantage of being fast and
(normally) "just works". Evaluate the security in your environment and
determine if the risk is acceptable.

--
rgds
Stephen