[CentOS] Replace NIS by Active Directory

Fri Mar 18 15:07:30 UTC 2011
Nico Kadel-Garcia <nkadel at gmail.com>

On Fri, Mar 18, 2011 at 10:42 AM, John Hodrien <J.H.Hodrien at leeds.ac.uk> wrote:
> On Fri, 18 Mar 2011, Nico Kadel-Garcia wrote:
>
>> It can otherwise be done manually, but the data entry time wasted for
>> your engineers well justifies the price of a Centrify license or two.
>
> What do you mean by manually?  Can't this all be done with ypcat, ldapmodify
> and a shell script?  After which, you are entirely liberated from NIS.
>
> jh

In theory, yes. In practice........ I've done that. Getting the buy-in
from the Active Directory owners to manually run ldapmodify against
their hosts can be politically painful. The nice GUI from Centrify,
that has the NIS import facility, does a pretty good job, and can be
very helpful to remind you that mixed case groups and usernames are
problematic, that some systems don't deal well with non-alphanumeric
characters such as '_' or '-', that the default maximum group or
username is 8 characters, that there's a maximum number of characters
in an NIS or POSIX compatible line such as a group membership list and
they need to be split up to multiple entries with the same gid, etc.,
etc., etc.

It gets very expensive in engineering time, very fast, especially if
people have been "clever" and already created correspondence between
AD groups and NIS groups or users of various sorts, but weren't
consistent about their naming schemes.
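The naming checks listed in the message above can be run over the NIS maps before any import is attempted. The following is an added example, not part of the original post and not Centrify's code: the function names and sample data are constructed, the 1024-character line limit is an assumed value (the post gives no figure), and the case-collision check is an extra on top of the post's list.

```python
import re

MAX_NAME = 8      # default maximum name length cited in the post
MAX_LINE = 1024   # assumed line limit; the post names no figure

def check_name(name, max_name=MAX_NAME):
    """Return the problems from the post that apply to one name."""
    problems = []
    if name != name.lower():
        problems.append("mixed case")
    if not re.fullmatch(r"[A-Za-z0-9]+", name):
        problems.append("non-alphanumeric character")
    if len(name) > max_name:
        problems.append("name too long")
    return problems

def audit(passwd_text, group_text, max_name=MAX_NAME, max_line=MAX_LINE):
    """Audit passwd- and group-format text; return (kind, name, problem) tuples."""
    findings = []
    for kind, text in (("user", passwd_text), ("group", group_text)):
        folded = {}  # lower-cased name -> first spelling seen
        for line in filter(str.strip, text.splitlines()):
            name = line.split(":", 1)[0]
            findings += [(kind, name, p) for p in check_name(name, max_name)]
            # Names that differ only by case would collide in a
            # case-insensitive directory.
            first = folded.setdefault(name.lower(), name)
            if first != name:
                findings.append((kind, name, f"differs only by case from {first}"))
            if kind == "group" and len(line) > max_line:
                findings.append((kind, name, "line too long, split across entries with same gid"))
    return findings

# Constructed sample data in the format `ypcat passwd` / `ypcat group` print.
SAMPLE_PASSWD = """\
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash
JSmith:x:1002:100:Jane Smith:/home/JSmith:/bin/bash
build_bot:x:1003:100::/home/build_bot:/bin/sh
"""
SAMPLE_GROUP = ("staff:x:100:jsmith\n"
                "Dev-Ops:x:200:jsmith,build_bot\n"
                "everyone:x:300:" + ",".join(f"u{i:05d}" for i in range(200)) + "\n")

if __name__ == "__main__":
    for kind, name, problem in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{kind:5} {name:10} {problem}")
```

On real data, pass the saved output of `ypcat passwd` and `ypcat group` to `audit()` in place of the sample strings.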