[CentOS] coordinated NIS and LDAP servers

Wed Nov 9 23:24:25 UTC 2011
Ross Walker <rswwalker at gmail.com>

On Nov 4, 2011, at 2:48 PM, Boris Epstein <borepstein at gmail.com> wrote:

> Hello listmates,
> We are currently running NIS for authentication but would like to
> migrate to LDAP. Thing is, though, that some of the machines that
> authenticate via NIS are so old I'd rather not even touch them.
> Hence the question - is there a good way to have an NIS server for
> user authentication that is a mirror image of an LDAP server, with a
> proviso that an update introduced there is replicated in the LDAP
> server's databases?

You could have the NIS maps set up by your capable LDAP clients. Use getent on those boxes and filter out the local accounts, set them up as NIS servers, but make sure they don't reference both NIS and LDAP.

In my environment I have my NIS servers use winbind to get AD accounts into NIS as winbind will map Windows UUIDs to UIDs and GIDs. Just customized the map building scripts to use getent and filtered out the local accounts.

If I migrate over to OpenLDAP in the future I merely change this on the NIS servers. I could also merge both AD and OpenLDAP if UIDs and GIDs don't collide.

All authentication is handled by Kerberos, so password management doesn't need to fit in; the only thing that might require extra config is the shell management stuff. I just standardize on bash across the board here.

-Ross
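The map-building approach Ross describes (take getent output on an LDAP client, drop the local accounts, feed the rest to the NIS server) and the caveat that the NIS server must not itself list both nis and ldap in its name service config, as an added example that is not Ross's script or anything from the CentOS project. It assumes POSIX sh and awk, treats any username present in the box's own /etc/passwd or any UID below 1000 as "local" (the threshold is an assumption, not from the post), and uses constructed sample data in place of real getent output and nsswitch.conf.

```shell
#!/bin/sh
# Build an NIS passwd map source from `getent passwd` output, dropping
# local accounts, and sanity-check nsswitch.conf on the NIS server.
# Added example, not the original poster's scripts.

# Constructed sample of what `getent passwd` returns on an LDAP client:
# local accounts from /etc/passwd plus directory accounts.
SAMPLE_GETENT='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
svcacct:x:999:999:local service:/var/lib/svc:/sbin/nologin
alice:x:10001:10001:Alice Example:/home/alice:/bin/bash
bob:x:10002:10002:Bob Example:/home/bob:/bin/zsh'

# Constructed sample of the same box's local /etc/passwd.
SAMPLE_LOCAL='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
svcacct:x:999:999:local service:/var/lib/svc:/sbin/nologin'

# filter_nonlocal LOCAL_PASSWD_CONTENT  (reads getent output on stdin)
# Emits only entries whose username is absent from the local passwd file
# and whose UID is >= 1000 (assumed system-account cutoff). The login
# shell is normalized to /bin/bash, mirroring "standardize on bash".
filter_nonlocal() {
    awk -F: -v local="$1" '
        BEGIN {
            OFS = ":"
            n = split(local, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[1] != "") islocal[f[1]] = 1
            }
        }
        NF >= 7 && !($1 in islocal) && $3 >= 1000 {
            $7 = "/bin/bash"
            print
        }'
}

# build_nis_passwd: run the filter over the constructed sample. On a real
# client this would be `getent passwd | filter_nonlocal "$(cat /etc/passwd)"`
# with the result written to the NIS source file (e.g. the ypserv passwd
# source) before `make -C /var/yp`.
build_nis_passwd() {
    printf '%s\n' "$SAMPLE_GETENT" | filter_nonlocal "$SAMPLE_LOCAL"
}

# check_nsswitch NSSWITCH_CONTENT
# Returns non-zero if passwd, group or shadow lists nis together with ldap,
# the double-reference the post warns against on the NIS server itself.
check_nsswitch() {
    printf '%s\n' "$1" | awk '
        /^(passwd|group|shadow):/ && /nis/ && /ldap/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone usage: print the map source and check a sample nsswitch.conf.
build_nis_passwd
if check_nsswitch 'passwd: files ldap
group: files ldap'; then
    echo "nsswitch.conf OK: no nis+ldap double reference"
fi
```

Because the map is regenerated from the directory on every run, an account added or removed in LDAP shows up on the old NIS-only hosts at the next map build, which is the one-way mirror the question asks about; changes made on the NIS side are not pushed back.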