[CentOS] Odd issue with C6 and NIS

John Hodrien

J.H.Hodrien at leeds.ac.uk
Thu Oct 6 20:14:35 UTC 2011


On Thu, 6 Oct 2011, Steve Rikli wrote:

> In article <alpine.LRH.2.00.1110060937180.9689 at pfcpm187.yrrqf.np.hx>, John Hodrien  <centos at centos.org> wrote:
>> On Wed, 5 Oct 2011, Steve Rikli wrote:
>>
>>> ...
>>> I'll also readily agree I wouldn't want NIS on internet-facing systems,
>>> but for things like automount maps on the internal corporate LAN, is
>>> it really a catastrophic problem?
>>
>> The problem you get is when you compare it with LDAP.
>
> Compare in what way?  What characteristics are you contrasting?  I'm
> genuinely trying to understand the problem you're talking about for
> the case I've presented, and pro-con from someone who has done both
> would be appreciated.

I'm not saying NIS is catastrophically bad for an internal system that you
consider to be 'safe', it just comes from a time when security wasn't high up
the list of worries.  Other than it being easy as cake to set up in the first
place, I think it's hard to list *any* honest advantages over LDAP.  Sorry, I
don't consider performance to be a credible advantage, especially after
nscd/sssd have had their way with caching results.

A good LDAP setup with nested groups, and GSSAPI just beats NIS over the head
with a stick in terms of security, and once you've got a good LDAP
infrastructure you start to discover just how many tools offer some form of
LDAP integration.  Extending the schema to suit internal uses is also easy,
and querying it from within your own apps/scripts is far from difficult.

jh


