[CentOS] Odd issue with C6 and NIS

Thu Oct 6 20:39:29 UTC 2011
Stephen Harris <lists at spuddy.org>

On Thu, Oct 06, 2011 at 09:14:35PM +0100, John Hodrien wrote:
> place, I think it's hard to list *any* honest advantages over LDAP.  Sorry, I
> don't consider performance to be a credible advantage, especially after
> nscd/sssd have had their way with caching results.

Then you've never seen Veritas Cluster Services fall over 'cos of the amount
of time it takes to do initgroups() stuff (VCS loves to su to oracle to verify
the DB is up; the su takes too long 'cos this is a complete scan of the group
map and nscd don't help, here; DB failover occurs).

You've never seen unexpected DoS attacks 'cos of "netstat -a" 'cos of all
the temporary ports 'cos nscd doesn't cache serv-by-port values when each
request is a new port number.

You've never seen...

Oh, never mind.

LDAP (being TCP connection oriented) is a world of hurt when it comes
to stability and performance in any large environment.  NIS, being UDP,
allows you to just "run".  (By large, I'm talking 30,000 client machines
on 5 continents).

That said:

> A good LDAP setup with nested groups, and GSSAPI just beats NIS over the head
> with a stick in terms of security, and once you've got a good LDAP

This is true.  NIS security is awful.  Which is why we use LDAP :-)