[CentOS] NIS or not?

Tue Jan 28 15:18:29 UTC 2014
m.roth at 5-cent.us <m.roth at 5-cent.us>

Laurent Wandrebeck wrote:
> Matt Garman <matthew.garman at gmail.com> a écrit :
>> On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu <Sorin.Srbu at orgfarm.uu.se>
>> wrote:
>>> The only thing I'm trying to accomplish is a system which will allow me
>>> to keep user accounts and passwords in one place, with one place only to
>>> administrate. NIS seems to be able to do that.
>>>
>>> Comments and insights are much appreciated!
>>
>> A related question: is NIS or LDAP (or something else entirely) better
>> if the machines are not uniform in their login configuration?

At this late date, I'd be really, *REALLY* leery of using NIS. You say
that *most* of your traffic is local, suggesting that some of it is *not*.
And, for that matter, how good are the firewalls keeping other traffic
out?

I'd say no to NIS. Yes, other answers may be more difficult to set up, but
consider the alternatives.
>>
>> That is, we have an ever-growing list of special cases.  UserA can
>> login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
>>  Nobody except UserC can login to server 6.  UserD can login to
>> machines 2--6.  And so on and so forth.

Here you may not realize you're distinguishing between authentication and
authorization.
>>
>> I currently have a custom script with a substantial configuration file
>> for checking that the actual machines are configured as per our
>> intent.  It would be nice if there was a single tool where the
>> configuration and management/auditing could be rolled into one.

We have an in-house written set of scripts that administer relevant
configuration files, including /etc/passwd. It copies the correct version
of that file (among many others) to each host, and a shell of /bin/noLogin
works just fine.
>>
> You’d be fine with IPA which allows you to create such rules.

I'd vaguely heard of IPA, so I just looked it up. *chuckle* You do notice
that it has its own implementation of LDAP and uses Kerberos, right? So it
seems like several folks are recommending LDAP and Kerberos.

I sincerely hope it's easier to set up and administer and upgrade than
native LDAP. In '06, after a discussion with the other admin and manager I
was working with at that job, I volunteered to set up OpenLDAP. Let's just
say that the tools were NOT vaguely ready for prime time, though I did
find that running webmin helped a *lot* to get it working.

But that was nearly 8 years ago....

       mark
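The authentication/authorization distinction and the per-host login rules discussed in this thread, as an added example that is not part of the original message or of any tool named in it: a Python script that keeps the intended access matrix in one place, renders it as pam_access(8) rules (/etc/security/access.conf) for a given host, and audits what is actually on the host against that intent. The user names, host names, policy and sample access.conf contents are constructed for illustration; UserD's range is narrowed to servers 2-5 so that server 6 stays UserC-only, as the thread asks.

```python
"""Central login-authorization policy rendered as pam_access rules and
audited against a host's real /etc/security/access.conf.

Added example for the CentOS-list thread; not code from the thread.
All names, the policy and the sample file contents are constructed."""

from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str, str]  # (permission, users, origins), as in access.conf

# Constructed policy: which accounts may log in to which hosts.
# This is authorization. Whether the person at the keyboard really is
# "usera" (password, Kerberos ticket, ...) is authentication, decided by
# the directory service, not here.
POLICY: Dict[str, Set[str]] = {
    "usera": {"server1", "server2", "server3"},
    "userb": {"server3", "server4", "server5"},
    "userc": {"server6"},
    # narrowed to 2-5 so that server6 stays UserC-only
    "userd": {"server2", "server3", "server4", "server5"},
}

DENY_ALL: Rule = ("-", "ALL", "ALL")


def allowed_users(policy: Dict[str, Set[str]], host: str) -> List[str]:
    """Accounts the central policy permits on one host, sorted."""
    return sorted(user for user, hosts in policy.items() if host in hosts)


def render_access_conf(policy: Dict[str, Set[str]], host: str) -> str:
    """Render pam_access(8) rules for a host: explicit allows, then deny all.

    pam_access stops at the first matching rule, so the deny-all line must
    come last. Without it, every account the directory knows (the whole
    NIS/LDAP user base) can log in: authentication alone is not a policy."""
    lines = ["# generated from central policy for " + host]
    lines += ["+ : %s : ALL" % user for user in allowed_users(policy, host)]
    lines.append(" : ".join(DENY_ALL))
    return "\n".join(lines) + "\n"


def parse_access_conf(text: str) -> List[Rule]:
    """Parse access.conf text into ordered rules, ignoring comments/blanks."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError("malformed access.conf line: %r" % raw)
        rules.append((parts[0], parts[1], parts[2]))
    return rules


def audit_host(policy: Dict[str, Set[str]], host: str, actual_text: str) -> Dict[str, object]:
    """Compare a host's real access.conf with the rendered intent.

    Reports rules present but not intended (stale accounts), intended rules
    that are absent, and whether the file still ends in the deny-all rule."""
    expected = parse_access_conf(render_access_conf(policy, host))
    actual = parse_access_conf(actual_text)
    extra = sorted(set(actual) - set(expected))
    missing = sorted(set(expected) - set(actual))
    default_deny_last = bool(actual) and actual[-1] == DENY_ALL
    return {
        "extra": extra,
        "missing": missing,
        "default_deny_last": default_deny_last,
        "compliant": not extra and not missing and default_deny_last,
    }


# Constructed "actual" file found on server3: userb was never added, a
# departed account was never removed, the default deny is still in place.
SAMPLE_SERVER3 = """\
# /etc/security/access.conf on server3 (constructed sample)
+ : usera : ALL
+ : userd : ALL
+ : olduser : ALL
- : ALL : ALL
"""

# Constructed file with no deny-all line: every directory account logs in.
SAMPLE_OPEN = """\
+ : userc : ALL
"""

if __name__ == "__main__":
    print(render_access_conf(POLICY, "server6"))
    for host, text in (("server3", SAMPLE_SERVER3), ("server6", SAMPLE_OPEN)):
        print(host, audit_host(POLICY, host, text))
```

On a real host the same file is honoured only if pam_access is in the PAM stack (on CentOS, `account required pam_access.so` in the relevant /etc/pam.d service file); the script audits the rule file, not the PAM configuration, so that line needs its own check.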