[CentOS] NIS or not?

Tue Jan 28 17:38:03 UTC 2014
Matt Garman <matthew.garman at gmail.com>

On Tue, Jan 28, 2014 at 9:18 AM,  <m.roth at 5-cent.us> wrote:
> At this late date, I'd be really, *REALLY* leery of using NIS. You say
> that *most* of your traffic is local, suggesting that some of it is *not*.
> And, for that matter, how good are the firewalls keeping other traffic
> out?
>
> I'd say no to NIS. Yes, other answers may be more difficult to set up, but
> consider the alternatives.
>>>
>>> That is, we have an ever-growing list of special cases.  UserA can
>>> login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
>>>  Nobody except UserC can login to server 6.  UserD can login to
>>> machines 2--6.  And so on and so forth.
>
> Here you may not realize you're distinguishing between authentication and
> authorization.

Yeah, I forgot to mention that we already have Kerberos in place for
authentication.  It's authorization that is currently done by hand and
checked with a manual script.  (I needed that for the secure mount
options NFSv4 provides.)

> I sincerely hope it's easier to set up and administer and upgrade than
> native LDAP. In '06, after a discussion with the other admin and manager I
> was working with at that job, I volunteered to set up openLDAP. Let's just
> say that the tools were NOT vaguely ready for prime time, though I did
> find that running webmin helped a *lot* to get it working.

I know you can find a horror story for any piece of software on the
Internet, but my impression is that LDAP has an unusually high number
of scary-sounding anecdotes.  I know random Internet blogs and forum
posts aren't really authoritative, but they do give me a little
trepidation regarding LDAP.

> We have an in-house written set of scripts that administer relevant
> configuration files, including /etc/passwd. It copies the correct version
> of that file (among many others) to each host, and shell of /bin/noLogin
> works just fine.

Why set the shell to /bin/noLogin, rather than simply not create that
user's /etc/passwd entry?

I don't have /bin/noLogin on any of my systems - I assume you
deliberately specified a non-existent program for the shell?  What's
the difference between setting the user's shell to a bogus program
versus something like /bin/false?
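The two practical points in this message, per-host authorization kept as a list of special cases and the choice of login shell for users who must not log in, can be shown in a short script. What follows is an added example written for this page; it is not code from the thread or from any of its posters. The user and host names mirror the list in the message and are constructed sample data; the passwd lines are constructed too. It generates pam_access(8) access.conf fragments (format is the real one, "permission : users : origins", from access.conf(5); the root entry is my assumption so local admin logins are not locked out), classifies a passwd shell field as a real login shell, a conventional no-login shell, or a nonexistent program such as /bin/noLogin, and flags users who have a usable shell on a host they are not authorized for.

```python
"""Added example (not from the mailing-list thread): per-host authorization
matrix -> pam_access access.conf fragments, plus a passwd shell audit.
Names, hosts and passwd lines below are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring the message's "special cases":
# UserA on 1-3, UserB on 3-5, UserC on 6, UserD on 2-6.
ACCESS_MATRIX: Dict[str, Set[str]] = {
    "usera": {"server1", "server2", "server3"},
    "userb": {"server3", "server4", "server5"},
    "userc": {"server6"},
    "userd": {"server2", "server3", "server4", "server5", "server6"},
}

# Shells conventionally used to refuse interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed /etc/passwd sample; /bin/noLogin is deliberately not installed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
usera:x:1001:1001::/home/usera:/bin/bash
userb:x:1002:1002::/home/userb:/bin/bash
userc:x:1003:1003::/home/userc:/bin/noLogin
svc:x:900:900:service account:/var/svc:/sbin/nologin
"""
# What exists on the sample host and what /etc/shells lists (constructed).
SAMPLE_EXISTING = {"/bin/bash", "/bin/false", "/sbin/nologin"}
SAMPLE_LOGIN_SHELLS = {"/bin/bash"}


def users_per_host(matrix: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert user->hosts into host->users."""
    by_host: Dict[str, Set[str]] = defaultdict(set)
    for user, hosts in matrix.items():
        for host in hosts:
            by_host[host].add(user)
    return dict(by_host)


def access_conf(host: str, matrix: Dict[str, Set[str]],
                always: Tuple[str, ...] = ("root",)) -> List[str]:
    """access.conf lines for one host: allow the listed users from any
    origin, deny everyone else.  'always' (root by assumption) keeps a
    console admin login working; adjust origins (LOCAL, subnets) to taste."""
    allowed = sorted(users_per_host(matrix).get(host, set()) | set(always))
    return [f"# generated for {host}",
            f"+ : {' '.join(allowed)} : ALL",
            "- : ALL : ALL"]


def classify_shell(shell: str, existing: Set[str],
                   login_shells: Set[str]) -> str:
    """'nologin' for /bin/false-style shells, 'missing' when the program is
    not installed (exec of the shell will simply fail at login), 'login'
    when it is listed in /etc/shells, otherwise 'other'.
    'existing' is passed in so the function is testable; on a real host
    build it with os.path.exists()."""
    if shell in NOLOGIN_SHELLS:
        return "nologin"
    if shell not in existing:
        return "missing"
    if shell in login_shells:
        return "login"
    return "other"


def audit_passwd(passwd_text: str, host: str, matrix: Dict[str, Set[str]],
                 existing: Set[str], login_shells: Set[str]
                 ) -> List[Tuple[str, str]]:
    """Users that hold a real login shell on 'host' without being in the
    matrix for it (root excluded).  This is the check that a hand-copied
    passwd file scheme needs after every change."""
    allowed = users_per_host(matrix).get(host, set())
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:          # skip blank/malformed lines
            continue
        name, shell = fields[0], fields[6]
        if name == "root":
            continue
        if (classify_shell(shell, existing, login_shells) == "login"
                and name not in allowed):
            findings.append((name, shell))
    return findings


if __name__ == "__main__":
    print("\n".join(access_conf("server6", ACCESS_MATRIX)))
    print(audit_passwd(SAMPLE_PASSWD, "server1", ACCESS_MATRIX,
                       SAMPLE_EXISTING, SAMPLE_LOGIN_SHELLS))
```

Note that the generator reproduces whatever the matrix says, so with the message's own list server6 ends up allowing both userc and userd; the contradiction in the original list is exactly the kind of thing that is hard to spot by hand and easy to spot once the rules are data. The audit treats a missing shell and /bin/false alike (neither is a login shell), which is also how tools that consult /etc/shells see them.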