[CentOS] How insecure is NIS ? Possible alternatives ?

Mon Mar 26 13:13:28 UTC 2018
Leroy Tennison <leroy at datavoiceint.com>

I also looked into FreeIPA and the complexity is significant. At the time, FreeIPA's DNS integration seemed to rely on a Fedora patch and I wasn't willing to introduce that into a production environment. Does anyone know if this has changed? Also, concerning alternatives, does anyone have experience with Shibboleth or OmniAuth?

-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Leon Fauster
Sent: Monday, March 26, 2018 6:41 AM
To: CentOS mailing list <centos at centos.org>
Subject: [EXTERNAL] Re: [CentOS] How insecure is NIS ? Possible alternatives ?


> On 26.03.2018 at 11:59, Nicolas Kovacs <info at microlinux.fr> wrote:
> 
> On 26/03/2018 at 10:28, isdtor wrote:
>> In my opinion, there is a serious gap in this area. It's either NIS, 
>> simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management 
>> server at a complexity at least one order of magnitude beyond NIS.
> 
> I gave FreeIPA a spin a while back. I installed it on a sandbox 
> server, and from what I recall, it pulled in a tsunami of 
> dependencies, and first thing it wanted to replace my Dnsmasq with 
> BIND... so I didn't look much further.

Quite some time ago we had a stripped setup here working only with OpenLDAP and PAM modules. LDAP with replication for redundancy, centralized communication with local CA and over TLS. It worked very well. The successor of such a setup is SSSD for EL7, but the above should still be a feasible solution.

--
LF



