> > I also suggest you use ANYTHING but NIS. NIS+ and LDAP are infinitely
> > better when it comes to the security aspects of name service.
>
> From a security perspective, I'll grant you that NIS is horrible, but
> from a management perspective, NIS+ and LDAP appear to be a lot worse.
> That, and AFAIK, there is no NIS+ implementation for Linux.
> Besides, why would you *want* to use something which the developers
> themselves (Sun) have all but abandoned and don't use?

For Linux NIS+, see:
http://www.ibiblio.org/mdw/HOWTO/NIS-HOWTO/x332.html#AEN334

For NIS fans, NIS+ is an easy next step, from which you gain a great deal of security. Since host authenticity is based on knowledge of a DES (or 3DES) key, and not an IP address, spoofing is much more difficult (if not impossible). I'd only feel comfortable using NIS if it were used in conjunction with Kerberos. Keep the passwords in Kerberos, and the rest in NIS.

True, Sun (and Microsoft, it seems, with ADS) is moving to LDAP. It provides ultimate flexibility, and provides name service for many different types of applications. For example, I've used the same LDAP database for distributing /etc/passwd (posixAccount schema) information, mail forwarding (aliases with Sendmail-LDAP), and general directory information (such as office, phone number, etc).

> As far as LDAP? I keep hearing that it's the next best thing, but
> there don't seem to be many tools for using it in a large scale
> enterprise environment. There are some out there, but it seems that
> they're slow in coming. And man is that record format overly verbose
> and tedious to deal with!

Well, the concepts are a bit harder to understand than those of NIS/NIS+. As for the record format, just include the relevant schemas. I admit, it's overkill for a small organization, but it can provide the needed structure for larger organizations.

> Nah, even for all its insecurities, I like NIS. It's easy to deal
> with and simple to manage. And if you really need the security, then
> just use something like rdist or rsync to push around the
> passwd/shadow maps. If you're in an all Linux/Unix environment, it's
> trivial to create a sysVinit script that pulls down the most recent
> files at boot time.

Hmm... /etc/passwd and /etc/shadow floating around the network. That makes me a little nervous.

In my opinion, for the most flexibility and compatibility, a combination of Kerberos 5 and LDAP works best. In fact, since Microsoft's ADS provides both those interfaces, one could have a single account for all users that supports both Windows and UNIX environments.

-- 
t. charles clancy <> [EMAIL PROTECTED] <> www.uiuc.edu/~tclancy
coordinated science laboratory <> university of illinois
cryptography and information protection
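The "passwords in Kerberos, everything else in the directory" split described in the reply above, as an added example that is not part of the thread: a small converter that turns passwd(5) lines into RFC 2307 posixAccount LDIF entries and deliberately emits no userPassword attribute, so the hash material that would otherwise be pushed around with rsync never enters the directory. The base DN and the sample passwd lines are constructed for illustration.

```python
# Added example, not from the mailing-list thread. Converts /etc/passwd
# records into posixAccount LDIF for an LDAP name service while leaving
# authentication data out entirely (that stays in the Kerberos KDC).

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/tcsh
"""  # constructed sample input

BASE_DN = "ou=People,dc=example,dc=com"  # assumed base DN


def parse_passwd(text):
    """Parse passwd(5) lines into dicts. The password field is discarded."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        users.append({"uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
                      "gecos": gecos, "homeDirectory": home, "loginShell": shell})
    return users


def to_ldif(user, base_dn=BASE_DN):
    """Emit one posixAccount entry (RFC 2307); no userPassword on purpose."""
    lines = [
        "dn: uid=%s,%s" % (user["uid"], base_dn),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "cn: %s" % (user["gecos"] or user["uid"]),
        "uid: %s" % user["uid"],
        "uidNumber: %d" % user["uidNumber"],
        "gidNumber: %d" % user["gidNumber"],
        "homeDirectory: %s" % user["homeDirectory"],
        "loginShell: %s" % user["loginShell"],
    ]
    if user["gecos"]:
        lines.append("gecos: %s" % user["gecos"])
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text, base_dn=BASE_DN):
    """Whole file to LDIF; guard that no password attribute slipped in."""
    ldif = "\n".join(to_ldif(u, base_dn) for u in parse_passwd(text))
    assert "userPassword" not in ldif  # hashes never leave the KDC
    return ldif


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD))
```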