Re: [CentOS] coordinated NIS and LDAP servers
On Nov 4, 2011, at 2:48 PM, Boris Epstein borepst...@gmail.com wrote:

> Hello listmates,
>
> We are currently running NIS for authentication but would like to migrate to LDAP. Thing is, though, that some of the machines that authenticate via NIS are so old I'd rather not even touch them.
>
> Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?

You could have the NIS maps set up by your capable LDAP clients. Use getent on those boxes and filter out the local accounts, set them up as NIS servers but make sure they don't reference both NIS and LDAP.

In my environment I have my NIS servers use winbind to get AD accounts into NIS as winbind will map Windows UUIDs to UIDs and GIDs. Just customized the map building scripts to use getent and filtered out the local accounts.

If I migrate over to OpenLDAP in the future I merely change this on the NIS servers. I could also merge both AD and OpenLDAP if UIDs and GIDs don't collide.

All authentication is handled by Kerberos, so password management doesn't need to fit in, the only thing that might require extra config is the shell management stuff. I just standardize on bash across the board here.

-Ross

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
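
The map-building step described in the message above (getent output with the local accounts filtered out) and the UID collision condition it mentions for merging two directories, as an added example that is not part of the original post or anyone's actual scripts. `MIN_UID`, the function names and every sample account are assumptions; the password field is blanked on the assumption that Kerberos handles authentication, as the post states.

```shell
# Added example, not from the thread. MIN_UID, the function names and all
# sample accounts below are assumptions / constructed data.
MIN_UID=${MIN_UID:-1000}

# Usage on a directory client: getent passwd | filter_directory_accounts /etc/passwd
# Drops accounts defined in the local file, malformed lines and UIDs below
# MIN_UID, and sets the password field to "*" so no hash is published over NIS.
filter_directory_accounts() {
    awk -F: -v OFS=: -v min="$MIN_UID" -v lf="$1" '
        FILENAME == lf { is_local[$1] = 1; next }   # first operand: local accounts
        NF != 7 || ($1 in is_local) { next }
        $3 !~ /^[0-9]+$/ || $3 + 0 < min + 0 { next }
        { $2 = "*"; print }
    ' "$1" -
}

# Usage: cat map_a map_b | uid_collisions
# Prints "uid:name1,name2" for each UID claimed by more than one login name;
# this output has to be empty before two directories are merged into one map.
uid_collisions() {
    awk -F: '
        seen[$3, $1]++ { next }                     # same user listed twice: not a clash
        { if (n[$3]++) names[$3] = names[$3] "," $1; else names[$3] = $1 }
        END { for (u in n) if (n[u] > 1) print u ":" names[u] }
    ' | sort
}

# Constructed sample data standing in for /etc/passwd and `getent passwd`.
sample_local() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'localadm:x:1001:1001:Local admin:/home/localadm:/bin/bash'
}
sample_getent() {
    sample_local
    printf '%s\n' 'alice:{constructed-hash}:20001:20001:Alice Example:/home/alice:/bin/bash' \
        'svc:x:499:499:Service:/:/sbin/nologin' 'truncated:x:20003' \
        'bob:x:20002:20002:Bob Example:/home/bob:/bin/bash'
}
sample_second_directory() {
    printf '%s\n' 'asmith:*:20001:20001:A Smith:/home/asmith:/bin/bash' \
        'bob:*:20002:20002:Bob Example:/home/bob:/bin/bash'
}
demo() {
    tmp=$(mktemp) || return 1
    sample_local > "$tmp"
    sample_getent | filter_directory_accounts "$tmp"
    rm -f "$tmp"
}
demo
```

The filter matches local accounts by name against the local file rather than by UID range alone, so a local account with a high UID (such as the constructed `localadm`) still stays out of the map.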
Re: [CentOS] coordinated NIS and LDAP servers
On 11/08/11 3:56 PM, Ray Van Dolson wrote:

> > If you are set on using CentOS, I think you will need to use the RedHat IPA product instead. But the only success stories that I am familiar with are from the v1.x IPA product, which is old.
> >
> > http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
>
> I'm surprised FreeIPA isn't in EPEL. Maybe this is because it's a layered product offering by RHEL?

ipa-server is in centos6 'CR' and will be in 6.1.

It's currently 2.0.0, which is a lot more comprehensive than 1.x was. I do note the IPA project is up to 2.1, maybe rpmforge or someone can start rolling these up for us all.

I started reading about FreeIPA last night and am real interested in firing up a test instance in my lab at work, which is an unholy mess of linux (assorted versions), solaris, and a few windows servers.

--
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
Re: [CentOS] coordinated NIS and LDAP servers
On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson jnils...@uci.edu wrote:

> You're welcome! I have used FreeIPA in the past with great success (though not specifically as an NIS data source). So if you do pursue FreeIPA, I highly recommend joining their separate mailing list
>
> freeipa-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> They have a very active development community that will be able to help you get up and running. To get you started, I recommend that you try installing it on a Fedora server, rather than CentOS (people have reported being able to build and install on CentOS 5, but yum install is easier on Fedora).
>
> Good luck!
>
> --
> jonathan

Jonathan,

Did you get this for CentOS? I've got CentOS 5.6. Would you know if there is a repository for that that contains FreeIPA?

Boris.
Re: [CentOS] coordinated NIS and LDAP servers
I have not used FreeIPA on CentOS. As I said previously, I highly recommend using Fedora servers as your FreeIPA servers, because it will install much easier and you should be able to get support from the freeipa-users mailing list.

If you are set on using CentOS, I think you will need to use the RedHat IPA product instead. But the only success stories that I am familiar with are from the v1.x IPA product, which is old.

http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5

--
Jonathan

On Tue, Nov 8, 2011 at 1:52 PM, Boris Epstein borepst...@gmail.com wrote:

> On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson jnils...@uci.edu wrote:
>
> > You're welcome! I have used FreeIPA in the past with great success (though not specifically as an NIS data source). So if you do pursue FreeIPA, I highly recommend joining their separate mailing list
> >
> > freeipa-us...@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> > They have a very active development community that will be able to help you get up and running. To get you started, I recommend that you try installing it on a Fedora server, rather than CentOS (people have reported being able to build and install on CentOS 5, but yum install is easier on Fedora).
> >
> > Good luck!
> >
> > --
> > jonathan
>
> Jonathan,
>
> Did you get this for CentOS? I've got CentOS 5.6. Would you know if there is a repository for that that contains FreeIPA?
>
> Boris.

--
Jonathan.Nilsson at uci dot edu
Social Sciences Computing Services
SSPB 1265 | 949.824.1536
Re: [CentOS] coordinated NIS and LDAP servers
On Tue, Nov 08, 2011 at 03:50:07PM -0800, Jonathan Nilsson wrote:

> I have not used FreeIPA on CentOS. As I said previously, I highly recommend using Fedora servers as your FreeIPA servers, because it will install much easier and you should be able to get support from the freeipa-users mailing list.
>
> If you are set on using CentOS, I think you will need to use the RedHat IPA product instead. But the only success stories that I am familiar with are from the v1.x IPA product, which is old.
>
> http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5

I'm surprised FreeIPA isn't in EPEL. Maybe this is because it's a layered product offering by RHEL?

It's painful to run Fedora as a production server unfortunately with its short lifecycle (at least in Enterprisey environments).

Ray

> --
> Jonathan
>
> On Tue, Nov 8, 2011 at 1:52 PM, Boris Epstein borepst...@gmail.com wrote:
>
> > On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson jnils...@uci.edu wrote:
> >
> > > You're welcome! I have used FreeIPA in the past with great success (though not specifically as an NIS data source). So if you do pursue FreeIPA, I highly recommend joining their separate mailing list
> > >
> > > freeipa-us...@redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > >
> > > They have a very active development community that will be able to help you get up and running. To get you started, I recommend that you try installing it on a Fedora server, rather than CentOS (people have reported being able to build and install on CentOS 5, but yum install is easier on Fedora).
> > >
> > > Good luck!
> > >
> > > --
> > > jonathan
> >
> > Jonathan,
> >
> > Did you get this for CentOS? I've got CentOS 5.6. Would you know if there is a repository for that that contains FreeIPA?
> >
> > Boris.
Re: [CentOS] coordinated NIS and LDAP servers
On Fri, Nov 04, 2011 at 09:11:01PM -0400, Boris Epstein wrote:

> On Fri, Nov 4, 2011 at 6:55 PM, Jonathan Nilsson jnils...@uci.edu wrote:
>
> > > Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?
> >
> > http://freeipa.org/page/NIS_Compatibility
>
> Thank you very much, this sounds like an excellent idea!

If you don't mind paying, PADL may do what you want:
http://www.padl.com/Products/NISLDAPGateway.html

Or fire up a Solaris 10 instance, which may also do what you want.

Both will take an LDAP server and republish as NIS. LDAP is authoritative and all changes must be made there (so you can't make your NIS map from NIS sources and expect the changes to propagate to LDAP).

--
rgds
Stephen
[CentOS] coordinated NIS and LDAP servers
Hello listmates,

We are currently running NIS for authentication but would like to migrate to LDAP. Thing is, though, that some of the machines that authenticate via NIS are so old I'd rather not even touch them.

Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?

Thanks.

Boris.
Re: [CentOS] coordinated NIS and LDAP servers
> Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?

I don't know of any syncing mechanisms between an existing NIS environment and an existing LDAP environment, but if you are willing to migrate to something new that provides both, you might try FreeIPA.

http://freeipa.org/page/NIS_Compatibility

--
Jonathan
Re: [CentOS] coordinated NIS and LDAP servers
On Fri, Nov 4, 2011 at 6:55 PM, Jonathan Nilsson jnils...@uci.edu wrote:

> > Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?
>
> I don't know of any syncing mechanisms between an existing NIS environment and an existing LDAP environment, but if you are willing to migrate to something new that provides both, you might try FreeIPA.
>
> http://freeipa.org/page/NIS_Compatibility
>
> --
> Jonathan

Jonathan,

Thank you very much, this sounds like an excellent idea!

Boris.