Call me crazy, but I do all of what you've described below as follows: NIS Master in US. NIS Slaves scattered about the world. (No LDAP.) (No AD, although it might be a possibility.)

WAN goes down, nobody cares. (Well, all the systems stay up and usable.) No separation of which-password-where. Create a user here, it appears everywhere. The only problem I've ever had was: one time, one NIS slave got out of sync with the server, so I had to re-ypinit the slave, and that was the end of that. This is for a multinational company, but only for about 50 users within that company. Up for about 18 months now.

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of John Stoffel
> Sent: Friday, January 02, 2009 1:24 PM
> To: Christophe Kalt
> Cc: LOPSA Technical Discussions
> Subject: Re: [lopsa-tech] AD integration with Unix
>
> This has been a great discussion about Unix/AD integration, esp the part where the Unix and AD admins need to coordinate well. I've got a related, but different issue.
>
> We have distributed engineering sites, and each site has its own NIS domain, so that if/when the WAN links go down, they can continue to work.
>
> I spent a bunch of time cleaning up the various UIDs, usernames, GIDs, groupnames, etc. to bring them more closely in sync. But now I'd like to really bind them all into one LDAP domain, possibly with NIS slaves at each site.
>
> We support RHEL3, RHEL4, some RHEL5, Solaris 8, 9 & 10 (very little any more) and some ancient RH7.3 boxes. Most boxes are compute cluster boxes and they only allow login access via LSF (moving to rtda.com's NC) to our users.
>
> I'd like to have it so that all usernames/passwords are synced between sites, and that I can create new user accounts from one master and have it go to all the others. Yes, I could do some hackery and copy data from the master NIS domain to the sub-domains, but it just sucks to manage. And when a user changes their password in a remote NIS domain, I then need to push that change back to the master. Blech.
>
> So to me, it looks like LDAP, with multiple slaves and possibly even NIS slaves binding to LDAP, is the way to go. Esp if I can be tolerant of WAN failures.
>
> I just don't want to have to support LDAP on Solaris 8 if I can avoid it, though I guess it could be ok. Esp if we can easily tweak and restrict access in various ways.
>
> Should I look at the Padl.com stuff again? I looked at it a while ago, but they wanted a lot of money at the time. Maybe it's changed... goes and looks.
>
> Hmm... looks like I can/should use either the nss_ldap, or the pam_ldap modules. Anyone have comments on using these on Solaris 8-10 systems? Any issues?
>
> Thanks,
> John
>
>
> _______________________________________________
> Tech mailing list
> [email protected]
> http://lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
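The "one slave got out of sync, re-ypinit it" situation in the reply above, as an added example that is not from either message in the thread: a small POSIX shell check that compares the map order numbers a master and a slave report through yppoll (the order number is the timestamp of the map build), so a stale slave is caught before a user notices a login that works at one site and fails at another. The host and domain names are hypothetical, and the yppoll output used for the offline test is constructed to match the "Map X has order number N." line yppoll prints.

```shell
#!/bin/sh
# Added example, not code from the LOPSA thread. Detects an NIS slave whose
# maps lag the master by comparing yppoll order numbers.
#
# The real query is:   yppoll -h <host> -d <domain> <map>
# and its output contains a line of the form (constructed sample):
#   Map passwd.byname has order number 1230768000. Fri Jan  2 12:00:00 2009

NIS_MASTER="nismaster.example.com"   # hypothetical master host name
NIS_DOMAIN="corp"                    # hypothetical NIS domain name

# Print the order number found in yppoll-style output, or nothing if the
# text carries none (host down, unknown map, wrong domain).
nis_map_order() {
    printf '%s\n' "$1" |
        sed -n 's/.*has order number \([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Compare a master's and a slave's yppoll output for one map.
# Returns 0 when the slave is current, 1 when it is stale, 2 when either
# side produced no order number (treat 2 as "cannot tell", not "fine").
nis_slave_current() {
    master_order=$(nis_map_order "$1")
    slave_order=$(nis_map_order "$2")
    [ -n "$master_order" ] && [ -n "$slave_order" ] || return 2
    [ "$slave_order" -ge "$master_order" ]
}

# Check a list of maps on one slave against the master using yppoll.
# Prints one line per problem map; exit status is non-zero if any map is
# stale or unreadable. Requires yppoll on the host running the check.
nis_check_slave() {
    slave="$1"; shift
    rc=0
    for map in "$@"; do
        m=$(yppoll -h "$NIS_MASTER" -d "$NIS_DOMAIN" "$map" 2>/dev/null)
        s=$(yppoll -h "$slave" -d "$NIS_DOMAIN" "$map" 2>/dev/null)
        nis_slave_current "$m" "$s"
        case $? in
            0) ;;
            1) echo "stale: $map on $slave"; rc=1 ;;
            *) echo "unknown: $map on $slave (no order number)"; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone use, e.g.:
#   sh nis-check.sh nisslave-eu.example.com passwd.byname group.byname
if [ $# -gt 0 ] && command -v yppoll >/dev/null 2>&1; then
    nis_check_slave "$@"
fi
```

When the check reports a stale map, the repair is the one the reply describes: `ypinit -s "$NIS_MASTER"` on the slave, or `yppush -d "$NIS_DOMAIN" passwd.byname` from the master to push a single map. Two caveats a practitioner would want: the order-number comparison only shows that the slave holds the master's current build, not what the map contains; and regardless of how the maps are pushed, any host that can reach ypserv can dump passwd.byname (including password hashes, unless the passwords live in a shadow/adjunct map) unless /var/yp/securenets restricts which networks may bind to the domain.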
