There are three solutions that I've seen that fully integrate with AD (and more have been popping up since):
- PADL - <http://www.padl.com> - Open source and commercial products
- Centrify - <http://www.centrify.com> - Commercial product
- Quest (formerly Vintela) - <http://www.quest.com/identity-management/> - Commercial product

All of these require some additions to the AD schema, but none of these additions are incompatible with normal AD operation. There are some characteristics of AD that can be leveraged to eliminate some of the NIS data - e.g., using AD groups to replace netgroups that are used for login control.

If you have a large number of NIS clients and/or large NIS maps, pay attention to caching on the client end. LDAP is very slow at 'map walking' (e.g., logging in on a *nix host reads the entire group map to find out which groups you are in; doing an 'ls' in a directory with files owned by thousands of users will be very slow) compared to NIS. Without caching, large numbers of NIS clients will load the AD servers, and large maps will slow down the clients. With caching, your AD servers will barely notice the added *nix clients. :-)

It's also extremely easy to add more AD servers to serve the additional load, and they 'load up gracefully' - they will take on load up to a certain limit, and then continue to supply at that limit as more load is added; they don't 'crowbar' and collapse like some services.

The most expensive (system-loading) function on AD is the Kerberos authentication, as it involves cryptographic calculations. Fortunately, you normally don't see a lot of simultaneous authentication happening, as credentials tend to be cached on the clients for long periods of time.

[Take a look at the archives - this has been discussed several times in the past, and there is good information in those discussions.]

- Richard

Michael D. Parker wrote:
> The company that I am working for is embarking on replacing the current
> locally developed NIS/YP structure with something LDAPish.
>
> We already have AD in house for the Windows stuff and would like to consider
> using the AD system. The AD people are quite restrictive and would not
> easily support extensive modifications.
>
> We need the replacement to support the full capabilities of the NIS/YP
> suite, including netgroups, login restrictions to specific servers for
> specific users or groups of users, consistent passwords between the *nix
> and Windows environments, etc. Our environment is a mixture of Linux (SuSE,
> RH, Debian), Sun, IBM, HP and MPRAS as well as a NetApp. So whatever we use
> must be totally inclusive of all environments.
>
> We have looked at Likewise, but our management wants other alternatives to
> compare with.
>
> What other things should I be looking at and what is your assessment of the
> alternatives?
>
> Thanks for your assistance.
>
> _______________________________________________
> Tech mailing list
> [email protected]
> http://lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
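As an added example (not from the thread, and not the configuration of any of the products named in it), the two client-side points Richard raises, caching so the client never walks whole passwd/group maps and an AD group standing in for a login-control netgroup, look like this in an sssd.conf on a current Linux client joined to AD. The domain name, realm and group name are placeholders I made up; the option names are SSSD's own.

```ini
# /etc/sssd/sssd.conf  (placeholder domain corp.example.com, not a real site)
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example.com

[nss]
# Never ask the directory about local system accounts.
filter_users = root
filter_groups = root

[pam]
# Days a user may keep logging in from the local credential cache
# if every DC is unreachable.
offline_credentials_expiration = 7

[domain/corp.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM

# Use the POSIX attributes (uidNumber/gidNumber) that the AD schema
# additions provide, so uids/gids match the old NIS maps.
ldap_id_mapping = false

# Do NOT enumerate: the client resolves entries on demand instead of
# pulling the entire passwd/group map the way NIS clients did.
enumerate = false

# Resolved entries are reused from the local cache for this many seconds
# before the DC is asked again (default 5400); this is the "caching on
# the client end" that keeps thousands of clients off the DCs.
entry_cache_timeout = 5400

# Keep a local copy of verified credentials so logins survive DC outages.
cache_credentials = true

# AD group in place of a login-control netgroup: only members of this
# (placeholder) group may log in on this host.
access_provider = simple
simple_allow_groups = unix-login-build01
```

Two practical notes: `enumerate = false` is what actually prevents the map walking described above, because an `ls` or a login then costs one cached lookup per distinct uid/gid rather than a scan of the whole map; and SSSD keeps its own cache, so nscd caching of the passwd, group and netgroup databases should be disabled on hosts that run it, otherwise two caches with different timeouts produce confusing stale results.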
