LDAP vs. NIS+

Matt Morgan minxmertzmomo at gmail.com
Tue Nov 15 14:26:16 UTC 2005


On 11/15/05, akonstam at trinity.edu <akonstam at trinity.edu> wrote:
> On Mon, Nov 14, 2005 at 10:03:09PM -0800, Justin Zygmont wrote:
> > On Mon, 14 Nov 2005, Aly Dharshi wrote:
> >
> > >LDAP is hands down the way to go, even Sun says that NIS+ may be deprecated
> > >in future releases, it's a freaking pain in the ass. NIS+ is not being
> > >actively developed for Linux, NIS+ is a good exercise in self-inflicted
> > >pain (which I will have to go thru' starting 2morrow).
> > >
> > >Ashley M. Kirchner wrote:
> > >>
> > >>   Once again I turn to the smart folks on this list.  I'm looking for a
> > >>way to centralize our user management.  At the moment I have user logins
> > >>that are scattered across several machines.  Ideally I want to have one
> > >>central "accounts" machine, where all the user LOGIN data is kept and
> > >>maintained.  Then I would have a shell server, where their actual files
> > >>are kept.  Users then connect to this shell server only (which then
> > >>authenticates the user against the "accounts" machine before letting them
> > >>on.)  I will also have a web server and mail spool server which will have
> > >>NFS shares, and all of these will have to have some record of the user
> > >>information (UID/GID at the very least) for things to work properly.
> > >>That data should be coming from the central "accounts" machine I would
> > >>think.
> > >>
> > >>   I heard that NIS+ can do what I want to do.  At the same time, I also
> > >>heard LDAP may be what I want.  So which is which?  What should I
> > >>consider using?  Considering that neither is something I've played with
> > >>extensively (I've done some NIS+ stuff eons ago, but never LDAP) this
> > >>would be a first for me and having to figure things out from the ground
> > >>up.
> > >>
> > >>   What does the general public recommend?  And any pointers/suggestions
> > >>you might have are also welcome.
> >
> > I found NIS not all that bad, considering the work involved integrating
> > all your services to use LDAP, it may not be all that bad if your needs
> > are simple.
> >
> I am still waiting for someone to explain how to get a Fedora system
> to authenticate using a Windows authentication server.
>
> Anyone know? Also LDAP is based on X500 long ago rejected as an IP
> addressing mode because it was too tedious to construct.

Where I used to work, we did it with WinBind, OpenLDAP, and Kerberos.
Unfortunately I can't give you any details, except to say that it
worked the way we expected it to, after we tried about a thousand
times. That is, it was difficult. And the default config files that
resulted from checking boxes in the Fedora login setup did not work;
we had to edit them manually (this was FC3, maybe it's better now).

Ultimately we did exactly what happens in Xandros, the commercial
Linux distro. It would be nice if they'd publish what they do, but
then I guess nobody would buy Xandros.



