
Re: [seul-edu] Alternatives to NIS



On Sun, Oct 22, 2000 at 11:10:47PM -0700, Harry McGregor wrote:
> On Sun, 22 Oct 2000, Dave Prentice wrote:
> 
> > Anybody,
> >     A while back I seem to remember someone saying NIS is "evil." Since
> > my classroom network is now stable enough to begin to expand from the
> > present 7 machines, I want to centralize access and passwords. What
> > alternatives are there to NIS, or should I just go with it?  Thanks,
> > Dave Prentice prentice@instruction.com
> 
> NIS, while it can be a pain, seems to be easier for a beginner (Nick, if you
> see this, please respond as well).  Right now we are using NIS for a lab
> of 32 computers, 3-4 servers, and 700-800 users, without many hassles.
> Most of the original problems stem from LibC5/GlibC2 issues (i.e. trying to
> mix slack 4 with redhat 6.x and the like); now all modern distros are
> glibc2 or glibc2.1 based, and fewer problems come up.  Keep in mind that with
> NIS, passwords are not shadowed, thus you do have the hash (slightly easier
> to break the password having the hash).  At another school, we are using
> LDAP based authentication, which while it works, is a lot more twitchy.
  Linux-NIS can also provide shadow support, though it's probably disabled
by default for security reasons.
  A note on LDAP. I wouldn't suggest v2 for a hostile environment.  Well, v2
without Kerberos support, as it sends all authentication info (passwords)
over the net in clear text, where NIS does the authentication locally.
Using v3 and/or a good (non-cleartext) SASL auth module should alleviate that
problem.  I've yet to migrate that setup, however.
  Also, if you're just concerned with login info, NIS will be fine.  The extra
setup trouble of LDAP won't be worth it unless you intend to store more
than login info in your tree.  Remember, LDAP isn't an authentication
scheme, it's a general tree structure for holding information.

  Of course, if you really wanted to get creative you could do a Kerberos
setup and play with the "login once" features. :)

  - Nick Lopez
    kimo_sabe@atdot.org
--
Personally, I'd like to see more porn on the Internet
                           -- President_Clinton in CNN chat
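
The thread's point that an unshadowed NIS passwd map hands the password hash to every client can be checked on a saved copy of the map. The following is an added example, not part of the original messages: it audits passwd(5)-format lines (such as the output of `ypcat passwd`) and lists accounts whose password field carries a hash or is empty. The function names and the sample records are constructed for illustration.

```python
"""Audit passwd(5)-format lines (e.g. saved `ypcat passwd` output) for exposed hashes."""
import string
import sys

# Characters used by traditional DES crypt(3) output.
DES_ALPHABET = set(string.ascii_letters + string.digits + "./")


def classify(field):
    """Label the password field, or return None if no hash is exposed."""
    if field == "":
        return "empty-password"          # account has no password at all
    body = field.lstrip("!")             # a leading '!' marks a locked account
    if body in ("", "x") or body.startswith("*"):
        return None                      # shadowed, locked, or disabled
    if body.startswith("$1$"):
        return "md5-crypt"
    if body.startswith("$"):
        return "modular-crypt"
    if len(body) == 13 and set(body) <= DES_ALPHABET:
        return "des-crypt"
    return "unknown"


def exposed_hashes(lines):
    """Return (user, label) for every record that exposes a hash."""
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 7:
            continue                     # not a passwd(5) record
        label = classify(parts[1])
        if label:
            findings.append((parts[0], label))
    return findings


# Constructed sample records; the hash strings are placeholders, not real hashes.
SAMPLE = """\
alice:abFAKEHASH012:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:$1$saltsalt$FAKEFAKEFAKEFAKEFAKEFA:1003:100:Carol:/home/carol:/bin/bash
dave:*:1004:100:Dave:/home/dave:/bin/false
erin::1005:100:Erin:/home/erin:/bin/bash
"""

if __name__ == "__main__":
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for user, label in exposed_hashes(source):
        print(f"{user}: {label}")
```

Run it as `ypcat passwd | python3 audit.py` on a NIS client; with no piped input it reports on the constructed sample.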