# alternative to NIS

## roaming

I have my network set up with NIS. I wonder whether NIS is safe enough.

I don't want any strong security, but I don't want my network to get compromised by any wannabe hackers.

Is there a good (lightweight) alternative to NIS?

----------

## kyron

I don't have NIS implemented yet and want to find a similarly light way to centralize my user management.... Apparently "the" way to go is LDAP..... but that seems very heavy and requires much reading for the uninitiated such as me...

----------

## lorenb

I use LDAP (openldap) on my home network; I've been happy with it.

Check out these links for some information on using openldap under Linux:

Using OpenLDAP http://www.metaconsultancy.com/whitepapers/ldap.htm

LDAP Authentication for Linux http://www.metaconsultancy.com/whitepapers/ldap-linux.htm

----------

## guero61

Pardon my [potential] complete ignorance, but what about Kerberos?

----------

## roaming

I was considering Kerberos since it allows me to keep my NIS configuration, but it is not compatible with PAM (pluggable authentication modules) and I don't really know how much that will affect my systems:

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/s1-kerberos-whynot.html

I have a quick question though for those who suggested LDAP. Do I need to have my own DNS to resolve "dc=mydomain, dc=com"?

Thanks

----------

## handsomepete

Whatever you do, don't mindlessly copy the nsswitch.ldap to nsswitch.conf (when you get to that step). It has DNS lookups over LDAP by default, which ends up in endless recursion on boot if you don't have it set up; it won't fail gracefully. I'm still working on getting openldap auth working, but it seems the tldp.org doc is pretty thorough.

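An added check for the trap handsomepete describes (example script, not from the thread or from nss_ldap): it parses a constructed nsswitch.conf snippet modelled on the nsswitch.ldap file the post mentions, lists which databases are sourced from ldap, and refuses a `hosts:` line that consults ldap, since glibc would then need the LDAP server to resolve the LDAP server's own hostname. Both sample files are constructed for the example; only standard awk, sed and grep are used.

```shell
#!/bin/sh
# Added example, not from the thread: detect (and strip) "ldap" from the hosts
# database in an nsswitch.conf before it is installed.

# Constructed sample in the shape of the shipped nsswitch.ldap template.
SAMPLE_BAD='passwd:     files ldap
group:      files ldap
hosts:      files ldap dns
'
# Constructed sample of the safe layout: users via ldap, hostnames via dns only.
SAMPLE_GOOD='passwd:     files ldap
group:      files ldap
hosts:      files dns
'

# Print, one per line, the names of the databases that list "ldap" as a source.
ldap_databases() {
    printf '%s' "$1" | awk '
        /^#/ { next }
        $1 ~ /:$/ {
            for (i = 2; i <= NF; i++)
                if ($i == "ldap") print substr($1, 1, length($1) - 1)
        }'
}

# Exit 0 when the hosts database consults ldap, 1 otherwise.
hosts_uses_ldap() {
    ldap_databases "$1" | grep -qx hosts
}

# Remove "ldap" from the hosts line only; other databases keep their sources.
strip_ldap_from_hosts() {
    printf '%s' "$1" | sed '/^hosts:/s/[[:space:]]ldap//'
}

# Exit 1 with a warning if the file would make name resolution depend on LDAP.
check_nsswitch() {
    if hosts_uses_ldap "$1"; then
        echo "WARNING: hosts: consults ldap; resolving the LDAP server's name would recurse" >&2
        return 1
    fi
    echo "ok: hosts: does not consult ldap"
    return 0
}

# Stand-alone run against the constructed samples.
check_nsswitch "$SAMPLE_GOOD"
check_nsswitch "$SAMPLE_BAD" || {
    echo "suggested hosts line:"
    strip_ldap_from_hosts "$SAMPLE_BAD" | grep '^hosts:'
}
```

Run it against a real file with `check_nsswitch "$(cat /etc/nsswitch.conf)"`; the check only looks at the `hosts:` line, so `passwd:` and `group:` sourced from ldap, which is the point of the exercise, pass untouched.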
----------

## kyron

I came across these 3 VERY useful documents (though I am still trying to figure out how to configure my LDAP server correctly... very frustrating). Though these documents were meant for another distribution, the whole is very easy to adapt to the Gentoo system.

To install LDAP

To make your SSL keys (needed in the previous link)

To set up LDAP authentication under Linux

To migrate your existing user base to LDAP

I need an LDAP for dummies book... really thinking of getting one right now...

----------

## axxackall

What tools do you use to manage users in LDAP?

Is OpenLDAP completely "transparent" for keeping system users? For example, which application will notice the difference when you migrate from /etc files to LDAP?

How slow is LDAP on a big user base?

----------

## axxackall

One more question: is it stable to use OpenLDAP to authenticate system users while OpenLDAP itself keeps them in an external backend DB (for example PostgreSQL)? Has anyone tried such a combination? Is it really as fast as promised?

----------

## kyron

The links I posted before your posts pretty much answer the questions you are asking here... They don't get into the DB integration though...

----------

## roaming

Pardon my stupid question..

Do I need to run the client on the server in order to run ldapsearch on the server?

Now I am answering my own question...

ldap-client is needed to run ldapsearch on the server, and to run the migration script online.

----------

## Genone

Also using LDAP at my home network I found the following tools really helpful:

1. directory_administrator: it's not in portage at the moment, but there are ebuilds in bugzilla (bug 12987). A nice app to manage users and groups on an LDAP server.

2. gq (in portage): a good general-purpose browser for LDAP directories.

As for system users, there should be no problems as long as the UIDs stay the same and the programs in question use the normal glibc functions. Programs that scan /etc/passwd directly will of course have some problems.

A note on the openldap installation: it seems that openldap does no logging by default; at least I noticed when troubleshooting that there were no log messages from slapd, not even for starting/stopping the server. To resolve this I had to re-emerge openldap with

```
DEBUG=1 emerge openldap
```

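An added example (not from the thread) of the check Genone's note implies: before nsswitch.conf is switched to ldap, compare the uidNumber values in the migration LDIF against /etc/passwd so that no UID changes, and list accounts that exist only in LDAP, which are exactly the ones a program that reads /etc/passwd directly will never see. Both the passwd lines and the LDIF below are constructed sample data, and the ou=People,dc=example,dc=com base is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: check a migration LDIF against /etc/passwd
# before pointing nsswitch.conf at LDAP. All sample data here is constructed.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
'

# Constructed migration output; the ou=People,dc=example,dc=com base is assumed.
# bob's uidNumber deliberately differs from /etc/passwd; carol is LDAP-only.
LDIF_SAMPLE='dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 2002
gidNumber: 1002

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: carol
uidNumber: 1003
gidNumber: 1003
'

# Emit "name:uid" for every LDIF entry (entries are separated by blank lines).
ldif_uids() {
    printf '%s' "$1" | awk '
        /^uid: /           { name = $2 }
        /^uidNumber: /     { num = $2 }
        /^$/ && name != "" { print name ":" num; name = ""; num = "" }
        END { if (name != "") print name ":" num }'
}

# Emit "name:uid" for every line of a passwd-format file.
passwd_uids() {
    printf '%s' "$1" | awk -F: '{ print $1 ":" $3 }'
}

# Join both lists on the user name. Mode "mismatch" prints users whose UID
# differs between the two sources; mode "ldaponly" prints users that exist in
# LDAP but not in the passwd file.
compare_uids() {
    mode=$1
    { passwd_uids "$2"; echo '--'; ldif_uids "$3"; } | awk -F: -v mode="$mode" '
        /^--$/  { inldif = 1; next }
        !inldif { file[$1] = $2; next }
        mode == "mismatch" && ($1 in file) && file[$1] != $2 {
            print $1 ": /etc/passwd uid " file[$1] " but LDAP uidNumber " $2
        }
        mode == "ldaponly" && !($1 in file) { print $1 }'
}

uid_mismatches()  { compare_uids mismatch "$1" "$2"; }
ldap_only_users() { compare_uids ldaponly "$1" "$2"; }

# Stand-alone run against the constructed samples.
echo "UID mismatches:";  uid_mismatches  "$PASSWD_SAMPLE" "$LDIF_SAMPLE"
echo "LDAP-only users:"; ldap_only_users "$PASSWD_SAMPLE" "$LDIF_SAMPLE"
```

On a real migration, feed it `"$(cat /etc/passwd)"` and the LDIF produced by the migration script; a non-empty mismatch list means file ownership will silently change for that user once glibc starts answering from LDAP, and the LDAP-only list is the set of accounts to test against any tool that parses /etc/passwd itself.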
----------

## gazurtoids

One of my machines is a laptop; it connects to the network at home via wifi. As such, while I'd like to centralise user management on the server, the laptop would need a fallback to use when it's outside the network. The ideal solution is to have the laptop sync its user accounts with the central server, maintaining a local cache so it can be used when the network is unavailable. I would then want any changes made while outside the network, like a password change, to be filtered back to the server (synced) when the laptop next connected. Can I do this with LDAP? Or any other system, for that matter?

Thanks guys.

----------

## acidreign

 *gazurtoids wrote:*   

> One of my machines is a laptop; it connects to the network at home via wifi. As such, while I'd like to centralise user management on the server, the laptop would need a fallback to use when it's outside the network. The ideal solution is to have the laptop sync its user accounts with the central server, maintaining a local cache so it can be used when the network is unavailable. I would then want any changes made while outside the network, like a password change, to be filtered back to the server (synced) when the laptop next connected. Can I do this with LDAP? Or any other system, for that matter?
> 
> Thanks guys.

 

> Fallback

Yes, it can fall back to local authentication.

> a local cache

You could make the laptop machine an LDAP slave (slurpd) server also, and replicate changes from these servers, maintaining state from the LDAP server. This same approach can be taken with NIS also.

> Can I do this with LDAP? Or any other system, for that matter?

I don't know if there is a way to do the password change offline, other than using some sort of cachefs, and to be honest I can see more bugs in this than it's worth.

----------

