On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
I'm building a new network for my company.
I need centralized authentication and looked after LDAP to achieve this.
It's a good thing you're designing this /now/ rather than trying to graft it on later. It's not as simple as it seems.
Unfortunately, there are 2 points that make me wonder the good use of it:
1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for production use
2. I really don't feel confident with LDAP
For many networks LDAP can be overkill.
So, I was thinking about using NIS instead, with which I feel much more confident. I understand it is really not secure, so I was looking about more information on this: why is it unsecure, does it send password in clear text?
No, but it sends them in an easily broken format. It's exactly the same situation as a DES /etc/passwd file in the days before master.passwd/shadow passwd files. This can be fixed by combining NIS with Kerberos.
Another large problem is that clients used to "broadcast" for NIS servers and trust the first server to answer. This can be fixed by telling the clients to contact only specific servers for NIS information.
Does anyone know a solution for securing NIS, using ssh or encrypted tunnels or anything... I am open to any new idea :)
IPsec can fix the network sniffing problem, though Kerberos can do that as well and comes with many other advantages.
I'm a bit biased, however: I use NIS with Kerberos and think it's the cat's pajamas :-)
This sounds exactly like what we are looking for. Can you point us to any docs explaining how you do this??
Thanks - Bruce
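
The fix mentioned in the thread, telling clients to contact only specific NIS servers instead of trusting whichever one answers a broadcast, can be checked on a client with a short audit. This is an added example, not part of any poster's message; it assumes a FreeBSD client whose ypbind is configured through `nis_client_enable` and `nis_client_flags` in rc.conf, and the domain and host names in the sample are placeholders.

```shell
#!/bin/sh
# Added example: report how ypbind will choose its NIS server, from rc.conf.
# Assumes a FreeBSD client configured via nis_client_enable / nis_client_flags.

# rc_value FILE VAR: print the last value assigned to VAR, quotes stripped.
rc_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# audit_ypbind FILE: print one verdict word.
#   disabled  NIS client is not enabled
#   unpinned  no -S server list found (the broadcast behaviour from the thread)
#   ypset     -ypset present: any host may tell ypbind which server to bind to
#   pinned    -S domain,server[,server...] limits binding to the named servers
audit_ypbind() {
    enabled=$(rc_value "$1" nis_client_enable)
    flags=$(rc_value "$1" nis_client_flags)
    case "$enabled" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    verdict=unpinned
    set -- $flags                      # split the flag string into words
    while [ $# -gt 0 ]; do
        case "$1" in
            -ypset) echo ypset; return 0 ;;
            -S)     # server list is the next word: domain,server1[,server2...]
                    case "${2:-}" in *,?*) verdict=pinned ;; esac
                    if [ $# -gt 1 ]; then shift; fi ;;
            -S?*)   # same list attached directly to the option
                    case "${1#-S}" in *,?*) verdict=pinned ;; esac ;;
        esac
        shift
    done
    echo "$verdict"
}

# Constructed sample config; domain and host names are placeholders.
sample=$(mktemp)
printf '%s\n' 'nisdomainname="example-domain"' 'nis_client_enable="YES"' \
    'nis_client_flags="-S example-domain,nis1.example.org,nis2.example.org"' > "$sample"
echo "sample rc.conf: $(audit_ypbind "$sample")"
rm -f "$sample"
```

Run `audit_ypbind /etc/rc.conf` on each client; anything other than `pinned` or `disabled` means the client can still be steered to a server it was not told to use.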