--On Monday, September 08, 2003 4:10 PM -0600 Tillman Hodgson <[EMAIL PROTECTED]> wrote:

On Mon, Sep 08, 2003 at 11:59:04PM +0200, Antoine Jacoutot wrote:
I'm building a new network for my company.

Right on!


I need centralized authentication and looked after LDAP to achieve
this.


It's a good thing you're designing this /now/ rather than trying to graft it on later. It's not as simple as it seems.

Unfortunately, there are 2 points that make me wonder about the good use of
it:
1. nss_ldap and pam-ldap need FreeBSD-5.1 and are not for production use
2. I really don't feel confident with LDAP

For many networks LDAP can be overkill.


So, I was thinking about using NIS instead, with which I feel much
more confident. I understand it is really not secure, so I was
looking about more information on this: why is it unsecure, does it
send password in clear text?

No, but it sends them in an easily broken format. It's exactly the same situation as a DES /etc/passwd file in the days before master.passwd/shadow passwd files. This can be fixed by combining NIS with Kerberos.

Another large problem is that clients used to "broadcast" for NIS
servers and trust the first server to answer. This can be fixed by
telling the clients to contact only specific servers for NIS
information.

Does anyone know a solution for securing NIS, using ssh or encrypted
tunnels or anything... I am open to any new idea :)

IPsec can fix the network sniffing problem, though Kerberos can do that as well and comes with many other advantages.

I'm a bit biased, however: I use NIS with Kerberos and think it's the
cat's pajamas :-)


Hey Tillman,

This sounds exactly like what we are looking for. Can you point us to any docs explaining how you do this??

Thanks -
Bruce

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
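
One way to check the fix mentioned in the quoted reply above (clients told to contact only specific NIS servers instead of broadcasting), as an added example that is not part of the thread. It assumes FreeBSD's `nis_client_enable` and `nis_client_flags` rc.conf variables and ypbind's `-S domain,server,...` option, none of which the messages name; the domain and host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a FreeBSD rc.conf pins
# the NIS client to named servers with ypbind -S, or leaves it free to bind
# to whichever server answers its broadcast.

# rc_value VAR FILE: print the last assignment of VAR in FILE, quotes stripped.
rc_value() {
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

# audit_nis_client FILE: print disabled, pinned or unpinned.
audit_nis_client() {
    case "$(rc_value nis_client_enable "$1")" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    set -f                                   # split flags on spaces, no globbing
    set -- $(rc_value nis_client_flags "$1")
    set +f
    while [ $# -gt 0 ]; do
        # -S takes "domain,server1[,server2...]": require a domain and a server
        if [ "$1" = "-S" ]; then
            case "${2:-}" in
                ?*,?*) echo pinned; return 0 ;;
            esac
        fi
        shift
    done
    echo unpinned
}

# Constructed sample files (domain and host names are placeholders).
demo_dir=$(mktemp -d)
printf '%s\n' 'nis_client_enable="YES"' > "$demo_dir/broadcast.conf"
printf '%s\n' 'nis_client_enable="YES"' \
    'nis_client_flags="-S example.test,nis1.example.test,nis2.example.test"' \
    > "$demo_dir/pinned.conf"
for f in "$demo_dir"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(audit_nis_client "$f")"
done
rm -rf "$demo_dir"
```

A result of `unpinned` means the client still accepts the first NIS server that answers, which is the broadcast problem the reply describes.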