On 2015-10-15, Raimo Niskanen <raimo+open...@erix.ericsson.se> wrote:
> On Wed, Oct 14, 2015 at 09:10:55PM -0600, Devin Reade wrote:
>> --On Wednesday, October 14, 2015 08:51:06 AM -0600 Theo de Raadt
>> <dera...@cvs.openbsd.org> wrote:
>>
>> >> Do you have any other tips on how to handle logins in a mixed OS YP
>> >> network?
>> >
>> > These days, I would recommend using YP in fewer places. I wrote the
>> > code, but even I don't use it. Each time I make changes that need testing
>> > in a YP environment, my test group has shrunk again...
>>
>> I suspect that the best bet for general interop will be an LDAP-based
>> infrastructure. You may need to verify that all OSes can use a

Even then, authentication is complex. You can either store a hash on the LDAP server and retrieve it over LDAP and authenticate locally, but then you're trusting client machines with the hash; otherwise you can authenticate by binding to the LDAP server (either via SASL -> fairly complex, or via simple authentication -> but still a bit complex, as then you need TLS to avoid sending cleartext passwords around, and really you also want PKI/cert checking etc. to avoid handing off passwords to a bogus server...).

I'm running into a need for this sort of thing myself; I'm currently leaning towards generating master.passwd files from an LDAP database and pushing them out to workstations, using some method (quite possibly login_ldap) to give a central place to change passwords - but I'd be very interested in any comments people have about methods they've used and how well they worked.

>> common subset of a valid schema, as well as probably needing a minimal
>> PKI for SSL. If NFS is in the picture, watch for NFS version compatibility
>> and username mapping idiosyncrasies (search for idmapd).
>
> Thank you for the hints. NFS is indeed in the picture.

If I'm not mistaken, idmapd isn't going to be much use for OpenBSD, which doesn't do NFSv4.
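The "generate master.passwd from LDAP and push it out" approach described in the reply above, as an added example that is not part of the thread: a Python script (assumed function names parse_ldif and entries_to_master_passwd, constructed sample data) that turns posixAccount LDIF into master.passwd(5) records, rejecting entries that could shadow local system accounts or break the colon-separated format, and locking any account whose stored hash is not an OpenBSD bcrypt string. Note that this approach still hands the hashes to every client, which is the same trust issue the reply raises for the local-authentication option.

```python
# Constructed sample of an ldapsearch -LLL export; the hash is a placeholder, not a real credential.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
uidNumber: 1001
gidNumber: 1001
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/ksh
userPassword: {CRYPT}$2b$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOL

dn: uid=svc,ou=people,dc=example,dc=org
uid: svc
uidNumber: 999
gidNumber: 999
gecos: Service:Account
loginShell: /sbin/nologin
"""

def parse_ldif(text):
    """One dict per record (first value per attribute wins); folded lines are joined."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):
        cur = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                cur.setdefault(attr.strip(), value.strip())
        if cur:
            entries.append(cur)
    return entries

def entries_to_master_passwd(entries, min_uid=1000):
    """Return (records, rejected). Each record has the ten master.passwd(5) fields:
    name:password:uid:gid:class:change:expire:gecos:home:shell."""
    records, rejected = [], []
    for e in entries:
        name = e.get("uid", "")
        if not (e.get("uidNumber", "").isdigit() and e.get("gidNumber", "").isdigit()):
            rejected.append((name, "non-numeric uidNumber/gidNumber")); continue
        if int(e["uidNumber"]) < min_uid:        # never let LDAP shadow root/system accounts
            rejected.append((name, "uid below min_uid")); continue
        fields = (name, e.get("gecos", ""), e.get("homeDirectory", ""), e.get("loginShell", "/sbin/nologin"))
        if not name or any(":" in f or "\n" in f for f in fields):
            rejected.append((name, "empty name or ':'/newline in a field")); continue
        pw = e.get("userPassword", "")
        pw = pw[7:] if pw.startswith("{CRYPT}$2b$") else "*"   # non-bcrypt or missing hash -> locked
        records.append(f"{name}:{pw}:{e['uidNumber']}:{e['gidNumber']}::0:0:{fields[1]}:{fields[2]}:{fields[3]}")
    return records, rejected
```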