Hi.
After reading about (and a little bit of experimenting with) NIS, LDAP and Kerberos, I concluded that:
- Using NIS is really easy - however, it's too insecure
- Using LDAP is too complicated for my 3-4 server network

Many criticize NIS as being insecure; I haven't seen such criticism about LDAP. However, as Nico Kadel-Garcia pointed out, "Kerberos (is the) Underlying authentication technology for most LDAP setups".
So, if it's a common practice to set up LDAP and then fortify it with Kerberos, wouldn't it be easier to set up NIS and fortify it with Kerberos?
Is this combination possible/feasible? Can anyone point to some reference about how to achieve that combination?
Am I missing some drawbacks (except using an aging technology that doesn't co-operate with Windows)?

Thanks,
Zvika

2014-02-19 13:21 GMT+02:00 צביקה הרמתי <[email protected]>:
> Hi.
> Thank you all for the good advice.
> Now I just have to decide how to proceed...
>
> 2014-02-18 1:59 GMT+02:00 Paul Robert Marino <[email protected]>:
>
>> TLS/SSL won't work correctly if you use the /etc/hosts file. That is the
>> real constraint with LDAP and DNS.
>> But it's not that severe; all you need to be able to do is forward and
>> reverse lookup the host name and match it to the IP address.
>> You do not really need the SRV records. As long as the name in the cert
>> matches the DNS A record for the hostname(s) and the reverse lookup of the
>> resulting IP also matches the hostname(s) in the cert, you are good.
>>
>> One other option is you don't really need the passwords in the LDAP
>> database; you can put them in Kerberos. Then you don't have to worry about
>> clear text passwords at all and there are no DNS requirements.
>>
>> It takes about 15 minutes to set up a Kerberos server and only about an
>> hour to set up 389 server (a.k.a. Red Hat Directory Server, a.k.a. Netscape
>> Directory Server) from scratch to use Kerberos auth.
>> Then on your client configs you specify the IP addresses instead of the
>> host names.
>>
>> --
>> Sent from my HP Pre3
>>
>> ------------------------------
>> On Feb 17, 2014 9:09, Tam Nguyen <[email protected]> wrote:
>>
>> If you wanted to avoid DNS, then you can *temporarily* achieve that on RH
>> Identity Management by updating the /etc/hosts files on the server and
>> client nodes.
>>
>> -Tam
>>
>> On Mon, Feb 17, 2014 at 6:57 AM, צביקה הרמתי <[email protected]> wrote:
>>
>>> Hi.
>>>
>>> I want to have several hosts sharing the same user accounts database,
>>> i.e., user "John" will be able to seamlessly log in to host1 or to host2,
>>> without having to manually configure "John"'s credentials on each machine.
>>> Nothing more than that...
>>>
>>> LDAP seems like the solution; however, I tried to find an easy tutorial
>>> and understood that maybe it's a little bit overkill for my humble
>>> requirements.
>>>
>>> I've read about RH Identity Management (
>>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/index.html
>>> )
>>> It seemed interesting, but its DNS requirements are a little bit too
>>> complicated for my scenario (having the IDM server's public IP properly
>>> configured in a DNS record).
>>>
>>> Am I missing something?
>>> There must be a simpler way...
>>>
>>> Thanks,
>>> Zvika
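Paul Robert Marino's condition for TLS against an LDAP server without SRV records (every name in the certificate must forward-resolve, and the reverse lookup of each resulting IP must land on a name that is also in the certificate) can be checked before the first client is configured. The script below is an added example written for this thread, not code from any of the posters or from 389 server / Red Hat Identity Management. The function `check_cert_dns_consistency` and the `SAMPLE_*` zone data are constructed for the demo; the `system_forward` / `system_reverse` helpers go through the normal resolver library, so entries in `/etc/hosts` count exactly as Tam Nguyen's temporary workaround relies on.

```python
import socket
from typing import Callable, Dict, List

# Hypothetical pre-flight check (not from the thread) for the rule described
# in the mailing-list reply: each certificate name must forward-resolve, and
# every address it yields must reverse-resolve to a name the cert also carries.
def check_cert_dns_consistency(
    cert_names: List[str],
    forward: Callable[[str], List[str]],
    reverse: Callable[[str], str],
) -> Dict[str, List[str]]:
    """Return {cert_name: [problem, ...]}; an empty list means that name is fine."""
    names = {n.lower().rstrip(".") for n in cert_names}
    report: Dict[str, List[str]] = {}
    for name in sorted(names):
        problems: List[str] = []
        try:
            ips = forward(name)
        except OSError as exc:
            report[name] = [f"forward lookup failed: {exc}"]
            continue
        if not ips:
            problems.append("forward lookup returned no addresses")
        for ip in ips:
            try:
                ptr = reverse(ip).lower().rstrip(".")
            except OSError as exc:
                problems.append(f"reverse lookup of {ip} failed: {exc}")
                continue
            if ptr not in names:
                # The classic failure: a DNS round-robin or alias in the cert
                # whose PTR points at a canonical name the cert does not list.
                problems.append(
                    f"{ip} reverse-resolves to {ptr}, which is not in the certificate"
                )
        report[name] = problems
    return report


def is_consistent(report: Dict[str, List[str]]) -> bool:
    """True when no certificate name has any problem."""
    return all(not problems for problems in report.values())


# Real resolver helpers: these use the system resolver (DNS and /etc/hosts via NSS).
def system_forward(name: str) -> List[str]:
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def system_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


# Constructed sample zone data (documentation range 192.0.2.0/24) so the demo runs offline.
SAMPLE_FORWARD = {
    "ldap1.example.test": ["192.0.2.10"],
    "ldap2.example.test": ["192.0.2.11"],
    "ldap.example.test": ["192.0.2.10", "192.0.2.11"],  # alias over both servers
}
SAMPLE_REVERSE = {
    "192.0.2.10": "ldap1.example.test",
    "192.0.2.11": "ldap2.example.test",
}


def sample_forward(name: str) -> List[str]:
    if name not in SAMPLE_FORWARD:
        raise OSError(f"NXDOMAIN {name}")
    return list(SAMPLE_FORWARD[name])


def sample_reverse(ip: str) -> str:
    if ip not in SAMPLE_REVERSE:
        raise OSError(f"no PTR for {ip}")
    return SAMPLE_REVERSE[ip]


if __name__ == "__main__":
    # A cert that lists the alias but not every server it points at fails the check.
    bad = check_cert_dns_consistency(["ldap1.example.test", "ldap.example.test"],
                                     sample_forward, sample_reverse)
    good = check_cert_dns_consistency(["ldap1.example.test", "ldap2.example.test",
                                       "ldap.example.test"],
                                      sample_forward, sample_reverse)
    for label, rep in (("bad", bad), ("good", good)):
        print(label, "consistent" if is_consistent(rep) else "INCONSISTENT")
        for n, probs in rep.items():
            for p in probs:
                print(f"  {n}: {p}")
```

To run it against a real server, call `check_cert_dns_consistency(names, system_forward, system_reverse)` with the names taken from the certificate's Subject Alternative Name list; the sample run shows why a shared alias in the certificate forces every backing server's canonical name into the same certificate.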
