On Wed, 16 Jul 2003, Kyle Gordon wrote:

> hey all
>
> In a futile attempt to learn something worthwhile, I've decided to have a shot
> at an alternative authentication system.
>
> Now, I know there's NIS and LDAP, but which one is best and in what scenarios
> should they be used? Which is more complex to set up? And which will scale
> well and stay secure?
I'd say LDAP, but I'm prone to saying that before someone has asked the question!

LDAP is relatively easy to set up, not sure about NIS on Linux. Used NIS+ on Solaris, it took a while to get your head round it and the associated commands. And it often broke (database/map corruption) on the version of Solaris we ran (2.7 I think).

You can get nsswitch libraries and pam modules for LDAP on most *NIX nowadays. Not sure if they all support LDAPS (with SSL/TLS), but if not you can probably use them with 'stunnel' or such. And if you want to try NIS I believe you can get LDAP <> NIS gateways that service NIS clients.

If you want scalability I know of LDAP directories with millions of entries. Not with OpenLDAP, although I'm sure it performs admirably. I'm pretty sure the client stuff will take more than one server IP for redundancy, or you could employ an IP load balancer. And setting up LDAP DB replication isn't very hard.

One of the main benefits of LDAP is that other applications such as Apache can use it for authenticating users. Metadirectory tools exist to sync LDAP entries with RDBs, NT domains etc. And also you can store jpegs, X.509 certs, pgp keys etc (handy if you want to build corporate 'white pages' or a pgp keyserver).

Andrew

PS. Ensure nsswitch is configured to check 'files' for 'passwd' at least. And that root and any other critical accounts have local entries so you can log on if your LDAP service is down.

PPS. Configure nscd to cache LDAP results so you don't hammer your DSA on directory listings etc.

_______________________________________________
Scottish mailing list
[EMAIL PROTECTED]
http://mailman.lug.org.uk/mailman/listinfo/scottish
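As an added illustration of the two PS points above (this is not code from the thread), a small POSIX sh check that 'files' is consulted before 'ldap' for a given NSS database and that critical accounts keep local passwd entries; the sample nsswitch.conf and passwd files are constructed here rather than read from a live system.

```shell
#!/bin/sh
# Added example, not from the original thread: a check for Andrew's two PS
# points. It verifies that 'files' is consulted before 'ldap' for a given
# NSS database in nsswitch.conf, and that critical accounts still have local
# passwd entries, so root can log on when the directory is unreachable.
# File paths are parameters so the check runs against constructed samples.
# check_nsswitch FILE DATABASE -> 0 if 'files' is listed before 'ldap'
check_nsswitch() {
    line=$(grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" | head -n 1)
    [ -n "$line" ] || return 1                 # database not configured
    sources=$(printf '%s\n' "$line" | sed 's/^[^:]*://; s/#.*//')
    files_pos=0; ldap_pos=0; i=0
    for src in $sources; do
        i=$((i + 1))
        [ "$src" = files ] && [ "$files_pos" -eq 0 ] && files_pos=$i
        [ "$src" = ldap ]  && [ "$ldap_pos" -eq 0 ]  && ldap_pos=$i
    done
    [ "$files_pos" -gt 0 ] || return 1         # no local fallback at all
    [ "$ldap_pos" -eq 0 ] || [ "$files_pos" -lt "$ldap_pos" ]
}

# has_local_account PASSWD_FILE USER -> 0 if USER has a local entry
has_local_account() {
    grep -q "^$2:" "$1"
}

# Constructed sample files (not a real system's configuration).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/nsswitch.good" <<'EOF'
passwd: files ldap
group:  files ldap
shadow: files ldap
EOF
cat > "$tmp/nsswitch.bad" <<'EOF'
passwd: ldap      # directory only: lockout when the DSA is down
group:  ldap files
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
andrew:x:1000:1000::/home/andrew:/bin/sh
EOF
for f in good bad; do
    for db in passwd group shadow; do
        if check_nsswitch "$tmp/nsswitch.$f" "$db"; then r=ok; else r=FAIL; fi
        echo "nsswitch.$f $db: $r"
    done
done
has_local_account "$tmp/passwd" root && echo "root has a local entry"
```

Run against the real files with `check_nsswitch /etc/nsswitch.conf passwd` and `has_local_account /etc/passwd root` to apply the same checks to a live host.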
