[TUHS] YP / NIS / NIS+ / LDAP
Mantas Mikulėnas
grawity at gmail.com
Mon Nov 5 17:24:24 AEST 2018
On Mon, Nov 5, 2018 at 9:19 AM Grant Taylor via TUHS
<tuhs at minnie.tuhs.org> wrote:
>
> On 11/04/2018 08:16 PM, Robert Brockway wrote:
> > I used NIS a lot in the 90s and early 2000s. I think it continues to be
> > underrated. The main gripe people had was lack of security but if all
> > of the hosts were in the same security domain anyway it wouldn't matter.
>
> I'd like to hear more about the security issues.
>
> Did NIS(+) ever encrypt its communications? (I'm not counting things
> like IPsec transport.)
>
> I'm fairly certain that it was possible to enumerate the directory or
> otherwise scrape most (if not all) of its contents.
There was `ypcat passwd`, wasn't there?
> > I did a lot of LDAP around 2007-2010. I got quite good at writing
> > filters as we were using it for a lot more than just user auth.
>
> Ya. The LDAP filters are why I tried to avoid just using LDAP against
> AD. That and the fact that the Unix passwords were actually a separate
> field that could have different values from what the Windows systems used.
I would say that expecting to just pull password hashes from the
directory service – using it as nothing more than networked
/etc/shadow – is a bad approach to begin with. Let the client handle
authentication via Kerberos (or via whatever else is appropriate for
AD).
> > Most installations I'm seeing today auth to AD, which is of course now
> > supported.
>
> I'm curious what "supported" actually means. I think there is
> preconfigured LDAP against AD templates, and things like Samba+Winbind.
> But all seem to be less native / seamless than NIS.
Could you elaborate on that?
> > In my experience LDAP is preferred in a pure *nix environment these
> > days. I've never played much with Kerberos.
>
> Does that mean that the authentication is also done across LDAP? I hope
> that it's encrypted LDAP.
Standard TLS.
--
Mantas Mikulėnas
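An added example, not part of the thread above, illustrating the `ypcat passwd` point: the passwd map is served to any host that can reach ypserv, so the question is whether the second field still carries real crypt(3) hashes (networked /etc/passwd as originally designed) or only shadow placeholders. The script below parses ypcat-style output and flags entries that expose a hash or have no password at all. The sample map, the user names and the hash strings are constructed for the example; the prefix table covers the modular crypt formats commonly seen in the wild, plus the traditional 13-character DES form.

```python
"""Audit NIS passwd map output for exposed credentials.

Added example (not from the TUHS thread).  Run it as:
    ypcat passwd | python3 nis_passwd_audit.py
It classifies the password field of each passwd(5) line so an admin can
tell real hashes (which enumeration leaks to anyone on the network)
from shadow placeholders and locked accounts.
"""
import sys
from collections import Counter

# Modular-crypt prefixes; order does not matter because none is a prefix
# of another, but keep the common ones first for readability.
HASH_PREFIXES = (
    ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"),
    ("$1$", "md5crypt"),
    ("$2a$", "bcrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
    ("$7$", "scrypt"),
    ("$y$", "yescrypt"),
)


def classify_password_field(pw: str) -> str:
    """Return a label for the second field of a passwd(5) entry."""
    if pw == "":
        return "empty"                 # no password: anyone can log in
    if pw in ("x", "*", "*NP*", "NP") or pw.startswith("!"):
        return "shadowed-or-locked"    # hash lives elsewhere, or disabled
    if pw.startswith("##"):            # "##user" style shadow reference
        return "shadowed-or-locked"
    for prefix, name in HASH_PREFIXES:
        if pw.startswith(prefix):
            return name
    if len(pw) == 13 and all(c.isalnum() or c in "./" for c in pw):
        return "descrypt"              # traditional 13-char DES crypt(3)
    return "unknown"


def audit_passwd_map(lines):
    """Parse ypcat-style passwd lines; return (findings, counts).

    findings: list of (username, label) for entries that expose a hash
    or have no password.  counts: Counter of every label seen, including
    'malformed' for lines that are not seven colon-separated fields.
    """
    findings = []
    counts = Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            counts["malformed"] += 1
            continue
        user, pw = fields[0], fields[1]
        label = classify_password_field(pw)
        counts[label] += 1
        if label != "shadowed-or-locked":
            findings.append((user, label))
    return findings, counts


# Constructed sample map (hash strings are placeholders, not real hashes).
SAMPLE_MAP = """\
alice:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghij:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
carol:Ab/cdEfGhIjKl:1003:1003:Carol:/home/carol:/bin/csh
guest::1004:1004:Guest:/home/guest:/bin/sh
svc:*:1005:1005:Service:/nonexistent:/sbin/nologin
"""


def main(argv):
    # Read from a file if given, otherwise from stdin (ypcat passwd | ...).
    source = open(argv[1]) if len(argv) > 1 else sys.stdin
    findings, counts = audit_passwd_map(source)
    for user, label in findings:
        print(f"EXPOSED {user}: {label}")
    print("summary:", dict(counts))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one entry in the map would hand a hash (or a passwordless login) to anyone who can run `ypcat`; the summary line shows how much of the map is still unshadowed.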