[TUHS] YP / NIS / NIS+ / LDAP
Robert Brockway
robert at timetraveller.org
Tue Nov 6 13:03:47 AEST 2018
On Mon, 5 Nov 2018, Grant Taylor via TUHS wrote:
> I also loath the idea that Unix (Linux) doesn't have a stand alone central
> directory server solution. Or if LDAP + Kerveros is said solution, so be it.
> - That's sort of what I'm trying to figure out.
LDAP with or without Kerberos certainly counts as a standalone directory
server solution for *nix.
> Translation: What is the current Unix (Linux) method to provide central user
> directory / authentication for about a dozen Unix (Linux / Solaris / *BSD /
> AIX) systems /without/ a Windows Server in the mix. I don't own a license
> for any version of Windows Server that supports AD. Nor do I feel compelled
> to buy one.
I've seen plenty of businesses with Linux servers and OSX desktops. These
business often manage user auth on Linux with LDAP. Various solutions
were used to manage the OSX boxes but they were quite separate to Linux.
One caveat with LDAP. When I last did this a few years ago many Linux
systems were set up in such a manner that a failure of LDAP makes the
systems largely unusable. AFAIK this is still a problem.
A sysadmin logging in had to wait out a series of timeouts while trying to
open nsswitch.conf or the PAM config to disable LDAP so the underlying
problems could be addressed.
One fix for this that I mentioned earlier is to manage the Linux systems
using orchestration tools like Ansible. Have them generate local passwd,
shadow & group files from data stored in LDAP. This prevent the timeout
problems I mentioned earlier and also means that switching to a new
authentication backend (eg, OpenLDAP to AD) is a lot easier since it is
abstracted away.
Cheers,
Rob
More information about the TUHS
mailing list