Hello listmates,

We are currently running NIS for authentication but would like to migrate to LDAP. Thing is, though, that some of the machines that authenticate via NIS are so old I'd rather not even touch them.

Hence the question - is there a good way to have an NIS server for user authentication that is a mirror image of an LDAP server, with a proviso that an update introduced there is replicated in the LDAP server's databases?

Thanks.

Boris.

> Hence the question - is there a good way to have an NIS server for
> user authentication that is a mirror image of an LDAP server, with a
> proviso that an update introduced there is replicated in the LDAP
> server's databases?

I don't know of any "syncing" mechanisms between an existing NIS environment and an existing LDAP environment, but if you are willing to migrate to something new that provides both, you might try FreeIPA.

http://freeipa.org/page/NIS_Compatibility

--
Jonathan

On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson <jnilsson at uci.edu> wrote:
>
> You're welcome! I have used FreeIPA in the past with great success (though not specifically as an NIS data source). So if you do pursue FreeIPA, I highly recommend joining their separate mailing list freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> They have a very active development community that will be able to help you get up and running.
> To get you started, I recommend that you try installing it on a Fedora server, rather than CentOS (people have reported being able to build and install on CentOS 5, but yum install is easier on Fedora).
> Good luck!
> --
> jonathan

Jonathan,

Did you get this for CentOS? I've got CentOS 5.6. Would you know if there is a repository for that that contains FreeIPA?

Boris.

On Nov 4, 2011, at 2:48 PM, Boris Epstein <borepstein at gmail.com> wrote:
> Hello listmates,
> We are currently running NIS for authentication but would like to
> migrate to LDAP. Thing is, though, that some of the machines that
> authenticate via NIS are so old I'd rather not even touch them.
> Hence the question - is there a good way to have an NIS server for
> user authentication that is a mirror image of an LDAP server, with a
> proviso that an update introduced there is replicated in the LDAP
> server's databases?

You could have the NIS maps set up by your capable LDAP clients. Use getent on those boxes and filter out the local accounts, set them up as NIS servers but make sure they don't reference both NIS and LDAP.

In my environment I have my NIS servers use winbind to get AD accounts into NIS as winbind will map Windows UUIDs to UIDs and GIDs. Just customized the map building scripts to use getent and filtered out the local accounts. If I migrate over to OpenLDAP in the future I merely change this on the NIS servers. I could also merge both AD and OpenLDAP if UIDs and GIDs don't collide.

All authentication is handled by Kerberos, so password management doesn't need to fit in, the only thing that might require extra config is the shell management stuff. I just standardize on bash across the board here.

-Ross
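
The map-building step Ross describes (take `getent passwd` output on an LDAP-capable host, drop the local accounts, and watch for UID collisions), as an added example that is not code from the thread. The function name, the sample accounts and the choice to force the password field to `x` (on the thread's statement that Kerberos handles authentication) are assumptions.

```shell
#!/bin/sh
# Added example. Account data below is constructed, not from the thread.

# build_nis_passwd LOCAL_PASSWD < "getent passwd" output
# Prints passwd-map source lines for directory accounts only:
#   - names present in LOCAL_PASSWD (root, daemon, ...) are dropped
#   - the password field is forced to "x" (assumption: Kerberos does the
#     authentication, so no hash should be published in a NIS map)
#   - a UID shared by two different names is reported; exit status is 1
build_nis_passwd() {
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { loc[$1] = 1; next }           # local account names
        NF != 7 || ($1 in loc) || ($1 in emitted) { next }  # malformed, local, repeat
        ($3 in uid) && uid[$3] != $1 {
            printf("UID %s: %s collides with %s\n", $3, $1, uid[$3]) > "/dev/stderr"
            bad = 1; next
        }
        { uid[$3] = $1; emitted[$1] = 1; $2 = "x"; print }
        END { exit bad + 0 }
    ' "$1" -
}

sample_local() {   # constructed /etc/passwd excerpt
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'daemon:x:2:2:daemon:/sbin:/sbin/nologin'
}
sample_getent() {  # constructed "getent passwd" output on an LDAP client
    sample_local
    printf '%s\n' 'alice:CONSTRUCTED-HASH:10001:10001:Alice:/home/alice:/bin/bash' \
                  'bob:*:10002:10001:Bob:/home/bob:/bin/bash'
}

# On a real map-building host: getent passwd | build_nis_passwd /etc/passwd
tmp=$(mktemp) && sample_local > "$tmp"
sample_getent | build_nis_passwd "$tmp"
rm -f "$tmp"
```

A non-zero exit status lets the map-building script stop before pushing a map in which two directory sources assign the same UID to different users.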