Hi all,

We're getting to a point in our linux environment where it's starting to be cumbersome to keep shadow and passwd-files up-to-date for the users to log in on each computer. Scripts can only get us so far. 8-/

I've looked a bit into central login systems for linux, and NIS and LDAP seem to be prevalent. NIS being the simpler-to-setup solution for small to medium networks as I understand it, while LDAP is the more modern and scalable solution. See e.g. http://www.yolinux.com/TUTORIALS/NIS.html or http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.

NIS-wise, what is a "small to medium network"? We have currently about 20-30'ish linux clients and servers, and the environment is not likely to increase much beyond this point. Is a 30ish-computer setup a small network?

The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.

Comments and insights are much appreciated!

--
BW,
Sorin
-----------------------------------------------------------
# Sorin Srbu, Sysadmin
# Uppsala University
# Dept of Medicinal Chemistry
# Div of Org Pharm Chem
# Box 574
# SE-75123 Uppsala
# Sweden
#
# Phone: +46 (0)18-4714482
# Visit: BMC, Husargatan 3, D5:512b
# Web: http://www.orgfarm.uu.se
-----------------------------------------------------------
# () ASCII ribbon campaign - Against html E-mail
# /\
#
# This message was not sent from an iProduct!
#
# MotD follows:
# Artificial Intelligence: the art of making computers that behave like the ones in movies. -Bill Bulko
Hi Sorin

We use here LDAP authentication and mail-control since more than 10 years. At that time, we did the conversion from passwd/shadow to LDAP using the tools on http://www.padl.com/download/ which are still available, probably in a newer version...

To represent a person or a service in LDAP we use the objectclasses:

objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: mailRecipient

To represent a mail user for postfix we use the objectclasses:

objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser

To represent a domain which we serve mail-wise we use the objectclasses:

objectClass: qmailControl
objectClass: top

We also have developed an LDAP via Web Interface, which we use exclusively for LDAP administration. We have two LDAP servers, synchronized via syncrepl.

suomi

On 2014-01-28 10:02, Sorin Srbu wrote:
> [...]
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
2014-01-28 Sorin Srbu <Sorin.Srbu at orgfarm.uu.se>
> [...]

Use IPA.

It combines LDAP with Kerberos, a server-client environment is easily set up and the documentation (RHEL deployment) is very helpful.
On 01/28/2014 04:02 AM, Sorin Srbu wrote:
> [...]

I used NIS for many years while working on Sun Solaris and it worked extremely well, although when it breaks it can be a real challenge to figure out the problems. I don't know how well it's implemented in Linux, bound to be a bit different than Solaris. In either case if it's important be aware of the potential security issues related to NIS, mainly the clear text passing of the password which is what pretty much doomed it. Depending on how antsy your users get I would recommend a slave server as well, you might also consider using autofs to mount the user's homes.

The biggest potential problem that you might run into when you first implement NIS is to take a look at the uid of all the users on each host, you will need to ensure that they are the same before you start NIS or else it will be a mess for the users because they won't own their own files.

With all of that said I do think though that LDAP would be a better solution although I've not used LDAP. Good luck with it either way.

Pete

--
Unencumbered by the thought process.
-- Click and Clack the Tappet brothers
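The UID check Pete describes, as an added example that is not from the thread: it reads /etc/passwd excerpts collected from several hosts and reports every user whose UID differs between hosts, and every UID that belongs to different user names on different hosts (the host names and accounts are constructed sample data).

```shell
#!/bin/sh
# Added example (not from the thread): audit UID consistency across hosts
# before switching them to a shared NIS/LDAP map. A user whose UID differs
# between hosts, or a UID that names different users on different hosts,
# ends up not owning (or wrongly owning) files once the map is central.

# Constructed /etc/passwd excerpts from three hosts, one line per account,
# prefixed with the host name. In practice collect them with something like:
#   for h in host1 host2 host3; do ssh "$h" cat /etc/passwd | sed "s/^/$h /"; done
SAMPLE_PASSWD='host1 root:x:0:0:root:/root:/bin/bash
host1 alice:x:1001:1001:Alice:/home/alice:/bin/bash
host1 bob:x:1002:1002:Bob:/home/bob:/bin/bash
host2 alice:x:1001:1001:Alice:/home/alice:/bin/bash
host2 bob:x:1003:1003:Bob:/home/bob:/bin/bash
host2 carol:x:1002:1002:Carol:/home/carol:/bin/bash
host3 alice:x:1001:1001:Alice:/home/alice:/bin/bash
host3 carol:x:1002:1002:Carol:/home/carol:/bin/bash'

# Read "<host> <passwd line>" records on stdin; print one line per conflict.
# System accounts (UID < 1000) are skipped since they stay in local files.
uid_conflicts() {
    awk '
    NF < 2 { next }
    {
        host = $1
        split($2, f, ":")
        user = f[1]; uid = f[3]
        if (uid < 1000) next
        seen_uid[user] = seen_uid[user] " " uid "@" host
        if (!(user in first_uid)) first_uid[user] = uid
        else if (first_uid[user] != uid) bad_user[user] = 1
        seen_user[uid] = seen_user[uid] " " user "@" host
        if (!(uid in first_user)) first_user[uid] = user
        else if (first_user[uid] != user) bad_uid[uid] = 1
    }
    END {
        for (u in bad_user) print "USER " u " has different uids:" seen_uid[u]
        for (i in bad_uid) print "UID " i " belongs to different users:" seen_user[i]
    }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_PASSWD" | uid_conflicts
```

An empty report means the UIDs can be centralised as they are; each reported line is a user whose files need a chown on the hosts where the UID disagrees.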
We have been using NIS for over a decade on our network, and it has been an effective solution. The network spans several subnets, and we have been able to deploy slave NIS servers on the various subnets. The reason for this is several-fold:

- Quicker response for login and other domain requests
- Network policy requires slave servers to be on subnets to reduce network traffic.

While the security is not as strong as it is for the LDAP solution, as long as you are employing NIS on an internal network, you should be all set.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Sorin Srbu
Sent: Tuesday, January 28, 2014 4:03 AM
To: CentOS mailing list
Subject: [CentOS] NIS or not?

[...]
On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu <Sorin.Srbu at orgfarm.uu.se> wrote:
> The only thing I'm trying to accomplish is a system which will allow me to
> keep user accounts and passwords in one place, with one place only to
> administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!

A related question: is NIS or LDAP (or something else entirely) better if the machines are not uniform in their login configuration? That is, we have an ever-growing list of special cases. UserA can log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can log in to server 6. UserD can log in to machines 2--6. And so on and so forth.

I currently have a custom script with a substantial configuration file for checking that the actual machines are configured as per our intent. It would be nice if there was a single tool where the configuration and management/auditing could be rolled into one.

Thanks!
Matt
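As an added example (not suomi's code and not the padl migration tools), the passwd/shadow-to-LDAP conversion suomi's reply refers to, producing one entry with the account, posixAccount, shadowAccount and top objectClasses listed there (mailRecipient is left out as a Netscape/Sun schema class). Extra arguments become host: values of the account objectClass, which is one LDAP-side way to hold the per-host login lists Matt asks about; enforcement on the clients is assumed to be pam_ldap's pam_check_host_attr or sssd's ldap_access_order = host. The base DN, user and hash are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): turn one /etc/passwd line plus its
# /etc/shadow line into an LDIF entry. Trailing arguments become "host:"
# attributes of the account objectClass, which pam_ldap (pam_check_host_attr)
# or sssd (ldap_access_order = host) can check at login on each client.

# Constructed sample records; the hash is a placeholder, not a real crypt hash.
SAMPLE_PASSWD='alice:x:1001:1001:Alice Example,Room 1:/home/alice:/bin/bash'
SAMPLE_SHADOW='alice:$6$constructed$notarealhash:16000:0:99999:7:::'

# usage: passwd_to_ldif <base dn> <passwd line> <shadow line> [host ...]
passwd_to_ldif() {
    base=$1; pw=$2; shd=$3; shift 3
    IFS=: read -r user junk uid gid gecos home shell <<EOF
$pw
EOF
    IFS=: read -r junk hash last min max warn rest <<EOF
$shd
EOF
    cn=${gecos%%,*}                   # full name is the first GECOS field
    printf 'dn: uid=%s,%s\n' "$user" "$base"
    printf 'objectClass: %s\n' top account posixAccount shadowAccount
    printf 'uid: %s\ncn: %s\n' "$user" "${cn:-$user}"
    printf 'uidNumber: %s\ngidNumber: %s\n' "$uid" "$gid"
    printf 'homeDirectory: %s\nloginShell: %s\n' "$home" "$shell"
    printf 'userPassword: {CRYPT}%s\n' "$hash"
    printf 'shadowLastChange: %s\nshadowMin: %s\n' "$last" "$min"
    printf 'shadowMax: %s\nshadowWarning: %s\n' "$max" "$warn"
    for h in "$@"; do printf 'host: %s\n' "$h"; done
}

passwd_to_ldif 'ou=People,dc=example,dc=com' "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" server1 server2
```

The output is fed to ldapadd; the host list stays in the directory, so the audit Matt runs from a config file becomes an ldapsearch on the host attribute instead.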