Nicolas Kovacs
2018-Mar-26 09:59 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
On 26/03/2018 at 10:28, isdtor wrote:
> In my opinion, there is a serious gap in this area. It's either NIS,
> simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management
> server at a complexity at least one order of magnitude beyond NIS.

I gave FreeIPA a spin a while back. I installed it on a sandbox server, and from what I recall, it pulled in a tsunami of dependencies, and the first thing it wanted was to replace my Dnsmasq with BIND... so I didn't look much further.

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info at microlinux.fr
Tel. : 04 66 63 10 32
On 26.03.2018 at 11:59, Nicolas Kovacs <info at microlinux.fr> wrote:
>
> On 26/03/2018 at 10:28, isdtor wrote:
>> In my opinion, there is a serious gap in this area. It's either NIS,
>> simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management
>> server at a complexity at least one order of magnitude beyond NIS.
>
> I gave FreeIPA a spin a while back. I installed it on a sandbox server,
> and from what I recall, it pulled in a tsunami of dependencies, and
> the first thing it wanted was to replace my Dnsmasq with BIND... so I didn't
> look much further.

Quite some time ago we had a stripped setup here working only with OpenLDAP and PAM modules: LDAP with replication for redundancy, centralized communication with a local CA and over TLS. It worked very well. The successor of such a setup is SSSD for EL7, but the above should still be a feasible solution.

--
LF
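The OpenLDAP-with-TLS-and-local-CA design described above maps onto a handful of SSSD options on EL7. As an added example (not code from this thread or from the SSSD project), here is a small audit of an sssd.conf that flags the settings which would leave the LDAP channel as exposed as NIS: cleartext ldap:// without STARTTLS, a certificate policy weaker than demand, and no pinned local CA. The option names are real sssd-ldap(5) options; the two configuration texts, hostnames and CA path are constructed.

```python
"""Audit sssd.conf LDAP domains for cleartext or unverified-TLS settings.
Added example; option names are sssd-ldap(5) options, configs are constructed."""
import configparser

# Constructed minimal EL7-style sssd.conf: plain ldap://, lax cert policy.
WEAK_CONF = """
[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap1.example.internal
ldap_tls_reqcert = allow
"""

# Same domain, TLS on the wire, server cert verified against a local CA.
HARDENED_CONF = """
[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap1.example.internal, ldaps://ldap2.example.internal
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/local-ca.crt
"""

def audit_sssd_ldap(conf_text):
    """Return a list of findings for every [domain/*] section backed by LDAP."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        sec = cp[section]
        if not section.startswith("domain/") or "ldap" not in (
                sec.get("id_provider"), sec.get("auth_provider")):
            continue
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        # ldap:// is cleartext unless SSSD is told to upgrade with STARTTLS;
        # with auth_provider = ldap that traffic includes users' passwords.
        start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        plain = [u for u in uris if u.startswith("ldap://")]
        if plain and not start_tls:
            findings.append(f"{section}: cleartext LDAP, no STARTTLS: {', '.join(plain)}")
        # Anything weaker than demand/hard (the default) accepts an unverifiable cert.
        reqcert = sec.get("ldap_tls_reqcert", "hard").lower()
        if reqcert not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert={reqcert} skips certificate verification")
        # A private CA is not in the system trust store unless pinned here.
        if "ldap_tls_cacert" not in sec and "ldap_tls_cacertdir" not in sec:
            findings.append(f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir for the local CA")
    return findings
```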
Leroy Tennison
2018-Mar-26 13:13 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
I also looked into FreeIPA and the complexity is significant; at the time, FreeIPA's DNS integration seemed to rely on a Fedora patch and I wasn't willing to introduce that into a production environment. Does anyone know if this has changed?

Also, concerning alternatives, does anyone have experience with Shibboleth or OmniAuth?

-----Original Message-----
From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Leon Fauster
Sent: Monday, March 26, 2018 6:41 AM
To: CentOS mailing list <centos at centos.org>
Subject: [EXTERNAL] Re: [CentOS] How insecure is NIS ? Possible alternatives ?

> On 26.03.2018 at 11:59, Nicolas Kovacs <info at microlinux.fr> wrote:
>
> On 26/03/2018 at 10:28, isdtor wrote:
>> In my opinion, there is a serious gap in this area. It's either NIS,
>> simple, easy to set up yet insecure, or LDAP/FreeIPA/RH Id management
>> server at a complexity at least one order of magnitude beyond NIS.
>
> I gave FreeIPA a spin a while back. I installed it on a sandbox
> server, and from what I recall, it pulled in a tsunami of
> dependencies, and the first thing it wanted was to replace my Dnsmasq with
> BIND... so I didn't look much further.

Quite some time ago we had a stripped setup here working only with OpenLDAP and PAM modules: LDAP with replication for redundancy, centralized communication with a local CA and over TLS. It worked very well. The successor of such a setup is SSSD for EL7, but the above should still be a feasible solution.

--
LF
Gordon Messmer
2018-Mar-26 14:14 UTC
[CentOS] How insecure is NIS ? Possible alternatives ?
On 03/26/2018 02:59 AM, Nicolas Kovacs wrote:
> I gave FreeIPA a spin a while back. I installed it on a sandbox server,
> and from what I recall, it pulled in a tsunami of dependencies, and
> the first thing it wanted was to replace my Dnsmasq with BIND... so I didn't
> look much further.

FreeIPA should be installed on its own server or VM, in which case its dependencies and what it replaces shouldn't be a cause for concern. You can still run dnsmasq on a different host. Use FreeIPA's DNS for the internal, private domain only.

FreeIPA takes all of one command to install, and one to set up. It provides a web UI for both administrative and end-user management of users, passwords, login and sudo policy, etc. Anything you find overly complex can simply be unused.
On 26/03/2018 15:14, Gordon Messmer wrote:
> FreeIPA takes all of one command to install, and one to set up. It
> provides a web UI for both administrative and end-user management of
> users, passwords, login and sudo policy, etc. Anything you find overly
> complex can simply be unused.

FreeIPA is easy to set up, but it is quite a complex beast under the hood. I've had some nasty debugging sessions with it before when things like Kerberos trust relationships failed.
On 2018-03-26, Leon Fauster <leonfauster at googlemail.com> wrote:
>
> Quite some time ago we had a stripped setup here working only with OpenLDAP and
> PAM modules: LDAP with replication for redundancy, centralized communication
> with a local CA and over TLS. It worked very well. The successor of such a setup
> is SSSD for EL7, but the above should still be a feasible solution.

Likely an even longer time ago, I did an even more stripped-down version of this, where I just set up an OpenLDAP server, used their tools to import from our existing NIS to it, and ran it unencrypted (all the hosts were either on the same switch or over VPN, so having no encryption on the network channel was less of a concern). It was fairly straightforward, and I imagine that nowadays, setting up TLS for slapd and clients is probably fairly straightforward too.

I wonder how much support there is for NIS any more in recent distros. Is it possible CentOS 7 doesn't support NIS, or does but is buggy?

--keith

--
kkeller at wombat.san-francisco.ca.us
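The message above describes importing an existing NIS database into OpenLDAP with the shipped tools. As an added example, not the poster's tooling and not OpenLDAP's own migration scripts, here is the core of such a conversion: NIS passwd-map lines (the format `ypcat passwd` prints) turned into LDIF posixAccount entries, including the shadow-placeholder and locked-account cases a migration script must handle rather than blindly copy. The base DN and the sample map are constructed; the hash shown is a placeholder, not a real one.

```python
"""Convert NIS passwd-map lines into LDIF posixAccount entries.
Added example; BASE_DN and SAMPLE_MAP are constructed, not from the thread."""

BASE_DN = "ou=People,dc=example,dc=internal"   # assumed LDAP suffix

# Constructed sample map: a live account with a crypt hash (placeholder value),
# a shadow-style 'x' placeholder, and a locked service account.
SAMPLE_MAP = """\
alice:$6$saltsalt$PLACEHOLDERHASHNOTREAL:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/sh
svc:!:1003:1003:Locked service account:/var/lib/svc:/sbin/nologin
"""

def passwd_entry_to_ldif(line):
    """Return LDIF text for one passwd line, or None if the line is malformed."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return None
    name, pw, uid, gid, gecos, home, shell = fields
    if not name or not uid.isdigit() or not gid.isdigit():
        return None
    attrs = [
        f"dn: uid={name},{BASE_DN}",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {name}",
        f"cn: {gecos or name}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
        f"loginShell: {shell}",
    ]
    # Only a real crypt(3) hash is carried over. 'x' means the hash lives in the
    # shadow map; '!' or '*' (or a '!'-prefixed hash) marks a locked account. In
    # those cases no userPassword is written, so the entry cannot authenticate.
    if pw and pw not in ("x", "*") and not pw.startswith("!"):
        attrs.append(f"userPassword: {{CRYPT}}{pw}")
    return "\n".join(attrs) + "\n"

def convert_map(text):
    """Convert a whole map; returns (ldif_text, number_of_skipped_lines)."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ldif = passwd_entry_to_ldif(line)
        if ldif is None:
            skipped += 1
        else:
            entries.append(ldif)
    return "\n".join(entries), skipped
```

Entries produced this way are only as safe as the channel they are later served over; pairing the import with TLS on slapd and its clients, as the message suggests, is what closes the gap NIS leaves open.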