Hi folks --

Does anyone out there have experience replacing NIS using Puppet? If so, can you kindly share some advice, gotchas, and whatnot, etc...

Thanks in advance for your help ....

-Conrad

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
In my experience, replacements for NIS are things like LDAP and DNS.

While Puppet can help with the implementation, IMHO it cannot do the actual work of any of these services.

Or did I misunderstand the question?

On May 19, 2012, at 7:51 PM, ConradL wrote:
> Hi folks --
>
> Does anyone out there have experience replacing NIS using Puppet?
> If so, can you kindly share some advice, gotchas, and whatnot,
> etc...
>
> Thanks in advance for your help ....
>
> -Conrad
On Sat, May 19, 2012 at 9:47 PM, Dan White <ygor@comcast.net> wrote:
> In my experience, replacements for NIS are things like LDAP and DNS.
>
> While Puppet can help with the implementation, IMHO it cannot do the actual work of any of these services.

I tend to agree with Dan on this one. I am a fan of LDAP for user/group management and DNS for name resolution. However, to play devil's advocate, let's pick apart some of what NIS does for you and what Puppet could do to replace NIS.

> Or did I misunderstand the question?

I also wonder if I understand the question correctly, but I'm going to try to tackle it anyway. :)

> On May 19, 2012, at 7:51 PM, ConradL wrote:
>> Hi folks --
>>
>> Does anyone out there have experience replacing NIS using Puppet?
>> If so, can you kindly share some advice, gotchas, and whatnot,
>> etc...

NIS can be used for a bunch of databases: ethers, netmasks, networks, etc. I assume, though, that you are referring to passwd, shadow, group and hosts, so let's consider those.

User/Group Management (passwd, shadow, group)
- See the User and Group types.
  http://docs.puppetlabs.com/references/stable/type.html#user
  http://docs.puppetlabs.com/references/stable/type.html#group

Pros (of using Puppet):
- No dependence on an LDAP/NIS server
- No firewall rules, no fiddling with LDAP+TLS or LDAPS
- Perhaps more responsive (maybe not, given other services like nslcd, sssd, nscd)
- There are lots of tools for password synchronization between different directories

Cons:
- No central failed login tally. Sure, you can deploy pam_tally to limit failed login attempts, but any attempt to brute force a password would get [# of attempts] * [# of hosts an account is on].
- Delay to add/remove users is dependent on how often hosts retrieve their catalogs. For new users this is inconvenient, but for disabling users this can be a concern.
- Sure, Puppet is auditable, but if you use something like pam_groupdn with LDAP, finding out who can log in to your servers is a simple query with most directory servers: "ldapsearch -x isMemberOf=cn=linuxaccess,dc=example,dc=com"
- If you wanted to do password policing you'd have to check password strength/length before letting Puppet deploy the hash. This is generally just a feature of an LDAP directory.

Naming (hosts)
- See the Puppet Host type, or the File type if you just want to manage the whole file as one unit
  http://docs.puppetlabs.com/references/stable/type.html#host
  http://docs.puppetlabs.com/references/stable/type.html#file

Pros (of using Puppet):
- Exported resources would be an easy win to get hosts into /etc/hosts, but if you used Puppet to manage bind you could get the same effect
- Like before, no dependence on another server, no firewall rules, etc.
- In theory more responsive than DNS, but DNS is pretty fast, and using things like nscd or a local caching resolver, that's moot

Cons:
- You'll probably still need DNS anyway... Unless you have a completely isolated environment you'll probably need DNS for something anyway.
- Like before, naming updates are dependent on your Puppet catalog compilations

Those things said, I can see reasons why one might use Puppet to manage users/groups over LDAP and hosts over DNS. In an environment where:
- users/groups don't change frequently
- there was no need for DNS for other things (mail, service location, etc.)
- the hosts were built/destroyed frequently (think EC2 or another cloud provider)
- network access to such services was problematic (think EC2 or another provider)

it might in fact make sense to use Puppet to manage some of what you would use NIS for.

Hope that helps and I'd be glad to keep discussing.

-Alan

>> Thanks in advance for your help ....
>>
>> -Conrad
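Alan's list above points at the User, Group and Host types and at exported resources, but the thread contains no manifest. The following is an added example written for this page, not code posted by anyone in the thread and not Puppet Labs' own code. The account names (alice, bob), the group linuxaccess, the UIDs/GIDs, db1.example.com and its address, and the password hash are all made-up placeholders, and the exported-resource collector assumes storeconfigs (or PuppetDB) is enabled on the master.

```puppet
# Added example for this thread (not from the original posters).
# Manages locally what the NIS passwd/shadow/group/hosts maps would carry.
# All names, IDs, addresses and the hash below are placeholders.

# Groups first, with a fixed GID so it agrees on every node. NIS gave you
# one copy of the map; here the manifest is the single source of truth.
group { 'linuxaccess':
  ensure => present,
  gid    => '2000',
}

# An active account. 'password' takes a crypt(3) hash, never plaintext.
# The value here is a constructed placeholder, not a real hash; generate
# one with e.g. `openssl passwd -6` (or mkpasswd). Puppet enforces no
# strength/length policy on it, so check the password *before* the hash
# is committed to the manifest (the con Alan raises above).
user { 'alice':
  ensure     => present,
  uid        => '3001',
  gid        => 'linuxaccess',
  home       => '/home/alice',
  managehome => true,
  shell      => '/bin/bash',
  password   => '$6$PLACEHOLDERSALT$PLACEHOLDERHASH',  # placeholder
  require    => Group['linuxaccess'],
}

# A departed account. ensure => absent removes it on the *next* agent
# run of each node, so until every node has checked in the account still
# exists there; a node whose agent is stopped keeps it indefinitely.
# managehome => true also removes the home directory on removal.
user { 'bob':
  ensure     => absent,
  managehome => true,
}

# Purge any local account the catalog does not declare. This is the
# closest a pull-based tool gets to "the central map is authoritative".
# unless_system_user keeps accounts below the system UID threshold out
# of the purge. Try this with --noop on a scratch node first.
resources { 'user':
  purge              => true,
  unless_system_user => true,
}

# hosts map equivalent. A static entry first ...
host { 'db1.example.com':
  ensure       => present,
  ip           => '10.0.0.5',        # placeholder address
  host_aliases => ['db1'],
}

# ... then every managed node exports its own entry and collects the
# others, tagged so unrelated exported Host resources are not pulled in.
# Requires storeconfigs/PuppetDB on the master (assumption).
@@host { $::fqdn:
  ensure       => present,
  ip           => $::ipaddress,
  host_aliases => [$::hostname],
  tag          => 'managed-hosts',
}
Host <<| tag == 'managed-hosts' |>>
```

Check the syntax with `puppet parser validate` and preview the changes on one node with `puppet apply --noop` before letting agents pick it up. Two of the cons above are visible directly in the manifest: nothing validates the hash you paste into `password`, and the removal of bob (and the `resources` purge) only takes effect when each node's agent next runs, so a stopped agent leaves stale accounts in place.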
On May 19, 6:51 pm, ConradL <cland7...@gmail.com> wrote:
> Does anyone out there have experience replacing NIS using Puppet?
> If so, can you kindly share some advice, gotchas, and whatnot,
> etc...

Puppet cannot directly replace NIS, as it doesn't operate in the same space. I suppose you're thinking of using Puppet to manage local authentication and hosts databases (and maybe others) on your nodes instead of those nodes relying on central NIS databases. Some of the factors you should weigh include:

1) When you update a central database such as NIS, the update is immediately available to all nodes (though caching may affect how soon they recognize it). On the other hand, if you rely on updating local databases on all your nodes via Puppet then there will be some time when nodes' local databases do not all agree. That time can be extended indefinitely if the Puppet agent is turned off on some of your nodes. If updates are frequent then you may not be able to rely on nodes ever being completely synchronized.

2) Lookups in local files are faster than RPC invocations across the network, and they leave more bandwidth available for other traffic. Local caching (e.g. via nscd) can convert most NIS lookups from RPC to local, however.

3) Network lookups are a problem for disconnected machines, such as (at times) laptops.

4) For users, you can combine NIS in compat mode with authorization management via Puppet. Puppet does not support it out of the box, but it's a fairly straightforward project to use for learning about writing custom Puppet providers.

5) As others have observed, there are other alternatives to consider, such as LDAP for users and/or hosts and DNS for hosts.

John
Hi guys --

Thanks all for your feedback. Yes, I was actually thinking about the user / group management aspect in a NIS-to-Puppet migration. It looks like LDAP is a more appropriate tool for this.

Thanks again, and regards .....

-Conrad

On Mon, May 21, 2012 at 6:05 AM, jcbollinger <John.Bollinger@stjude.org> wrote:
> Puppet cannot directly replace NIS, as it doesn't operate in the same
> space. I suppose you're thinking of using Puppet to manage local
> authentication and hosts databases (and maybe others) on your nodes
> instead of those nodes relying on central NIS databases.