gabriel rosenkoetter on Sat, 9 Nov 2002 03:40:05 -0500
On Fri, Nov 08, 2002 at 11:40:16PM -0500, W. Chris Shank wrote:
> I assume LDAP,

Why do you assume that? LDAP can do this, but it can do a lot more too
(more, plausibly, than you need it to do). And it's either very
expensive or free, but very difficult to configure. (Go 'head. Read the
OpenLDAP docs. Have fun!)

> but what about NIS or NIS+? How are these
> implemented in Linux.

By starting ypbind. It's almost definitely already installed.

There is no NIS+ server for Linux, and there hasn't been any indication
there ever will be one. But regular old NIS (YP, as it was originally
called) works just fine. You can make Linux be an NIS+ client without
too much trouble with an NIS+ master on Solaris.

Have a look around http://www.linux-nis.org/ for some documentation and
help setting things up.

> I'm curious how you are setting up linux networks
> (or linux in networks) where you'd want the accounts to be managed
> across several machines. Please share your experiences.

I use (er, *will* use; I've got a server configured without clients
now... turns out that it's not something that directly makes the company
money, so it's not a priority) an NIS+ server on Solaris 9 with Linux
and Solaris clients authenticating against it.

Sort of. Because NIS+ will just go and ask Radius for authentication
information. Which is also what the WINS servers will ask for
authentication. And the Cisco boxes. And anything running Mac OS X's
NetInfo client, should we ever have anything that does. Perhaps you see
the point here. :^>

There exists a free Radius implementation (if not several; I'm not so
far as actually setting that up yet, even in isolation), though I may
well end up paying for a commercial one.

In the past, I've also used rsync over ssh (using a null-passphrased key
for root that was only allowed to execute rsync in receive mode) to
distribute the stuff you'd ordinarily keep in NIS or LDAP maps.

I gave a WIP report about that at LISA two years ago in New Orleans, and
there were some negative comments about security (justifiable paranoia,
but I assure you I can convince you that it's safe in the environment I
had it set up; it certainly wouldn't be in *every* environment). I had
plans to expand that and make it less of a kludge, but I haven't come
back to it yet because I haven't needed it. You're welcome to the shell
scripts and docs from that first attempt if you'd like them. I'm
certainly not the first to do something like that, of course.

I did all that under Solaris (E450 as a master, bunch of Ultra
workstations as clients), but it's completely platform independent.
Well, not *completely*, since you have to have passwd, shadow, and so
forth files that all the clients grok (note that BSD calls it
"master.passwd" not "shadow"), but it's nothing a few regexps can't
fix.

-- 
gabriel rosenkoetter
gr@eclipsed.net
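The rsync-over-ssh scheme above hinges on two details the message mentions but does not show: how a root key is held down to "rsync in receive mode, nothing else", and the regexp work needed because BSD clients read master.passwd rather than passwd plus shadow. The script below is an added illustration, not the author's original scripts: it assumes the key was restricted with an sshd forced command in authorized_keys (the message does not say how it was done), it assumes the push directory /var/push, and its passwd/shadow records are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original message. Assumptions: the key is
# restricted via a forced command in root's authorized_keys, the push
# directory is /var/push, and the sample account records are made up.

# --- 1. Forced-command guard ------------------------------------------------
# On each client, root's authorized_keys carries the master's key as (assumed):
#   command="/usr/local/sbin/rsync-only /var/push",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... master
# sshd then runs this script with the master's requested command line in
# SSH_ORIGINAL_COMMAND. rsync's remote side is invoked as
#   rsync --server [--sender] <flag-word> [--opt ...] . <path>
# so "receive mode only" means: begins with "rsync --server", carries no
# --sender (that would let the peer read our files), every word is free of
# shell metacharacters, and the final path is exactly the directory we allow.
rsync_receive_only() {
    allowed=$1; shift              # $1 = permitted destination; rest = command words
    [ $# -ge 4 ] || return 1
    [ "$1" = rsync ] && [ "$2" = --server ] || return 1
    prev=""; last=""
    for w in "$@"; do
        case "$w" in
            --sender) return 1 ;;
            *[!A-Za-z0-9._/=,-]*) return 1 ;;
        esac
        prev=$last; last=$w
    done
    [ "$prev" = "." ] || return 1
    [ "$last" = "$allowed" ] || [ "$last" = "$allowed/" ]
}

# Entry point when sshd invokes us (SSH_ORIGINAL_COMMAND is set only then).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    allowed_dir=${1:?usage: rsync-only DIR}
    set -f                            # no globbing while splitting the request
    set -- $SSH_ORIGINAL_COMMAND
    if rsync_receive_only "$allowed_dir" "$@"; then
        exec "$@"                     # exec the words directly: no shell re-parsing
    fi
    echo "rsync-only: refused request" >&2
    exit 1
fi

# --- 2. Linux passwd+shadow -> BSD master.passwd ----------------------------
# master.passwd has ten fields: name:hash:uid:gid:class:change:expire:gecos:home:shell.
# shadow's account-expiry (field 8) is in days since the epoch; BSD wants seconds.
# An account with no shadow entry gets "*" so it cannot log in on the client.
to_master_passwd() {
    # $1 = passwd file, $2 = shadow file; master.passwd lines on stdout
    awk -F: 'BEGIN { OFS = ":" }
        NR == FNR { hash[$1] = $2; expd[$1] = $8; next }      # first file: shadow
        {
            e = (expd[$1] == "") ? 0 : expd[$1] * 86400
            h = ($1 in hash) ? hash[$1] : "*"
            print $1, h, $3, $4, "", 0, e, $5, $6, $7
        }' "$2" "$1"
}

# Constructed sample records (not real accounts) so the conversion runs offline.
demo_master_passwd() {
    d=${TMPDIR:-/tmp}/rsync-only-demo.$$
    mkdir -p "$d"
    printf '%s\n' 'alice:x:1001:1001:Alice:/home/alice:/bin/sh' \
                  'svc:x:1002:1002:Service:/srv/svc:/sbin/nologin' > "$d/passwd"
    printf '%s\n' 'alice:$6$saltsalt$hashhashhash:11999:0:99999:7::12000:' > "$d/shadow"
    to_master_passwd "$d/passwd" "$d/shadow"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo_master_passwd; fi
```

Run it as `sh rsync-only demo` to see the two converted records; installed under the forced command, the same file only ever reaches the guard. The guard execs the split words rather than handing SSH_ORIGINAL_COMMAND to a shell, so a request such as `rsync --server -e;id . /var/push` is refused at the metacharacter check instead of being interpreted. The null-passphrase key is still a credential worth as much as the client's push directory, which is the paranoia the LISA audience was voicing; the forced command bounds the damage, it does not remove it.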