gabriel rosenkoetter on Sat, 9 Nov 2002 10:23:06 -0500
On Sat, Nov 09, 2002 at 03:47:02AM -0500, Bradley Molnar wrote:

> D'oh, don't tell me that openldap is that hard to configure, a bunch of us
> are about to try to use it to replace a very broken NIS domain.

It's doable. But it vaguely resembles pulling your own teeth. And you'll have a hard time not being the one personally responsible for life once you've got it configured, because few other people are going to take the time to learn once you've got it set up.

> The problem we ran into with the NIS was, when the server died suddenly, the
> whole set-up would refuse to boot. Since someone lost the solaris disks...I
> have had to replace solaris with another OS b/c we needed them to boot.

Solaris software is free, just media costs. It's licensing for the machine in question that costs money and you have, presumably, already paid that.

Call Sun. They'll want the hostid, which you can get from the OpenFirmware prompt. (Or was this Solaris x86? In which case neither they nor I have much interest in helping you. ;^>)

> The only problem I can see with NIS is what we had happen -- since it (by
> default I believe) mounts the user's home directory from the server on the
> local machine, if something breaks on the server end, you have a bunch of
> clients that have no users (some of the solaris boxes wouldn't fully boot --
> and the root password left with a professor who left last year).

Some problems:

1. If you have only one NIS master, you're screwed. You're strongly advised to keep a backup.

2. Home directories and NIS are totally orthogonal issues. Use automountd and /etc/auto_home (or the Linux version, wherever it is) for that if you don't trust the NIS server. (It'd be much easier to maintain, though, if you trusted auto_home to NIS for the most part.)

3. You should never, ever, ever keep your root password in an NIS passwd map. Partly because of the problem you ran into, and partly because any luser on a client machine can ypcat /etc/passwd and get the encrypted passwords under NIS. And simply hiding ypcat won't help; it's a Perl one-liner to do the same thing. Just take root out of the map after you create it and maintain root locally on each machine. (Yes, that means changing the root password is still a hassle; just do a while loop around ssh'ing to all your hosts in your shell.) Make sure you've still got "files" at the end of your passwd line in /etc/nsswitch.conf (or understand what another option--say "compat"--does).

> If someone knows how to do this easily (make user directories mount over the
> network on logon), I would love to know how to set it up.

I can spit out the steps easily for Solaris, but I don't recall them off the top of my head for Linux. See automount(8).

> For what it's worth, I was talking with the Redhat guys when they were at
> Ursinus, and, they are planning on using openldap for future versions to do
> the logon stuff for big networks. They are going to be writing some of
> their own software (graphical, of course) to make it nice and easy, as well
> as migration tools.

Great. I don't want GUI tools, I want a clear CLI. OpenLDAP hasn't got it. Neither, really, does NIS, but its commands have been in use for a long time so more people know them so you won't be married to maintaining OpenLDAP.

But it's your call...

--
gabriel rosenkoetter
gr@eclipsed.net
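An added audit script, not from the original message, that checks constructed NIS passwd-map data and nsswitch.conf passwd lines against the points made in the reply above (a uid 0 account left in the map, hashes readable by any client via ypcat, and "files" still present on the passwd line). All map entries and config bodies are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: audit constructed NIS passwd-map data and
# an nsswitch.conf passwd line for the points made in the reply above.

# Constructed sample of what `ypcat passwd` returns on a classic NIS domain:
# the password field holds the real hash, readable by every client.
SAMPLE_MAP='root:$1$aB3Cd$CONSTRUCTEDHASH:0:0:Super-User:/:/sbin/sh
alice:$1$eF4Gh$CONSTRUCTEDHASH:1001:100:Alice:/home/alice:/bin/sh
bob:$1$iJ5Kl$CONSTRUCTEDHASH:1002:100:Bob:/home/bob:/bin/sh
toor:$1$mN6Op$CONSTRUCTEDHASH:0:0:Backup root:/:/bin/sh'

# Constructed nsswitch.conf bodies (only the passwd line matters here).
NSSWITCH_GOOD='passwd: nis files
group:  nis files'
NSSWITCH_BAD='passwd: nis
group:  nis files'

# List map entries with uid 0. Any root-equivalent account belongs in each
# host's local /etc/passwd, never in a map every client can ypcat.
find_uid0_in_map() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# List map entries whose password field carries a hash rather than a
# placeholder ("x", "*", "!"); those hashes are exposed to every NIS client.
find_exposed_hashes() {
    printf '%s\n' "$1" |
        awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print $1 }'
}

# Classify the passwd line of an nsswitch.conf body: "ok" when "files" is
# listed (root still resolves locally when NIS is down), "review" when only
# "compat" appears (read its semantics first), "bad" when neither does.
nsswitch_passwd_status() {
    printf '%s\n' "$1" | awk '
        $1 == "passwd:" { for (i = 2; i <= NF; i++) {
            if ($i == "files") f = 1; if ($i == "compat") c = 1 } }
        END { print (f ? "ok" : (c ? "review" : "bad")) }'
}

# Run the audit over the constructed data.
echo "uid 0 accounts in map:"; find_uid0_in_map "$SAMPLE_MAP"
echo "accounts with exposed hashes:"; find_exposed_hashes "$SAMPLE_MAP"
echo "nsswitch (good): $(nsswitch_passwd_status "$NSSWITCH_GOOD")"
echo "nsswitch (bad):  $(nsswitch_passwd_status "$NSSWITCH_BAD")"
```

Point the functions at real `ypcat passwd` output and the host's /etc/nsswitch.conf to run the same checks against a live domain.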