3480fd0cf9ae2c9d1278924df5f0cb97.ppt
- Number of slides: 5

NIS overview
• Centralized user/password pool. Before LDAP.
• NIS: ypcat passwd reveals the shadow password hashes to "John the dictionary cracker".
• NIS is OK in a trusted system (IAA). Master / slaves working fine.
• NIS is easy to manage and maintain. Very robust commands for years. GUI tool (system-config-users) ready.
Why LDAP after all the good ol' years
• OpenLDAP (Lightweight Directory Access Protocol) ready on Linux/Solaris. A subset of the complex X.500 protocol.
• Sun ONE, Microsoft AD, Novell eDirectory, Linux OpenLDAP.
• Centralized database of information. Database backends to choose from. User rights authorization. ACL for password. Management GUIs (LDAP Administrator ($$$), phpLDAPadmin, LDAP Browser (tiara/hilo)) work fine.
• Must use crypt as the password hash function. /etc/* migration tools ready. slapd/slurpd (master / slave) structure as in NIS.
• Solaris native LDAP client support is buggy: recompile the OpenLDAP client on Sun.
Applications support for LDAP
• PKI: an introduction. Self-signed CA.
• OpenLDAP plus OpenRADIUS for wireless LAN and VPN authentication. Single sign-on power.
• Email (Revolution, etc.) address book lookup and authentication. Web user sign-on. Printer name/IP. Automount.
• LDAPS: TLS/SSL provides strong security (the client can also use a certificate to identify itself). Default is cleartext!
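The two hardening points the slides raise (ACL for the password attribute, and "default is cleartext") both live in the server configuration. The fragment below is an added example written for this page, not configuration from the deck's own servers; the certificate paths, the suffix dc=example,dc=com and the cn=admin DN are assumptions, and `$6$` (SHA-512 crypt) assumes a glibc crypt(3) that supports it.

```conf
# Added example slapd.conf fragment (not from the original slides).
# Assumed values: certificate paths, suffix dc=example,dc=com, cn=admin DN.

# --- Weak (what an unconfigured server gives you) ---
# No TLS* directives and no "access to" rules: every bind and every
# userPassword read crosses the wire in cleartext, and slapd's built-in
# default of "access to * by * read" lets any bind read the hashes,
# which is the same exposure as ypcat passwd on NIS.

# --- Corrected ---
TLSCACertificateFile   /etc/openldap/certs/ca.crt
TLSCertificateFile     /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key

# Require 128-bit security strength for every operation, simple binds
# included, so a client that forgot STARTTLS/ldaps gets "confidentiality
# required" instead of silently sending its password in the clear.
security ssf=128

# The deck's migration path needs crypt-format hashes; the stock salt
# format ("%s") yields classic DES crypt, so pick a stronger crypt variant.
password-hash {CRYPT}
password-crypt-salt-format "$6$%.16s"

# ACLs are evaluated in order and the first matching "access to" wins,
# so the password rule must come before the catch-all.
access to attrs=userPassword,shadowLastChange
    by dn.exact="cn=admin,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by * read
```

`by anonymous auth` is what still lets users bind: slapd may compare a supplied password against the hash but never return the attribute. Check the result from a client with an anonymous `ldapsearch` against a user entry; userPassword should be absent from the output, and a plain `ldap://` search without `-ZZ` should be refused once `security ssf=128` is in place.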
Windows/Mac users
• Do we really need it? Active Directory seems better suited for M$. LDAP for Mac OK.
• Add-on application pGina to talk to the LDAP server.
• Samba as public domain controller. Popular among "poor" MIS units. Account transition tools to OpenLDAP accounts ready; need to create all new accounts.
Plan
• Coexist with NIS servers for current UIDs during the transition period.
• LDAP is I/O bound, not CPU intensive. Araid 2600 for OS/data. Plus a slave.
• AD for MS Windows. Environment mature.
• OpenLDAP HA (highly available)?
• LDAP is very complicated. Learn by doing.