Promoting LDAP vs NIS on RHL

Lucas Albers admin at cs.montana.edu
Wed Jul 23 06:16:17 UTC 2003


I've been working on replacing nis with openldap as my central
authentication method.
I've been working on implementing this for approximately 2 weeks.
I was not aware that NIS was significantly faster than ldap.

It is tricky implementing ldap; getting the server configured
correctly and importing the data takes effort...

To reiterate setting up ldap is a pain in the ass. I go to work every day
thinking, this sucks, and I hope I can get it implemented.
I have been working on an ldap conversion for upwards of 30 hours, and
expect to finish in 50-100 hours total.



Then I can test it for awhile, implement it, and then turn off NIS.

As near as I understand you can configure ldap to authenticate for each
connection. So a user can only get his password/username after he
authenticates.
There are some tricky configuration issues that, if you overlook them, render
your ldap authentication completely open.
If users, for example, can change their UID, they can become root.
If you have it set to autocreate directories when accounts are created and
you don't limit user logins to particular machines, they might be able to
login to servers they shouldn't be on.

Discussions on other mailing lists seem to indicate people are using ldap
with millions of entries.
Index it correctly, and have enough ram and you should have plenty of
performance.

The disaster recovery seems straightforward: just slapcat the database and
back up the resulting text file.

I will be playing with disaster recovery...so when my server dies in the
distant future I will know what to do.

I look forward to a number of items in ldap:
Better security, users can't grab the whole password list as they
currently can from NIS.

SASL Encryption.
Address Books for users and my MTA.
redundancy, setup a backup caching server.
--Luke

> could you make openldap not be incredibly slow under high load and/or
> large number of entries?
>
> The problem I see with ldap-authentication backends are:
> 1. w/o kerberos or some other strong authenticator you'll still need an
> authentication system for your authentication system
> 2. the available ldap server for linux appears to not scale that well
> right now.
> 3. the layout of user information is not terribly obvious
> 4. the disaster recovery mechanism (what do you back up to make sure you
> can recover) isn't as well documented or as trivial to understand as
> NIS'
>
> my 2c
> -sv
>
>
>
>
> --
> Rhl-beta-list mailing list
> Rhl-beta-list at redhat.com
> http://www.redhat.com/mailman/listinfo/rhl-beta-list
>
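The two pitfalls Luke names (a self-writable UID, and the password hashes being readable by anyone, as they are in NIS) come down to the slapd access-control list. The following slapd.conf fragment is an added example and is not from the original post or from Luke's setup; the suffix dc=example,dc=com, the manager DN cn=Manager, the proxy DN cn=nss, and the use of the pam_ldap host check are assumptions made for illustration. The weak rule is shown commented out next to the rules that replace it.

```conf
# --- slapd.conf ACL fragment (added example; names below are assumed) ---

# WEAK (do not use): a single catch-all rule that lets every authenticated
# user rewrite their own entry. "Own entry" includes uidNumber, so a user
# can set uidNumber: 0 and become root on every client that reads from
# this directory.
#
# access to *
#     by self write
#     by * read

# 1. Password hashes. The owner may change the password; an anonymous bind
#    may only *use* it to authenticate (the "auth" privilege, needed for
#    simple binds); nobody else may read it. This is what stops a user from
#    pulling the whole hash list the way "ypcat passwd" does under NIS.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Identity and login-placement attributes are NOT self-writable.
#    uidNumber/gidNumber decide who you are on the client; homeDirectory
#    and loginShell decide what runs at login; host (from the "account"
#    objectclass) is what pam_ldap checks when pam_check_host_attr is on.
#    Only the manager DN may change them. (The rootdn bypasses ACLs anyway;
#    the line documents intent and covers a non-root admin DN.)
access to attrs=uid,uidNumber,gidNumber,homeDirectory,loginShell,host
    by dn="cn=Manager,dc=example,dc=com" write
    by * read

# 3. Everything else: readable only after an authenticated bind, per the
#    "a user can only get his username after he authenticates" goal.
#    Because anonymous gets nothing, nss_ldap on the clients must bind as
#    a low-privilege proxy DN (binddn/bindpw in ldap.conf) to resolve
#    names; cn=nss is an assumed name for that account.
access to *
    by dn="cn=Manager,dc=example,dc=com" write
    by dn="cn=nss,dc=example,dc=com" read
    by users read
    by anonymous none
```

ACLs are evaluated in order and the first matching "access to" clause wins, so the userPassword rule must come before the catch-all. The second pitfall in the post (auto-created home directories letting users log into servers they should not be on) is not an ACL problem but a client one: with the host attribute protected as above, setting pam_check_host_attr yes in the client's pam_ldap configuration makes each host honour the list of machines in the user's entry, and pam_mkhomedir then only ever fires on hosts the user is allowed to reach.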
