Promoting LDAP vs NIS on RHL
Stephen Smoogen
smoogen at lanl.gov
Wed Jul 23 16:15:02 UTC 2003
We found that turning on nscd with openldap w/db4 had the speeds
equivalent to NIS. However our ldap tables may just be lucky enough to
be fast.
On Tue, 2003-07-22 at 23:15, seth vidal wrote:
> On Wed, 2003-07-23 at 00:58, Dax Kelson wrote:
> > An LDAP directory can have numerous advantages over NIS. For example:
> >
> > * Strong mutual authentication of client machines and LDAP servers
> > * All network traffic can be encrypted (by mandate even) via SSL or TLS.
> > * A rogue root on client machines cannot access user data, collect
> > encrypted password strings for user accounts
> > * Shadow password functionality including aging can be used
> >
> > I would like to encourage Linux sysadmins to "properly" and securely
> > setup LDAP directories as opposed to NIS.
> >
> > What can be done to encourage this?
> >
> > For starters, it would be nice to have a good generic LDAP directory
> > browser/editor that was SSL/TLS enabled. RHL7.3 shipped with a decent
> > one, GQ, but it was dropped.
> >
> > The slick looking "directoryadministrator" can be used to administer a
> > directory post-setup.
> >
> > Anyone have other ideas?
>
> could you make openldap not be incredibly slow under high load and/or
> large number of entries?
>
> The problem I see with ldap-authentication backends are:
> 1. w/o kerberos or some other strong authenticator you'll still need an
> authentication system for your authentication system
> 2. the available ldap server for linux appears to not scale that well
> right now.
> 3. the layout of user information is not terribly obvious
> 4. the disaster recovery mechanism (what do you back up to make sure you
> can recover) isn't as well documented or as trivial to understand as
> NIS'
>
> my 2c
> -sv
--
Stephen John Smoogen smoogen at lanl.gov
Los Alamos National Labrador CCN-5 Sched 5/40 PH: 4-0645 (note new #)
Ta-03 SM-1498 MailStop B255 DP 10S Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --