Re: [K12OSN] LDAP vs NIS

cwagnon redbugmail k12 ar us wrote:

Everyone talks about LDAP but I'm sure NIS has its place.

From a security perspective, the place for NIS is in the dumpster. NIS is
based on Sun RPC and the portmapper service, which has had a lot of
vulnerabilities over the years, and continues to do so. A quick search for
"NIS" in my local copy of the Bugtraq database gave 90 hits (mind you,
"LDAP" gave 77, but then, there are so many different LDAP directory
servers), and then there's the portmapper itself to consider.

Don't just take my word for it - see "Hacking Unleashed", page 286, for
example: "Thus, Sun and other vendors have tried to patch the existing
legacy framework to make it more secure, but it still suffers from a myriad
of security-related problems". Or page 288: "The best defense against
remote RPC attacks is to disable any RPC service that is not absolutely

My professional opinion is that unless the users around your system are
extremely unsophisticated, you should stay away from NIS.

(NIS+ is somewhat better, but there's no NIS+ server for Linux, only a NIS+

If all you want to do is keep the shadow passwords and Samba passwords in
sync on a couple of servers, then my suggestion would be Webmin
(http://www.webmin.com). Its Samba module has a configuration option which,
when set, means that any users added or deleted through Webmin itself are
added to both /etc/{passwd,shadow} and /etc/samba/smbpasswd. There's also a
function for batch editing of users (and it can also sync pap-secrets and
chap-secrets, and generate SSH keys).

For long-term growth, LDAP seems to be the way to go, though. Steep initial
learning curve, but almost everything can authenticate against it, you can
use it as an address book, etc.


--- Les Bell, RHCE, CISSP
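The point made above, that what NIS really exposes is a set of RPC services registered with the portmapper, can be checked on a host. The following is an added example (not part of the original post or of any project): a POSIX shell audit that parses `rpcinfo -p` output and flags NIS-family daemons. The `rpcinfo -p` output embedded below is a constructed sample, and `nis_services`, `nis_status` and `audit_host` are hypothetical names chosen here.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output; not captured from a real host.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    915  ypserv
    100004    2   tcp    918  ypserv
    100007    2   udp    973  ypbind
    100009    1   udp    654  yppasswdd
    100003    3   tcp   2049  nfs'

# Read rpcinfo -p output on stdin; print the distinct NIS-family service
# names found (field 5), skipping the header line.
nis_services() {
  awk 'NR > 1 && $5 ~ /^(ypserv|ypbind|yppasswdd|ypxfrd|ypupdated)$/ { print $5 }' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Read rpcinfo -p output on stdin; return 0 when no NIS service is
# registered with the portmapper, 1 otherwise, and say what was found.
nis_status() {
  found=$(nis_services)
  if [ -n "$found" ]; then
    echo "NIS services registered with portmapper: $found"
    return 1
  fi
  echo "no NIS services registered with portmapper"
  return 0
}

# Audit a live host: rpcinfo -p is the real command, the rest is this example.
audit_host() {
  rpcinfo -p "$1" | nis_status
}

# Demonstration on the constructed sample; a non-zero status marks a host
# where ypserv/ypbind should be disabled (or the portmapper, if unneeded).
printf '%s\n' "$SAMPLE_RPCINFO" | nis_status || :
```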

