
Re: [K12OSN] LDAP vs NIS



On Mon, 14 Jul 2003, Les Bell wrote:

> 
> cwagnon redbugmail k12 ar us wrote:
> 
> >>
> Everyone talks about LDAP but I'm sure NIS has its place.
> <<
> 
> From a security perspective, the place for NIS is in the dumpster. NIS is
> based on Sun RPC and the portmapper service, which has had a lot of
> vulnerabilities over the years, and continues to do so. A quick search for
> "NIS" in my local copy of the Bugtraq database gave 90 hits (mind you,
> "LDAP" gave 77, but then, there are so many different LDAP directory
> servers), and then there's the portmapper itself to consider.
> 
> Don't just take my word for it - see "Hacking Unleashed", page 286, for
> example: "Thus, Sun and other vendors have tried to patch the existing
> legacy framework to make it more secure, but it still suffers from a myriad
> of security-related problems". Or page 288: "The best defense against
> remote RPC attacks is to disable any RPC service that is not absolutely
> necessary".

BUT, you are already running portmapper, because NFS needs it.


> 
> My professional opinion is that unless the users around your system are
> extremely unsophisticated, you should stay away from NIS.
> 
> (NIS+ is somewhat better, but there's no NIS+ server for Linux, only a NIS+
> client).
> 
> If all you want to do is keep the shadow passwords and Samba passwords in
> sync on a couple of servers, then my suggestion would be Webmin
> (http://www.webmin.com). Its Samba module has a configuration option which,
> when set, means that any users added or deleted through Webmin itself are
> added to both /etc/{passwd,shadow} and /etc/samba/smbpasswd. There's also a
> function for batch editing of users (and it can also sync pap-secrets and
> chap-secrets, and generate SSH keys).
> 
> For long-term growth, LDAP seems to be the way to go, though. Steep initial
> learning curve, but almost everything can authenticate against it, you can
> use it as an address book, etc.

Agreed, I think LDAP is the future. I'm very interested myself in
exploring using LDAP to authenticate for running local apps within
LTSP.  I just need to figure out a way to get more hours in the day.

Jim McQuillan
jam Ltsp org
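A defender-side check for the point raised above, that NIS rides on the same portmapper an NFS server already needs, added here as an example and not taken from the thread or from any project it mentions: the script parses `rpcinfo -p` style output (the sample below is constructed, not captured from a real host) and reports which NIS programs are registered with the portmapper, so an admin who keeps portmapper for NFS can confirm that no NIS services are listening alongside it. The service names and program numbers are the standard ones (ypserv, ypbind, yppasswdd, ypxfrd); the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output on a host running both NFS and NIS.
# Columns: program vers proto port service
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100005    3   udp  32768  mountd
    100004    2   udp    835  ypserv
    100007    2   udp    838  ypbind
    100009    1   udp    645  yppasswdd'

# list_rpc_services: print the distinct service names from rpcinfo -p output on stdin.
# The header line is skipped; only well-formed five-column rows are considered.
list_rpc_services() {
    awk 'NR > 1 && NF == 5 { print $5 }' | sort -u
}

# nis_rpc_services: from rpcinfo -p output on stdin, print only the NIS-related
# registrations. Output is empty when none are registered (grep's non-match is
# not treated as an error so the function is safe under `set -e`).
nis_rpc_services() {
    list_rpc_services | grep -E '^(ypserv|ypbind|yppasswdd|ypxfrd)$' || true
}

# nis_exposure_report: summarize whether the host exposes NIS over RPC. Prints
#   "no-nis"        portmapper may be present (e.g. for NFS) but no NIS program is registered
#   "nis: <names>"  NIS programs are registered; each is remotely reachable RPC surface
nis_exposure_report() {
    found=$(nis_rpc_services | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$found" ]; then
        echo "no-nis"
    else
        echo "nis: $found"
    fi
}

# Stand-alone run against the constructed sample. On a real host use:
#   rpcinfo -p | nis_exposure_report
printf '%s\n' "$SAMPLE_RPCINFO" | nis_exposure_report
```

On the sample this prints `nis: ypbind yppasswdd ypserv`; a host that runs only NFS on top of portmapper prints `no-nis`, which is the state the quoted advice ("disable any RPC service that is not absolutely necessary") is asking for.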