Promoting LDAP vs NIS on RHL

seth vidal skvidal at phy.duke.edu
Wed Jul 23 05:15:21 UTC 2003


On Wed, 2003-07-23 at 00:58, Dax Kelson wrote:
> An LDAP directory can have numerous advantages over NIS. For example:
> 
> * Strong mutual authentication of client machines and LDAP servers
> * All network traffic can be encrypted (by mandate even) via SSL or TLS.
> * A rogue root on client machines cannot access user data, collect
> encrypted password strings for user accounts
> * Shadow password functionality including aging can be used
> 
> I would like to encourage Linux sysadmins to "properly" and securely
> set up LDAP directories as opposed to NIS.
> 
> What can be done to encourage this?
> 
> For starters, it would be nice to have a good generic LDAP directory
> browser/editor that was SSL/TLS enabled. RHL7.3 shipped with a decent
> one, GQ, but it was dropped.
> 
> The slick looking "directoryadministrator" can be used to administer a
> directory post-setup.
> 
> Anyone have other ideas?

could you make openldap not be incredibly slow under high load and/or
large number of entries?

The problems I see with ldap-authentication backends are:
1. w/o kerberos or some other strong authenticator you'll still need an
authentication system for your authentication system
2. the available ldap server for linux appears to not scale that well
right now.
3. the layout of user information is not terribly obvious
4. the disaster recovery mechanism (what do you back up to make sure you
can recover) isn't as well documented or as trivial to understand as
NIS'

my 2c
-sv
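The four advantages Dax lists (mutual authentication, mandatory encryption, no hash harvesting by a rogue client root, shadow aging) map onto a handful of OpenLDAP directives. The following is an added, constructed example and not configuration from either poster; it assumes the suffix dc=example,dc=com and certificate paths under /etc/openldap/certs/. The commented-out "weak" ACL is the NIS-equivalent posture it replaces.

```conf
## slapd.conf (server side), constructed example:
## assumes suffix dc=example,dc=com and certs in /etc/openldap/certs/

# --- WEAK (NIS-like): anyone reaching port 389 reads every attribute,
# --- password hashes included.  Left here only for contrast.
# access to * by * read

# --- HARDENED ---
# Reject any operation not protected by at least a 128-bit cipher,
# so cleartext binds and unencrypted searches fail outright.
security ssf=128

# Server certificate, plus mutual authentication: the client must present
# a certificate signed by our CA or the TLS handshake is refused.
TLSCACertificateFile   /etc/openldap/certs/ca.crt
TLSCertificateFile     /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile  /etc/openldap/certs/slapd.key
TLSVerifyClient        demand

# Hashes and shadow aging fields are never readable, only usable for a
# bind ("auth"); root on a client host cannot collect them.
access to attrs=userPassword,shadowLastChange,shadowMax,shadowExpire
        by self write
        by anonymous auth
        by * none

# Remaining posixAccount data needs an authenticated bind to read.
access to *
        by users read
        by anonymous auth

## /etc/ldap.conf (nss_ldap / pam_ldap on the client), constructed example
host            ldap.example.com
base            dc=example,dc=com
ssl             start_tls
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/certs/ca.crt
tls_cert        /etc/openldap/certs/client.crt
tls_key         /etc/openldap/certs/client.key
pam_password    exop
```

Because `access to *` grants read only to bound users, the clients' NSS lookups themselves need credentials (a proxy bind DN or SASL/Kerberos), which is exactly the "authentication system for your authentication system" problem raised in item 1 above.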

More information about the fedora-test-list mailing list