
Account Management

 
SOLVED
Go to solution
Jacob Ott
New Member

Account Management


Over the years we have built up 3 fairly nasty NIS domains. It's quite the administrative nightmare. We have mostly unique UIDs and GIDs but still a few conflict that will probably never be able to change. Our systems will always need to run NIS for compatibility sake (read: we still have 10.x systems that will only run NIS). The diversity of the environment is scary.

My question is this. What are everyone's opinions on different sorts of directory management? 3 separate and not equal NIS domains is a pain to work with.

The obvious solution is to bring together the disjoint NIS domains into one, then migrate them all into a "new" NIS domain or something like LDAP. Unfortunately we still have to run NIS, AND we have UID/GID conflicts that will never be resolved.

LDAP is an option. I have attempted to setup a simple LDAP domain, however it doesn't really simplify things because of the non-unique UID/GID problem. We could have the 3 separate NIS domains in the LDAP directory, but that doesn't simplify life.

If there was a way to keep the conflicting UIDs/GIDs in a subdomain, then migrate the non-conflicts up to the parent domain. That would simplify life. As far as I've tried, there looks to be no way to have subdomains in LDAP/NIS that will look back up a level for accounts not found in a subdomain. Views looked promising, but groups can't be assigned attributes like users can. Even if they could, disjoint base DNs confuse the NIS/LDAP gateway.

NIS+ is a dead dog already so why migrate to something that's already going out of style.

Any other suggestions?
Steven E. Protter
Exalted Contributor
Solution

Re: Account Management

I think you have a fairly good idea which way to go.

You need a new NIS layout that works for all three environments and a plan that migrates you there and gets the GID/UID thing worked out once and for all.

I don't see what LDAP buys you unless you want to start authenticating users at the LDAP system and replace NIS altogether.

To go the LDAP route, you'll need to set up a test server and get experience with it.

None of this will work without an intricate plan. You are going to need to pretty much know the final GID/UID layout for EVERY user before you start.

The devil here is in the details.

I totally agree with avoiding NIS+. That dog is dead and buried and Sun is probably going to abandon it.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
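As an added illustration of the audit this reply calls for (it is not code from either poster): the script below takes one passwd map per NIS domain, in the format `ypcat passwd` prints, and reports UIDs shared by different usernames, usernames that carry different UIDs in different domains, and accounts that already agree everywhere and can move to a merged map unchanged. The domain names and accounts are constructed sample data; the same check runs on group maps with `min_fields=4`.

```python
from collections import defaultdict

# Constructed sample passwd maps (name:pw:uid:gid:gecos:home:shell), one per
# NIS domain, as `ypcat -d <domain> passwd` would print them. Not real accounts.
NIS_MAPS = {
    "eng": ["alice:x:1001:100:Alice:/home/alice:/bin/sh",
            "bob:x:1002:100:Bob:/home/bob:/bin/sh",
            "build:x:2000:200:Build Svc:/home/build:/bin/sh"],
    "ops": ["alice:x:1001:100:Alice:/home/alice:/bin/ksh",  # same name+uid: fine
            "carol:x:1002:100:Carol:/home/carol:/bin/sh",   # uid 1002 is bob in eng
            "dave:x:1003:100:Dave:/home/dave:/bin/sh"],
    "lab": ["bob:x:1500:100:Bob Lab:/home/bob:/bin/sh",     # name bob, other uid
            "dave:x:1003:100:Dave:/home/dave:/bin/sh"],
}

def parse_map(lines, min_fields=7):
    """Yield (name, numeric id) from passwd(5) lines; use min_fields=4 for group(5)."""
    for line in lines:
        stripped = line.strip()
        parts = stripped.split(":")
        if stripped.startswith("#") or len(parts) < min_fields:
            continue  # comment or malformed entry
        try:
            yield parts[0], int(parts[2])
        except ValueError:
            continue  # non-numeric id field

def find_conflicts(maps, min_fields=7):
    """Return (id_conflicts, name_conflicts, mergeable):
      id_conflicts:   id -> {name: [domains]} where one id is used by several names
      name_conflicts: name -> {id: [domains]} where one name has several ids
      mergeable:      sorted names that agree in every domain and whose id is unambiguous
    """
    by_id = defaultdict(lambda: defaultdict(list))
    by_name = defaultdict(lambda: defaultdict(list))
    for domain, lines in maps.items():
        for name, num in parse_map(lines, min_fields):
            by_id[num][name].append(domain)
            by_name[name][num].append(domain)
    id_conflicts = {i: dict(n) for i, n in by_id.items() if len(n) > 1}
    name_conflicts = {n: dict(i) for n, i in by_name.items() if len(i) > 1}
    mergeable = sorted(n for n, ids in by_name.items()
                       if len(ids) == 1 and next(iter(ids)) not in id_conflicts)
    return id_conflicts, name_conflicts, mergeable

if __name__ == "__main__":
    ids, names, ok = find_conflicts(NIS_MAPS)
    print("uid used by several names:", ids)
    print("name with several uids:  ", names)
    print("safe to merge unchanged: ", ok)
```

Every entry that lands in the first two reports needs a decision in the migration plan before the maps are merged; the third list is what can be copied into the new domain as-is.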