HPE Community
Operating System - HP-UX
1823152 Members
3507 Online
109647 Solutions
New Discussion юеВ

NIS vs. LDAP

 
Olivier Masse
Honored Contributor

тАО06-02-2008 04:48 PM

тАО06-02-2008 04:48 PM

NIS vs. LDAP

Currently I have a homemade solution to replicate passwords to my 50+ servers. I'm looking into something more supportable in the long term. I'm with 11iv2 and plan on moving to 11iv3 sometime next year.

NIS+ has been removed since 11iv3. NIS is still available and would be enough for my needs but I'll spare all the security issues that could arise from it (even if using IP Filter or IPSec).

I know nothing about LDAP. But the LDAP-UX client does seem to be well-supported and documented by HP. I could set up a small OpenLDAP server just for my HP-UX domain and be through with it. I don't care if the server component is open-source as long as it works.

1. Is using NIS in 2008 a good idea? I think not but I'm open to any argument in favor of NIS, if there are any. It's easy to setup, for one.

2. Is setting up a dedicated LDAP server, only to host HP-UX accounts (and possibly Apache passwords as well), easy to do? Any reading suggestions on the subject?

Points will be awarded, thanks.

P.S. We have a corporate LDAP server somewhere but I'd rather stay away from it, for various reasons (red tape among others)... So don't suggest this avenue please.
0 Kudos
10 REPLIES 10
TTr
Honored Contributor

тАО06-02-2008 06:24 PM

тАО06-02-2008 06:24 PM

Re: NIS vs. LDAP

How reliable, effective and manintenable is your homemade solution?

I use NIS with a bunch of 11.23 servers. It works fine but because I have password aging (the comma based in the password string) there are some minor issues with the password aging. I had to maintain the 10.20 NIS master because of it and still one minor issue remains. I don't know what NIS looks like in 11.31. I wish it made a come back with added encryption etc.
I don't use shadow passwords so I don't know if NIS can handle them. It may be as simple as adding /etc/shadow in the list of NIS maps.

I also looked at LDAP but it is much more involved. There is an LDAP/NIS gateway but that is to help during the migration. You need to do a lot of reading and get comfortable with the LDAP structures that you have to create to accomodate the standard UNIX password/roup structure. Maintaining an LDAP environment is not trivial either.
HP provides the Red Hat directory server (Netscape porting with Red Hat label) for HP-UX.
0 Kudos
Patrick Wallek
Honored Contributor

тАО06-02-2008 06:26 PM

тАО06-02-2008 06:26 PM

Re: NIS vs. LDAP

I would go for an LDAP server. If you want to set up one just for your HP-UX servers, that would be OK.

NIS is good but if you are covered by any of the audit standards, HIPPA, Sarbanes-Oxley, possibly PCI, then NIS will never pass an audit.
0 Kudos
Patrick Wallek
Honored Contributor

тАО06-02-2008 06:31 PM

тАО06-02-2008 06:31 PM

Re: NIS vs. LDAP

To add to TTr's comments:

NIS on Sun Solaris had the capability to have the shadow file as an NIS map. However, at that time it did not work with HP-UX. That was probably due to the fact that HP-UX had no /etc/shadow file support at that time. The last I worked with it to any extent was about 7 years ago though.

Now that HP-UX has /etc/shadow support, the NIS shadow map **MAY** work. You would need to read up on NIS on HP-UX and see.

I think I would still go for LDAP though.
0 Kudos
TTr
Honored Contributor

тАО06-02-2008 06:34 PM

тАО06-02-2008 06:34 PM

Re: NIS vs. LDAP

I just took a quick look at

http://docs.hp.com/en/5992-2187/5992-2187.pdf

and support for shadow passwords is added. I hope encryption is added next.
0 Kudos
Olivier Masse
Honored Contributor

тАО06-03-2008 08:09 AM

тАО06-03-2008 08:09 AM

Re: NIS vs. LDAP

Indeed administring an LDAP server does not seem trivial, but enduring a SOX audit with a basic NIS server would scare the hell out of me!

As for Red Hat Directory Server: I actually never noticed that HP had bundled this in HP-UX since a while, I thought it was a third party product. Since it's an "official" product and it's released by HP, I like this. Guess I have some reading to do...

Thanks
0 Kudos
TwoProc
Honored Contributor

тАО06-03-2008 08:48 AM

тАО06-03-2008 08:48 AM

Re: NIS vs. LDAP

I use the very same thing - an LDAP server for just the Unix computers. I did this because of the security issues of NIS and NIS+, plus I was informed that it was going away.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
DougStrasburg
Frequent Advisor

тАО06-04-2008 05:15 AM

тАО06-04-2008 05:15 AM

Re: NIS vs. LDAP

Olivier,

You might want to consider using Kerberos for authentication. As security is becoming more of an issue it seems more are turning to a combination Kerberos/LDAP solution with MS Active Directory as a repository. Kerberos is used for authentication while the LDAP capability (schema) of ADS is extended to hold the Unix account (Posix) information. You might also check the "mod_auth" modules for Apache for LDAP and Kerberos. (e.g., mod_auth_kerb)
0 Kudos
Steven E. Protter
Exalted Contributor

тАО06-04-2008 05:22 AM

тАО06-04-2008 05:22 AM

Re: NIS vs. LDAP

Shalom,

1. Is using NIS in 2008 a good idea? I think not but I'm open to any argument in favor of NIS, if there are any. It's easy to setup, for one.

No. If you are not currently using it, it would be advised to avoid this technology for the reasons you have stated.

2. Is setting up a dedicated LDAP server, only to host HP-UX accounts (and possibly Apache passwords as well), easy to do? Any reading suggestions on the subject?

There are several working versions of an LDAP server for HP-UX in depot form on http://software.hp.com

It may not be easy to do the setup, but it is possible for you to build a system without integrating to windows.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
TwoProc
Honored Contributor

тАО06-04-2008 07:30 AM

тАО06-04-2008 07:30 AM

Re: NIS vs. LDAP

Re: 2) Easy to do.

No, LDAP for the first isn't particularly easy. It's not particularly daunting either.

We just decided it was the right thing to do, so we went ahead and spent the time to learn it , assemble it, and then implement it.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Olivier Masse
Honored Contributor

тАО06-04-2008 08:19 AM

тАО06-04-2008 08:19 AM

Re: NIS vs. LDAP

Thanks to everyone
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.