Operating System - HP-UX

Re: nis vs. nis + vs. ldap

someone_4
Honored Contributor

nis vs. nis + vs. ldap

Hello everyone ..

I was wondering if anyone can shed some light on what the difference is between NIS and LDAP for user
authentication. And what would be the best for a 25-server and about 15-25 user environment, and why?

So far here is what I believe. Let me know if I am on the right track. From my understanding LDAP is used more for domain management for internet services such as mail and web hosting. NIS is for local user authentication, and would be good for a small environment with not that many users.
NIS+ is the advanced version of NIS. There may be more of a setup, but it has a lot more features than NIS.

So far I am thinking of moving towards NIS. But others think we should go with an LDAP solution.

Thanks,
Richard
Steven E. Protter
Exalted Contributor

Re: nis vs. nis + vs. ldap

NIS plus is designed for private networks. It doesn't work in a public DNS environment.

The knocks against NIS and NIS+ are that it can be very complex to administer. After going through Network and Sys Admin II and doing the exercises, I decided I didn't want anything to do with it.

I'm actually considering using it to keep passwords synched in my Linux environment for my web hosting business.

Back on topic:

LDAP's advantage is that it can take user authentication off the HP-UX server. Except for root and administrative accounts, you don't need to worry about passwords and security policy.

If the LDAP server is an HP-UX box, you handle it on one box, and then configure all the others to authenticate off that box.

If the LDAP server is a Microsoft box, you do an HP White paper that involves changes to the environment, and then follow a five page procedure for moving authentication to LDAP.

This topic is covered in HP's Internet Security Course, which is a wonderful course and is underutilized.

On a practical basis, your users can have one login that works for print spoolers, Oracle, telnet, ftp, anything you want.

In my far from humble opinion, LDAP is the wave of the future because it allows integration with a Microsoft environment.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
S.K. Chan
Honored Contributor

Re: nis vs. nis + vs. ldap

I'll throw in my brief thought on this. Given your environment, I would first go with just the basic NIS setup. That alone will give you a considerable amount of time to do the work and planning for your migration. NIS+ is "enhanced NIS" and some of its features that I liked which NIS does not have are ..
- A NIS+ server can serve multiple IP subnets, whereas for NIS you need at least one server (slave) per subnet.
- Map propagation is faster for NIS+ because it can do incremental propagation. For NIS you need to push the whole map out.
.. among others ..
But the major downside with NIS+ is its complexity, which outweighs the benefits. So between NIS and NIS+ I'd rather go with the former. LDAP however is a totally different "animal". I have not dealt with it enough to say much. Our site is currently integrating our NIS with LDAP. One of the reasons for this is that we want to consolidate the maps from different geographical regions and LDAP is ideal for this. It integrates well with NIS. So for a small setup like yours NIS is ideal and later you can always consider LDAP integration. Hope this gives you something to go on.
Shannon Petry
Honored Contributor

Re: nis vs. nis + vs. ldap

I have a bit of experience with all 3, and will give the pros and cons as well as a few benefits.

First, all 3 services (NIS, NIS+, and LDAP) perform the same basic function on the surface: user IDs, passwords, groups, services, hosts lookups, etc.

NIS: Basic service and supported on all UNIX systems that I know of. It is flexible in that you can build and push your own information without re-inventing the wheel, simply by understanding basic scripting and Unix commands.
Drawback is Security. NIS is very insecure. Passwords are encrypted, but the salted encryption is plain text and visible from the passwd map.

NIS+: Performs the same tasks as NIS and adds several new features. NIS+ is extremely secure. NIS+ is NOT supported on all Unix/Linux platforms and for this reason has been under-developed by Sun, and is not flexible.
NIS+ adds to NIS the ability to sub-domain. This means that a NIS tree can span as many layers as needed. I.e.
enterprise.com = NIS+ Master
mynet.enterprise.com = Sub domain
your.mynet.enterprise.com = subdomain of mynet, still responsible to enterprise.
NIS+ has limited support outside of SunOS, and is very difficult to set up. Problem resolution is not simple, and the hierarchy means that a failure can be catastrophic. Careful planning is required for successful implementation.

LDAP: LDAP is an extension of the thoughts of Novell on how they gathered and used network information. Everything has a place, and there is no limit to what you can put into an LDAP system. I.e.
USER() can be USER(Name, password) or can be (Name, password, url, email_address, /link/to/a/pic, manager, department, etc...)

LDAP, like NIS+, requires careful planning. It's a database and query format, so as much as you can do with a database, you can do with LDAP.

LDAP has the least support of any, mainly because of the following.
1. Stability
2. Standards
3. Security

Currently LDAP is growing in use and popularity because of flexibility. Security is still an issue with LDAP, but is improving. There are very few standards defined, making a sys-admins job a nightmare when determining how to build the big picture.

I myself have liked the concepts of LDAP, but because I run Irix, AIX, Solaris, HP-UX, Linux, and Windblows I don't run it. Right now, NIS is the only thing that is supported on all the Unices. Windblows has questionable support for LDAP outside of craptive directory services.

So, if you want to be cutting edge go LDAP, if you want easy go NIS. If you want security, go NIS+.

Hope it helps a little bit.

Regards,
Shannon
Microsoft. When do you want a virus today?
Kevin Wright
Honored Contributor

Re: nis vs. nis + vs. ldap

Sounds like your environment is perfect for a NIS setup. NIS+ is on life support, as Sun will not be continuing it in future releases. LDAP is probably too complicated for what you need to accomplish, but certainly it is cutting edge, and the future direction for many reasons.

Not sure if you can use C2 security on HP's NIS, however, on Solaris you can create a shadow file for your NIS passwd's to increase security.
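As an added example, not code from any of the posters, here is a small audit for the exposure Shannon describes (the crypt hash sitting in the world-readable passwd map) and the shadow-style placeholder Kevin mentions. It assumes POSIX sh plus awk; the sample map is constructed, and the `##user` placeholder is the form a Solaris passwd.adjunct setup leaves in the passwd map.

```shell
#!/bin/sh
# Added example (not from the thread): audit a NIS passwd map for exposed hashes.
# Any NIS client can dump the map with `ypcat passwd`; when the second field
# holds the crypt(3) hash instead of a placeholder, every host on the network
# can read it. A placeholder ("x", "*", "NP", or "##user" from a Solaris
# passwd.adjunct map) means the hash is kept out of the world-readable map.

# Constructed sample map, standing in for `ypcat passwd` output.
SAMPLE_MAP='root:x:0:0:Super-User:/:/sbin/sh
alice:ab8JhfJ7Kl2mn:1001:100:Alice:/home/alice:/bin/ksh
bob:##bob:1002:100:Bob:/home/bob:/bin/sh
guest::1003:100:Guest:/home/guest:/bin/sh
garbage line without fields'

# Reads passwd(4)-format lines on stdin, prints "user:status" per entry.
audit_passwd_map() {
    awk -F: '
        NF != 7 { next }                                 # skip malformed lines
        {
            pw = $2
            if (pw == "x" || pw == "NP" || pw ~ /^[*!]/ || pw ~ /^##/)
                status = "hidden"       # placeholder or locked; hash not in map
            else if (pw == "")
                status = "EMPTY"        # no password at all: passwordless login
            else
                status = "EXPOSED"      # crypt hash readable by every client
            print $1 ":" status
        }'
}

# Number of entries whose hash is readable straight from the map.
count_exposed() {
    audit_passwd_map | grep -c ':EXPOSED$' || true
}

# Demo run on the constructed sample; in production pipe `ypcat passwd` in.
printf '%s\n' "$SAMPLE_MAP" | audit_passwd_map
```

A non-zero exposed count on a real map is the condition Kevin's shadow-style setup (or moving the hashes behind LDAP access controls) is meant to remove.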