
Linux.com

Feature

SysAdmin to SysAdmin: NIS end-of-life and LDAP

By Brian Jones on September 01, 2004 (8:00:00 AM)


Last week we talked about the challenges of replacing Red Hat Linux 9. This week we'll look at another instance of how changing infrastructure options challenge administrators. Sun, the inventor of Network Information Service, has announced the end-of-life for NIS. This is a more heterogeneous problem than the end of a single Linux distribution.

Almost none of us work in a 100% Linux environment. We have EMC and NetApp appliances that authenticate users in order to get access to the files stored on them. We have Cisco switches and access points that authenticate users to get access to the network. We have groupware applications, Web servers, and mail servers which need a whole host of user information. Last but not least, we have Solaris, AIX, HP-UX, and possibly other systems that need to authenticate users. All of these platforms work well with NIS. What happens now?

Sun is pushing LDAP as the replacement, but no two LDAP clients are implemented the same way. Sun doesn't talk to an LDAP server like a Linux machine does, or an AIX or HP-UX machine does for that matter. Every one of these platforms has one issue or another. For Linux, nobody appears to have written the client-side code to properly handle netgroups for all the things you might use netgroups for. For Sun, there's no start_tls implementation. NetApp just barely knows what LDAP is.

For simple servers, the best we can do is try to consolidate and move to one operating system and squeeze everything we can out of it. This would at least provide us with a single set of issues to deal with; one configuration to troubleshoot, which is then applicable across most of the machine room. Which OS wins that battle? Hint: it's probably not Sun. It's probably not a proprietary Unix, period. But I digress.

The bottom line is we administrators, again, have a choice to make: Implement an NIS server on another platform, or move to some other service. Since NIS+ is probably overkill and a gross increase in administrative overhead, this is probably not what most of us will go with (not to mention that NIS+ is next on Sun's chopping block). For those who can clearly see the writing on the wall, the answer is "find an LDAP server that'll run on the platforms we're using, and start figuring out how to get all of your systems and applications to play nicely with it." But do you go with OpenLDAP, IBM SecureWay, Novell's eDirectory, or Sun's SunONE directory server? There are others, too!

No implementation is perfect. Novell appears to assume that you're in a NetWare environment, and that your user home directories are on NetWare volumes. Reports I've received on SecureWay seem to indicate that there is a notable decrease in performance when compared with almost any other solution, as well as NIS. OpenLDAP suffers from a somewhat complex implementation, and a cold-as-ice mailing list which makes getting through the learning curve difficult. SunONE is a good LDAP implementation, but it's commercial, so there's no support if your environment is using the free license, which is good for something like 200,000 entries. Novell eDirectory has a similar license, but the forum help at Novell is rather nice, and eDirectory runs pretty well under Linux in my experience. What's an admin to do?

Personally, I went with OpenLDAP. OpenLDAP is a pretty rock-solid server implementation. However, the various LDAP client implementations have kept LDAP out of production for over a year now. LDAP touches pretty much everything (ugh). Anything that needs a password needs to get it from LDAP, unless you're going to sync NIS and LDAP (double-ugh). For services that check group memberships, user- or host-based netgroup memberships, or that use tcp_wrappers, configuration can be interesting.

Did you pick a different LDAP implementation? Are you sticking with NIS on a different platform? Are you just going to build it on Solaris using third-party packages? What has your experience been with the clients? Have you moved to commercial versions of some client services in order to get the LDAP integration you need? In some cases, moving to LDAP makes doing more with user data easier. In other cases, it makes some things harder. Share your thoughts!
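The concrete work behind "get all of your systems to play nicely with it" is moving the NIS maps (passwd, group, netgroup) into the RFC 2307 schema that every LDAP client on the platforms above understands. The following converter is an added example, not code from the column or from any of the directory servers it names. It assumes a suffix of dc=example,dc=com with the conventional ou=People, ou=Group and ou=Netgroup containers, and map lines in the same field layout as /etc/passwd, /etc/group and /etc/netgroup; the sample lines in SAMPLE_* are constructed for the illustration.

```python
"""NIS map lines -> RFC 2307 LDIF (added example; not the column's own code).

Assumptions (not from the page): suffix dc=example,dc=com with ou=People,
ou=Group and ou=Netgroup containers; map lines laid out like /etc/passwd,
/etc/group and /etc/netgroup.  SAMPLE_* lines are constructed, not real.
"""
import base64

BASE_DN = "dc=example,dc=com"  # assumed directory suffix


def ldif_attr(name, value):
    """One LDIF attribute line; base64-encode the value when RFC 2849 requires
    it (empty, leading space/colon/'<', trailing space, control or non-ASCII)."""
    unsafe = (
        value == ""
        or value[0] in " :<"
        or value[-1] == " "
        or any(ord(c) < 32 or ord(c) > 126 for c in value)
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def entry(attrs):
    """Render (attribute, value) pairs as one LDIF record."""
    return "\n".join(ldif_attr(k, v) for k, v in attrs) + "\n"


def passwd_to_ldif(line):
    """passwd map line -> posixAccount + shadowAccount entry.

    The crypt(3) hash from the map is carried in userPassword with the {CRYPT}
    prefix, so the server stores it as an already-hashed value and no cleartext
    password is needed for the migration.  Placeholder or locked fields
    (x, *, !) are dropped so nothing can bind with them."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd line: {line!r}")
    name, pw_hash, uid, gid, gecos, home, shell = fields
    attrs = [
        ("dn", f"uid={name},ou=People,{BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "account"),        # structural class; posixAccount is auxiliary
        ("objectClass", "posixAccount"),
        ("objectClass", "shadowAccount"),
        ("uid", name),
        ("cn", gecos.split(",")[0] or name),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
        ("loginShell", shell),
    ]
    if gecos:
        attrs.append(("gecos", gecos))
    if pw_hash and pw_hash not in ("x", "*", "!"):
        attrs.append(("userPassword", "{CRYPT}" + pw_hash))
    return entry(attrs)


def group_to_ldif(line):
    """group map line -> posixGroup entry with one memberUid per member."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"malformed group line: {line!r}")
    name, _pw, gid, members = fields
    attrs = [
        ("dn", f"cn={name},ou=Group,{BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "posixGroup"),
        ("cn", name),
        ("gidNumber", gid),
    ]
    attrs += [("memberUid", m) for m in members.split(",") if m]
    return entry(attrs)


def netgroup_to_ldif(line):
    """netgroup map line -> nisNetgroup entry.

    Parenthesised tokens are (host,user,domain) triples -> nisNetgroupTriple;
    bare tokens name nested netgroups -> memberNisNetgroup.  Triples are
    assumed to contain no whitespace, as in a typical map."""
    name, _, rest = line.rstrip("\n").partition(" ")
    attrs = [
        ("dn", f"cn={name},ou=Netgroup,{BASE_DN}"),
        ("objectClass", "top"),
        ("objectClass", "nisNetgroup"),
        ("cn", name),
    ]
    for token in rest.split():
        kind = "nisNetgroupTriple" if token.startswith("(") and token.endswith(")") else "memberNisNetgroup"
        attrs.append((kind, token))
    return entry(attrs)


# Constructed sample map lines (not real accounts or hosts).
SAMPLE_PASSWD = [
    "alice:$1$saltsalt$abcdefghijklmnopqrstuv:1001:100:Alice Liddell,,,:/home/alice:/bin/bash",
    "backup:x:1002:100:Backup Job:/var/backup:/sbin/nologin",
]
SAMPLE_GROUP = ["users:*:100:alice,backup"]
SAMPLE_NETGROUP = ["sysadmins (ws1,alice,) (ws2,alice,)", "trusted-hosts (ws1,,) sysadmins"]


def convert_maps(passwd, group, netgroup):
    """Whole migration as one LDIF document, one record per map entry."""
    records = ([passwd_to_ldif(l) for l in passwd] + [group_to_ldif(l) for l in group]
               + [netgroup_to_ldif(l) for l in netgroup])
    return "\n".join(records)


if __name__ == "__main__":
    print(convert_maps(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_NETGROUP))
```

The output can be loaded with ldapadd once the ou containers exist. Keeping the {CRYPT} hashes means the directory never sees cleartext passwords during the move, and the netgroup records are what host- or user-based netgroup lookups (the part the column says Linux clients handle poorly) will be resolved against.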


Comments on SysAdmin to SysAdmin: NIS end-of-life and LDAP


Couple of points

Posted by: Administrator on September 01, 2004 08:10 PM
Good article, asking good questions... I worked on a single sign-on solution spanning Solaris 8, Solaris 9 and HP-UX (using LDAP-UX) that authenticated using LDAP + TLS. The vendors frankly told me they didn't think it was possible. It works, but it's fragile and ugly.

You can find a 'least common denominator' LDAP schema to use that supports multiple vendors (rfc2307) that will provide basic authentication support, but like you pointed out finding enterprise support for netgroups, auto-mounting support, etc is a grab bag.

My company is 100% Linux and we ran into weird problems when we tested replacing NIS with LDAP. Things like KDE 3.2 blowing up when you exit because the kdm process doesn't recognize the return code related to pam_ldap, problems with certain applications supporting LDAP authentication with TLS, etc... I mean, authenticating LDAP basically passes user/pass in plain text, so TLS/SSL is an absolute requirement!

We also found problems with cross-distro support. We primarily use Debian around here, but we tried to integrate RHEL / SLES into the test lab and found just flaky blow-ups, seemingly random failed authentication, version conflicts, etc. I mean, NIS does suck, but at least it's a functional single sign-on system.

My $0.02. Thanks for raising the issue!

DaGoodBoy
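The "plain text" point in the comment above is easy to verify on the wire, and the same parsing is what a monitor on the LDAP port needs in order to flag it. The following encoder/decoder for an LDAPv3 simple BindRequest (RFC 2251/4511 BER) is an added example, not code from the commenter or from any LDAP client; the DN and password in the test are constructed. The decoder reports that a cleartext simple bind was seen, and its password length, without copying the credential anywhere.

```python
"""LDAPv3 simple BindRequest on the wire (added example, not from the page).

simple_bind_request() builds the exact bytes a pam_ldap/nss_ldap client sends
on port 389 without STARTTLS; inspect_ldap_message() parses a captured
payload and reports a cleartext simple bind.  Sample DN/password in the
usage below are constructed.
"""


def _ber_length(n):
    """BER length octets: short form under 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _ber_int(n):
    """Non-negative INTEGER, minimal two's complement (leading 0x00 when needed)."""
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    auth = _tlv(0x80, password.encode())            # AuthenticationChoice.simple [0] OCTET STRING
    bind = _tlv(0x60, _ber_int(3) + _tlv(0x04, dn.encode()) + auth)  # [APPLICATION 0] BindRequest
    return _tlv(0x30, _ber_int(message_id) + bind)  # LDAPMessage SEQUENCE


def _read_tlv(buf, pos):
    """Decode one TLV at pos -> (tag, payload, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_ldap_message(buf):
    """Return a finding for a cleartext simple bind, or None for anything else.

    The finding deliberately carries the password *length*, not the password:
    a detector should prove the exposure without re-logging the credential."""
    try:
        tag, msg, _ = _read_tlv(buf, 0)
        if tag != 0x30:
            return None
        tag, msgid, pos = _read_tlv(msg, 0)
        if tag != 0x02:
            return None
        tag, op, _ = _read_tlv(msg, pos)
        if tag != 0x60:                      # not a BindRequest (search, unbind, ...)
            return None
        _, version, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        tag, auth, _ = _read_tlv(op, pos)
    except (IndexError, ValueError):
        return None
    if tag != 0x80:                          # SASL bind ([3]) does not carry a simple password
        return None
    return {
        "message_id": int.from_bytes(msgid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": name.decode("utf-8", errors="replace"),
        "cleartext_password_len": len(auth),
        "anonymous": len(auth) == 0,
    }


if __name__ == "__main__":
    # Constructed credentials for the demonstration.
    payload = simple_bind_request(1, "uid=alice,ou=People,dc=example,dc=com", "s3cret")
    print(payload.hex())                     # the password bytes are visible verbatim
    print(inspect_ldap_message(payload))
```

On a real network the detector would be fed the TCP payload of segments to port 389; a simple bind that turns up there, rather than inside a TLS session, is exactly the exposure the comment warns about. With the PADL nss_ldap/pam_ldap client the fix is `ssl start_tls` plus `tls_checkpeer yes` (and a `tls_cacertfile`) in ldap.conf, so the bind only happens after the server certificate has been verified.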


real world

Posted by: Administrator on September 02, 2004 10:52 AM
We are in the process of switching our production from NIS to LDAP. We've had our LDAP solution in production for the past year, with lots of design.

To make a long story short, we went with the Solaris DS 5.2 solution. It's a mature product, and very reliable. Also, the docs on sunsolve.sun.com and docs.sun.com are useful (along with testing) on getting everything working.

Once you've gotten Solaris working (we did sol8 and 9, and will let attrition address earlier versions), Linux support was very easy by comparison.

HP-UX doesn't (at this point) support LDAP for automount. It will do auth, but I'm waiting for HP to wake up and get it working.

We didn't want to use OpenLDAP, as we wanted everything to work using the default scripts from Sun. After all, Sun came up with NIS. They're leading the move to LDAP.

One thing to keep in mind is to use the latest ldap patches from Sun. Sun is still getting bug reports for boundary cases, and keeping up on the LDAP client patches is a good idea.


NIS+ end of life, not NIS

Posted by: Administrator on September 03, 2004 08:02 PM
Good article but I don't think anyone will have to worry about NIS being end of life just yet. Maybe in 2-4 years with Solaris 11 or 12. Only for other reasons you might be forced to move to LDAP.

Statements about the support of NIS and NIS+ in Solaris 9:


What this really means in the actual release (Solaris 9):
"For question 3:
There has been no statement on removal of NIS support, which means that any changes would be no earlier than Solaris 11, which is at least four years out."

So this means you will have to check the same information when Solaris 10 will be introduced officially end 2004. I guess it depends on the usage of NIS (how many Sun customers and others are still using NIS). And that is only the support by Sun in Solaris releases and training. I guess NIS will be around in Linux for some time in the future.


Re:NIS+ end of life, not NIS

Posted by: Administrator on September 03, 2004 08:21 PM

I've made a mistake, the above should look like this:

Good article but I don't think anyone will have to worry about NIS being end of life just yet. Maybe in 2-4 years with Solaris 11 or 12. Only for other reasons you might be forced to move to LDAP.

Statements about the support of NIS and NIS+ in Solaris 9:
http://wwws.sun.com/software/solaris/ds/ds-namingdirectory/index.html#8

What this really means in the actual release (Solaris 9):

"For question 3:

There has been no statement on removal of NIS support, which means that any changes would be no earlier than Solaris 11, which is at least four years out." http://www.sun.com/bigadmin/xperts/sessions/04_sol9/


So this means you will have to check the same information when Solaris 10 will be introduced officially end 2004. I guess it depends on the usage of NIS (how many Sun customers and others are still using NIS). And that is only the support by Sun in Solaris releases and training. I guess NIS will be around in Linux for some time in the future.


NIS EOL - Single Sign On

Posted by: Administrator on September 08, 2004 09:42 AM
Being that a lot of companies including mine have MSFT Active Directory; it too can be used to manage *Nix UID and GID and provide single sign-on to AD with some third-party help. We recently were demoed a product from http://www.vintela.com (Vintela Authentication Services 2.4) which seems very interesting.
Just my 2 cents.
