From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: tuhs-bounces@minnie.tuhs.org X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: * X-Spam-Status: No, score=1.1 required=5.0 tests=DKIM_INVALID,DKIM_SIGNED, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, SUBJ_ALL_CAPS autolearn=no autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id f48a298c for ; Tue, 6 Nov 2018 06:38:36 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 1D7C1A2310; Tue, 6 Nov 2018 16:38:35 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id BF85CA2408; Tue, 6 Nov 2018 16:38:25 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 2B107A22EA; Tue, 6 Nov 2018 15:11:58 +1000 (AEST) X-Greylist: delayed 526 seconds by postgrey-1.35 at minnie.tuhs.org; Tue, 06 Nov 2018 15:11:52 AEST Received: from sasl.smtp.pobox.com (pb-sasl1.pobox.com [64.147.108.66]) by minnie.tuhs.org (Postfix) with ESMTPS id A8AE9A215E for ; Tue, 6 Nov 2018 15:11:52 +1000 (AEST) Received: from sasl.smtp.pobox.com (unknown [127.0.0.1]) by pb-sasl1.pobox.com (Postfix) with ESMTP id 64E22FEB0C; Tue, 6 Nov 2018 00:03:05 -0500 (EST) DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=pobox.com; h=from :message-id:content-type:mime-version:subject:date:in-reply-to :cc:to:references; s=sasl; bh=Uuhw2NCte2AMovWjOCJfmPcUIeU=; b=aK EQZhdnZBrSLvjWo10cj9BRFomPpJmWBLUDVI3exeZUR3hmkOvUpH0ZWTRoxdQnvr UNdORUT7lqW6uVmycCy27sbyS143L5dN4yVJOyhiYA5b1Is3WzQsgvJxlafMXDru 4bpU2rkvD+ge60/qanM3Yg+xdkOXdlUamnYWiWQJ4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=pobox.com; h=from:message-id :content-type:mime-version:subject:date:in-reply-to:cc:to :references; q=dns; s=sasl; b=uNlgjwtNqW0k4K9Q8JdPikHbPqXbl5pq+/ YqnUWuq/f/jFppLtvUSK6TLG35buUFajiUc9+ss1c0q764r9pGPjMoUJ5ymXPj0L nnDXGNFK909qo4duR5CAd3OsUG5Ty0x7a5zz4/KhsUnwJFOAMOxNbxAeH+YXUgG3 WltINms/U= Received: from pb-sasl1.nyi.icgroup.com (unknown [127.0.0.1]) by pb-sasl1.pobox.com (Postfix) with ESMTP id 5CE60FEB0B; Tue, 6 Nov 2018 00:03:05 -0500 (EST) Received: from davids-laptop.lan (unknown [59.167.129.250]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pb-sasl1.pobox.com (Postfix) with ESMTPSA id E2AC5FEB08; Tue, 6 Nov 2018 00:03:03 -0500 (EST) From: David Arnold Message-Id: <35C37347-E1DF-4FDF-BD5E-2EA92A46A0E2@pobox.com> Content-Type: multipart/signed; boundary="Apple-Mail=_AB1E26F0-F8BF-408F-B4F7-F8C23487F3EB"; protocol="application/pgp-signature"; micalg=pgp-sha256 Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Date: Tue, 6 Nov 2018 16:03:00 +1100 In-Reply-To: To: tuhs@minnie.tuhs.org References: <6a64b957-5912-b102-c73c-d0b71bd24188@spamtrap.tnetconsulting.net> X-Mailer: Apple Mail (2.3273) X-Pobox-Relay-ID: 3E25DB50-E181-11E8-9A80-AD63581924B7-29049682!pb-sasl1.pobox.com Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" --Apple-Mail=_AB1E26F0-F8BF-408F-B4F7-F8C23487F3EB Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 One place I worked recently used FreeIPA. It's a Redhat-sponsored = attempt to integrate a bunch of other free/open source projects and put = them under a single web UI. It=E2=80=99s largely compatible, functionally, with Active Directory, = and I think can be set up to support cross-realm authentication with an = AD installation as well. It *doesn=E2=80=99t* (or at least in the setup = I used) replace AD, and doesn=E2=80=99t seem to use any Samba = components. It does however include the DHCP and (Dynamic)DNS integration that=E2=80=99= s part of AD. It seemed pretty fragile in practice, although the overall level of = systems expertise in this place was fairly low, and a lot of its = problems could well have been issues with the underlying virtual machine = or storage infrastructure. I too still use NIS at home. It works with my Linux boxes, but also the = Sun, DEC, SGI and NeXT stuff as well. I like the idea of a central = directory, but X.500 always seemed like overkill and the = =E2=80=9CLightweight=E2=80=9D bit of LDAP doesn=E2=80=99t quite throw = enough away for me =E2=80=A6 d > On 6 Nov 2018, at 14:03, Robert Brockway = wrote: >=20 > On Mon, 5 Nov 2018, Grant Taylor via TUHS wrote: >=20 >> I also loath the idea that Unix (Linux) doesn't have a stand alone = central directory server solution. Or if LDAP + Kerveros is said = solution, so be it. - That's sort of what I'm trying to figure out. >=20 > LDAP with or without Kerberos certainly counts as a standalone = directory server solution for *nix. >=20 >> Translation: What is the current Unix (Linux) method to provide = central user directory / authentication for about a dozen Unix (Linux / = Solaris / *BSD / AIX) systems /without/ a Windows Server in the mix. I = don't own a license for any version of Windows Server that supports AD. = Nor do I feel compelled to buy one. >=20 > I've seen plenty of businesses with Linux servers and OSX desktops. = These business often manage user auth on Linux with LDAP. Various = solutions were used to manage the OSX boxes but they were quite separate = to Linux. >=20 > One caveat with LDAP. When I last did this a few years ago many Linux = systems were set up in such a manner that a failure of LDAP makes the = systems largely unusable. AFAIK this is still a problem. >=20 > A sysadmin logging in had to wait out a series of timeouts while = trying to open nsswitch.conf or the PAM config to disable LDAP so the = underlying problems could be addressed. >=20 > One fix for this that I mentioned earlier is to manage the Linux = systems using orchestration tools like Ansible. Have them generate = local passwd, shadow & group files from data stored in LDAP. This = prevent the timeout problems I mentioned earlier and also means that = switching to a new authentication backend (eg, OpenLDAP to AD) is a lot = easier since it is abstracted away. >=20 > Cheers, >=20 > Rob --Apple-Mail=_AB1E26F0-F8BF-408F-B4F7-F8C23487F3EB Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEgSWooWYYB/aPrQYaRdnGTTV27CoFAlvhIIQACgkQRdnGTTV2 7Cp8oxAAmDSWIV8jQ3T+gJFTKI+ylWAlQOaCpQh2JM6+qfgb7RHTboXjl91ya+1b MaPseD4UxUrjJP3UZILGnbFxdDt30yLX/ABjMNOEZxgi2LdeXX8ZSEo8j2BZVetY zU4R+LP7yAM8ucDbfZlRXagypVmoBEq9pt7tW1vjWpnYxDBbyzWaMPqgjaQv3g+n WojAtd5ZeHFajgrnr/Uc0lFkFgPxI7X5LLvh8ACu594q5qQjjJVU7rFyFEszjyTT 5a46ZCKIXBESN1786D8RANqsg/jVEGJzshiIdxza6+ZfyZK3lxbUGrcufQkqMPb+ J8zY8og/k9HXUSqLH3nROIxX1Wjxq2BpwbKIBB4PSpJJaSlLvgprSC37V0WxGpYL YDf/63rrJvNdp1SoGBjHBvMKScbpv8txPCnbkZpZb0rroFXklGvV8e3ZmHtsWJdw eoXlxHPtzyqSqHOMWq6F8jq18rwh+uuXo2JcUYFSaO1T+lr7k2gw9LClWrjYa4Ak uDIofrDMYPaUQBmYUFtr6KrXDmQbSnAzlLD1JVkAZYQ/sXSoVCuh+o1yawit2UNn m9KBZgt9EsgaJa9KjL8ioasMKCBDU9b2rgNty/sDNZZVl1IJirkwFA3fHL+1Tn3r KN3sPGgdzXMCHMFtlNEEANaGFSBTtAWLFsiEaX0Vg+et9o5l4OI= =5BFN -----END PGP SIGNATURE----- --Apple-Mail=_AB1E26F0-F8BF-408F-B4F7-F8C23487F3EB--