[NTLUG:Discuss] NIS no longer developed?

Chris Cox cjcox at acm.org
Wed Aug 6 13:13:20 CDT 2003


Tom Adelstein wrote:
> 
> 
> cjcox at acm.org wrote:
> 
>> Neil Aggarwal wrote:
>>
>>> Hello all:
>>>
>>> If I look at the Linux NIS homepage, it looks like the product
>>> is no longer being developed.  Is that true?
>>
>>
>>
>> Probably not developed since it is complete.  Where do you think it
>> needs to go?  Granted a good automounter still needs
>> some development work, but that's a side tool often integrated
>> with NIS deployments... but not a part of NIS.
>>
>>>
>>> If so, what replacement are people using to centralize
>>> password management in a mixed environment (Linux and
>>> Windows)?
>>
>>
>>
>> IMHO, NIS works, and the others don't.  Oh.. you can
>> spend several months getting OpenLDAP to work, but
>> certainly not across the enterprise (all Unix/Windows/etc.)
>> and the schemas are under HEAVY flux and will continue
>> to be so for at LEAST another year or so (that from
>> Gerald Carter).  Vendors are still trying to 0wn LDAP
>> instead of working on interoperability.  If you're
>> all Linux... then your choices are wide open... if
>> you're a mixed environment, then I prefer NIS + Samba + PAM + ssh
>> for single sign on and single platform account management without
>> the primary NIS security flaw (exposed DES encrypted
>> passwords).
>>
>> Anyone who has gone through the pains of LDAP conversion
>> more than once (due to the schema changes) will tell you
>> they're sick of the changes.  Would be nice to see things
>> settle down, but even then, will it integrate seamlessly
>> with Microsoft Active Directory??
>>
>> LDAP... new technology, many security flaws, immature.
>> Anyone recommending this over NIS hasn't really analyzed
>> the tech too closely.
>>
>> I probably stand alone in this boat in the Linux community.
>>
>> Regards,
>> Chris
>>
>>
> 
> 
> Chris,
> 
> I recognize your extensive expertise in this area.
> 
> I just have a problem with your absolutes "anybody" "immature" 
> especially in light of the IMHO (in my humble opinion).

Yep.. I went to OpenLDAP school under Gerald Carter at Usenix
for the very reason of determining if it was baked yet...
conclusion: smelling good, but not quite done.  Lots of
frustrated attendees talking about having to do yet another
schema migration to support the new definitions.

> 
> I've developed in places where LDAP works fine and the admins love it.

Sun <-> Sun ... works great.. they 0wn the technology.

Linux <-> Linux  ... can work great, but requires some work unless
all Linux use the same dist.

> 
> I've suggested NIS in other places and the people hated it.

Haven't seen an LDAP yet that does Windows/Linux/HPUX/Solaris/AIX
without jumping through major hoops (hoops which to me are
just as painful as account replications.. and in many cases,
what I've seen done is effectively account replication when
you get right down to it).

I'm surprised about the NIS difficulties... it's pretty
simple.

> 
> After all, you like SuSE. How can anyone really trust your opinion?
> 
> (Joking...joking...joking). <grin><grin><grin>.
> 
> The only thing I'm saying is that I've seen lots of different opinions 
> on it.
> 
> Personally, I like NIS in smaller environments.

Granted, I have not tried an implementation into the 1000's of users.
Most of mine involve hundreds of users.  Usually site autonomy
comes into play, so I haven't had to worry about the difficulties
of wide area account management.  But LDAP should have some of
the very same issues that NIS has with that... and in some cases the
problems will be worse (much worse).

My presentation materials do mention that LDAP is the "future"...
but I'm not so sure now.  It's possible that it will be the
future, but right now, it's definitely going through some
of the very same birth pains that older technologies have
already addressed or at least have talked about for many, many
years.  It just surprises me to see a "new" technology
repeating old mistakes... well.. perhaps "surprise" is too
strong of a word.



