[OpenAFS] /etc/passwd mgmt

Russ Allbery rra@stanford.edu
Thu, 10 Mar 2005 16:47:41 -0800


Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> writes:

> Exactly. I strongly recommend using LDAP to distribute user-info (as a
> replacement for /etc/passwd).

> As far as I tried it, it integrates well with Linux and Solaris.

> Hesiod, NIS, etc. are not that flexible and stable.

Not that I would actually encourage people to do new NIS deployments,
particularly since it has some security issues even if you're not
distributing passwords that way, but when it comes to stability this just
isn't true.  OpenLDAP is pretty nice, but Solaris NIS servers rank easily
in the top five of the most stable services that I've ever run.  The NIS
server process generally runs without interruption or maintenance for
literally years at a time; it's historically been even more stable than
AFS VLDB servers, and that's saying a lot.

That being said, LDAP is really the place to go for new deployments.  NIS
is ancient technology with no real security to prevent people from
spoofing packets to get a UID of 0 (and don't get me started on NIS+) and
it's very fiddly to get set up properly and limited down to just what you
want to do with it.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>