Re: [Sheflug] Sheflug Meeting / AccessSpace NIS
On 29 Mar 2001, Alex Hudson wrote:
> The way I've set things up in the past is this. Account access /
> authentication over a network done over LDAP - you can get a PAM module
> which plugs in, and then you just pop all the account information into
> the LDAP server rather than /etc/passwd, or NIS. There is a standard
> schema for POSIX accounts, and believe me, LDAP auth is _much_ nicer
> than NIS. LDAP is also rocking technology - directories are where it's
> at these days, and I'd probably also say it was more lightweight than
> NIS auth.
I can say from experience that LDAP auth is *not* a lightweight solution
when running on Access Space's hardware. I've implemented it here in the
IEEE lab, and the server is running on a 486. Logins can take up to 40
seconds to complete. Not a pretty sight.
Knowing what Access Space is using, I'd say that NIS, properly firewalled,
is going to be better for the situation. The internal users aren't that
crack-prone, so it's just external problems.
That said, LDAP is *much* sexier, so if there's a Pentium lying around not
doing an awful lot (say a dedicated server that users don't have login
rights to) you could probably get it running fast enough, and with the
addition of nscd (which you should have going already, running NIS) it can
be sped up sufficiently.
> Mounting remote home directories is a tough one. NFS is the main 'Linux
> way', but as I said before, it sucks goat. If you find directories
> disappearing, or if ls/du/df complains, etc., etc., ad nauseam, it's NFS
> to blame, it's crap. Samba is a lot more stable, and if you have no
> obvious objections to the noisy CIFS ("box a: hello, it's me, are you
> free?", "box b: yes, I'm free, what do you want?", "box a: oh, nothing",
> etc.) that might be the way to go. That's probably the way I would go.
> Also brings the benefit of Windows integration, if that's of any use
> (you never know ;). Sadly, the choice is pretty much going to be samba
> vs. nfs - up to you.
Argh! OpenAFS to the rescue.
My dream system is LDAP for the account info, Kerberos for the
authentication, and AFS for the home directories. It can be made completely
transparent, so that a user logging in anywhere can get their home dir and
everything - even, possibly, from outside the Access Space. Not that you're
going to want that over the little ISDN link, but it's a nice idea...
> LDAP/Samba would require some learning on your part, but then, you say
> you're not really up to speed on NIS anyway, so you're going to have to
> learn one or the other. Samba is a doddle to set up and get working, as
> for NIS vs. LDAP - hmm, well, LDAP is probably marginally harder, but
> it's a lot less scary than it looks. Plus, the daemons are called
> 'slurpd' and 'slapd' - instant UNIX guru points :)
LDAP is a relatively easy technology to make happen. The concepts are
tough, but the servers are pretty easy to make happen.
> I'd offer to help out, but I'm not in Sheffield all that often :(
I'll wager you're there more often than me... <g>
--
-----------------------------------------------------------------------
#include <disclaimer.h>
Matthew Palmer
mjp16@ieee.uow.edu.au
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk