
Boris Epstein 11-04-2011 05:48 PM

coordinated NIS and LDAP servers
 
Hello listmates,
We are currently running NIS for authentication but would like to
migrate to LDAP. Thing is, though, that some of the machines that
authenticate via NIS are so old I'd rather not even touch them.
Hence the question - is there a good way to have an NIS server for
user authentication that is a mirror image of an LDAP server, with a
proviso that an update introduced there is replicated in the LDAP
server's databases?
Thanks.
Boris.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos

Jonathan Nilsson 11-04-2011 09:55 PM

coordinated NIS and LDAP servers
 
> Hence the question - is there a good way to have an NIS server for
> user authentication that is a mirror image of an LDAP server, with a
> proviso that an update introduced there is replicated in the LDAP
> server's databases?
>

I don't know of any "syncing" mechanisms between an existing NIS
environment and an existing LDAP environment, but if you are willing to
migrate to something new that provides both, you might try FreeIPA.

http://freeipa.org/page/NIS_Compatibility

--
Jonathan

Boris Epstein 11-05-2011 12:11 AM

coordinated NIS and LDAP servers
 
On Fri, Nov 4, 2011 at 6:55 PM, Jonathan Nilsson <jnilsson@uci.edu> wrote:
>> Hence the question - is there a good way to have an NIS server for
>> user authentication that is a mirror image of an LDAP server, with a
>> proviso that an update introduced there is replicated in the LDAP
>> server's databases?
>>
>
> I don't know of any "syncing" mechanisms between an existing NIS
> environment and an existing LDAP environment, but if you are willing to
> migrate to something new that provides both, you might try FreeIPA.
>
> http://freeipa.org/page/NIS_Compatibility
>
> --
> Jonathan

Jonathan,

Thank you very much, this sounds like an excellent idea!

Boris.

Stephen Harris 11-05-2011 12:35 PM

coordinated NIS and LDAP servers
 
On Fri, Nov 04, 2011 at 09:11:01PM -0400, Boris Epstein wrote:
> On Fri, Nov 4, 2011 at 6:55 PM, Jonathan Nilsson <jnilsson@uci.edu> wrote:
> >> Hence the question - is there a good way to have an NIS server for
> >> user authentication that is a mirror image of an LDAP server, with a
> >> proviso that an update introduced there is replicated in the LDAP
> >> server's databases?

> > http://freeipa.org/page/NIS_Compatibility

> Thank you very much, this sounds like an excellent idea!

If you don't mind paying, PADL may do what you want
http://www.padl.com/Products/NISLDAPGateway.html

Or fire up a Solaris 10 instance, which may also do what you want

Both will take an LDAP server and "republish" as NIS. LDAP is authoritative
and all changes must be made there (so you can't make your NIS map from
NIS sources and expect the changes to propagate to LDAP).

--

rgds
Stephen

Boris Epstein 11-08-2011 08:52 PM

coordinated NIS and LDAP servers
 
On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson <jnilsson@uci.edu> wrote:

>
> You're welcome! I have used FreeIPA in the past with great success (though not specifically as an NIS data source). So if you do pursue FreeIPA, I highly recommend joining their separate mailing list freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
> They have a very active development community that will be able to help you get up and running.
> To get you started, I recommend that you try installing it on a Fedora server, rather than CentOS (people have reported being able to build and install on CentOS 5, but yum install is easier on Fedora).
> Good luck!
> --
> jonathan

Jonathan,

Did you get this for CentOS? I've got CentOS 5.6. Would you know if
there is a repository for that that contains FreeIPA?

Boris.

Jonathan Nilsson 11-08-2011 10:50 PM

coordinated NIS and LDAP servers
 
I have not used FreeIPA on CentOS. As I said previously, I highly recommend
using Fedora servers as your FreeIPA servers, because it will install much
easier and you should be able to get support from the freeipa-users mailing
list.

If you are set on using CentOS, I think you will need to use the RedHat IPA
product instead. But the only success stories that I am familiar with are
from the v1.x IPA product, which is old.

http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5

--
Jonathan

On Tue, Nov 8, 2011 at 1:52 PM, Boris Epstein <borepstein@gmail.com> wrote:

> On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson <jnilsson@uci.edu> wrote:
>
> >
> > You're welcome! I have used FreeIPA in the past with great success
> (though not specifically as an NIS data source). So if you do pursue
> FreeIPA, I highly recommend joining their separate mailing list
> freeipa-users@redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > They have a very active development community that will be able to help
> you get up and running.
> > To get you started, I recommend that you try installing it on a Fedora
> server, rather than CentOS (people have reported being able to build and
> install on CentOS 5, but yum install is easier on Fedora).
> > Good luck!
> > --
> > jonathan
>
> Jonathan,
>
> Did you get this for CentOS? I've got CentOS 5.6. Would you know if
> there is a repository for that that contains FreeIPA?
>
> Boris.
>



--
Jonathan.Nilsson at uci dot edu
Social Sciences Computing Services
SSPB 1265 | 949.824.1536

Ray Van Dolson 11-08-2011 10:56 PM

coordinated NIS and LDAP servers
 
On Tue, Nov 08, 2011 at 03:50:07PM -0800, Jonathan Nilsson wrote:
> I have not used FreeIPA on CentOS. As I said previously, I highly recommend
> using Fedora servers as your FreeIPA servers, because it will install much
> easier and you should be able to get support from the freeipa-users mailing
> list.
>
> If you are set on using CentOS, I think you will need to use the RedHat IPA
> product instead. But the only success stories that I am familiar with are
> from the v1.x IPA product, which is old.
>
> http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
>

I'm surprised FreeIPA isn't in EPEL. Maybe this is because it's a
layered product offering by RHEL?

It's painful to run Fedora as a production server unfortunately with
its short lifecycle (at least in Enterprisey environments).

Ray

> --
> Jonathan
>
> On Tue, Nov 8, 2011 at 1:52 PM, Boris Epstein <borepstein@gmail.com> wrote:
>
> > On Sat, Nov 5, 2011 at 4:23 AM, Jonathan Nilsson <jnilsson@uci.edu> wrote:
> >
> > >
> > > You're welcome! I have used FreeIPA in the past with great success
> > (though not specifically as an NIS data source). So if you do pursue
> > FreeIPA, I highly recommend joining their separate mailing list
> > freeipa-users@redhat.com
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > They have a very active development community that will be able to help
> > you get up and running.
> > > To get you started, I recommend that you try installing it on a Fedora
> > server, rather than CentOS (people have reported being able to build and
> > install on CentOS 5, but yum install is easier on Fedora).
> > > Good luck!
> > > --
> > > jonathan
> >
> > Jonathan,
> >
> > Did you get this for CentOS? I've got CentOS 5.6. Would you know if
> > there is a repository for that that contains FreeIPA?
> >
> > Boris.
> >

Ross Walker 11-09-2011 10:24 PM

coordinated NIS and LDAP servers
 
On Nov 4, 2011, at 2:48 PM, Boris Epstein <borepstein@gmail.com> wrote:

> Hello listmates,
> We are currently running NIS for authentication but would like to
> migrate to LDAP. Thing is, though, that some of the machines that
> authenticate via NIS are so old I'd rather not even touch them.
> Hence the question - is there a good way to have an NIS server for
> user authentication that is a mirror image of an LDAP server, with a
> proviso that an update introduced there is replicated in the LDAP
> server's databases?

You could have the NIS maps set up by your capable LDAP clients. Use getent on those boxes and filter out the local accounts, set them up as NIS servers but make sure they don't reference both NIS and LDAP.

In my environment I have my NIS servers use winbind to get AD accounts into NIS as winbind will map Windows UUIDs to UIDs and GIDs. Just customized the map building scripts to use getent and filtered out the local accounts.

If I migrate over to OpenLDAP in the future I merely change this on the NIS servers. I could also merge both AD and OpenLDAP if UIDs and GIDs don't collide.

All authentication is handled by Kerberos, so password management doesn't need to fit in, the only thing that might require extra config is the shell management stuff. I just standardize on bash across the board here.

-Ross
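
The map-building step described in the post above, sketched as an added example (not part of the thread and not Ross's own scripts): it filters `getent passwd` output down to directory accounts, blanks the password field since Kerberos handles authentication, and flags UID collisions. The function name, the UID cut-off of 1000 and the sample accounts are assumptions.

```shell
#!/bin/sh
# build_nis_passwd LOCAL_PASSWD [MIN_UID]   (names and default are assumptions)
#   stdin : lines in getent/passwd(5) format
#   stdout: directory accounts only, password field forced to "*"
#   status: 1 if two different account names share a UID
build_nis_passwd() {
    awk -F: -v OFS=: -v lp="$1" -v min="${2:-1000}" '
        # First input is the local passwd file: remember its account names.
        FILENAME == lp { is_local[$1] = 1; next }
        # Drop malformed lines, local accounts and UIDs below the cut-off.
        NF != 7 || ($1 in is_local) || $3 !~ /^[0-9]+$/ || $3 + 0 < min { next }
        # The same entry can be returned by more than one NSS source.
        ($1 in seen_name) { next }
        # Two names on one UID would share file ownership on NIS clients.
        ($3 in uid_owner) {
            print "UID collision: " uid_owner[$3] " and " $1 " uid=" $3 | "cat 1>&2"
            bad = 1; next
        }
        # NIS maps can be read by any client in the domain, so never publish
        # a hash; Kerberos does the authentication in the setup described.
        { seen_name[$1] = 1; uid_owner[$3] = $1; $2 = "*"; print }
        END { exit bad + 0 }
    ' "$1" -
}

# Constructed sample data standing in for /etc/passwd and `getent passwd`.
demo() {
    local_file=$(mktemp) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'backup:x:1001:1001:local svc:/var/backup:/bin/bash' > "$local_file"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'backup:x:1001:1001:local svc:/var/backup:/bin/bash' \
                  'alice:$6$constructed$hash:20001:20001:Alice:/home/alice:/bin/bash' \
                  'bob:*:20002:20001:Bob:/home/bob:/bin/bash' |
        build_nis_passwd "$local_file" 1000
    rc=$?
    rm -f "$local_file"
    return $rc
}
demo
```

On a real NIS master the input would be `getent passwd` and the local file `/etc/passwd`; a non-zero exit status is the signal to stop before rebuilding the maps.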


John R Pierce 11-09-2011 11:14 PM

coordinated NIS and LDAP servers
 
On 11/08/11 3:56 PM, Ray Van Dolson wrote:
>> If you are set on using CentOS, I think you will need to use the RedHat IPA
>> product instead. But the only success stories that I am familiar with are
>> from the v1.x IPA product, which is old.
>>
>> http://www.howtoforge.com/how-to-build-rhel-ipa-rpms-for-centos-5
>>
> I'm surprised FreeIPA isn't in EPEL. Maybe this is because it's a
> layered product offering by RHEL?

ipa-server is in centos6 'CR' and will be in 6.1; it's currently 2.0.0,
which is a lot more comprehensive than 1.x was. I do note the IPA
project is up to 2.1, maybe rpmforge or someone can start rolling these
up for us all.

I started reading about FreeIPA last night and am real interested in
firing up a test instance in my lab at work, which is an unholy mess of
linux (assorted versions), solaris, and a few windows servers.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast


