Replacement for NIS/YP


Solution 1

Microsoft used to have something called Services For Unix (It's still around but with a different name: It's now "Subsystem for UNIX-based Applications (SUA)") -- Among the features it included was an AD-to-NIS gateway that allows you to create a NIS domain that is effectively slaved to your AD domain.
This is probably the path of least resistance for you since your unix environment is heterogeneous -- Anything that understood NIS will understand the MS NIS server, because as far as your unix systems are concerned it's still just a plain old NIS server.

Another option is pam_ldapd (or pam_ldap + nss_ldap) -- This would query against your AD servers directly & gets away from some of the limitations of NIS, but I don't know how good the netgroup support and such is on these (I know pam_ldap + nss_ldap doesn't have working netgroup support on FreeBSD).

Solution 2

You could try FreeIPA (http://freeipa.org) from the Red Hat folks. It is meant to replace NIS/YP and it gives you a kerberized environment as a bonus. Of course you can just plug in clients with just pam_ldap, but then you lose single sign-on.

You can also synchronize users with AD, by the way.

Solution 3

Given you already have AD in house I recommend considering freeipa/Redhat IDM set up as a trusted domain of active directory. Besides being free, this allows you to use all existing user & group information in AD, while setting access controls and policies in ipa.

You also get kerberos & sso potential. Ipa in this setup presents ad groups as netgroups (like nis).

It comes with a nice web gui, and internal role based access control (eg who can join hosts to the kerberos realm, who can manage sudo etc).

Any client should be able to authenticate against either ipa or AD.

QAS (either version) is an ideal solution in my opinion except for the cost, which can be insane. It also requires a schema change to AD, which itself is fine but your AD guys might not like that.

The newer versions of winbind are much more stable than 3.x, but require you to have access policies (sudo, ssh) configured on each host.

I can't speak for centrify.
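Both Solution 1 (netgroup support in the LDAP client) and Solution 3 (IPA presenting AD groups as netgroups) hinge on how a client evaluates netgroup triples for per-host login restrictions. The following is an added example, not code from the original post or from FreeIPA/nss_ldap: it implements innetgr(3)-style matching over constructed sample data that stands in for RFC 2307 nisNetgroup entries (the netgroup names, hosts and users are made up).

```python
"""Netgroup membership (RFC 2307 nisNetgroupTriple semantics) as an LDAP or NIS
client evaluates it for per-host login restrictions.

Added example; not code from the original post or from FreeIPA/nss_ldap.
NETGROUPS is constructed sample data standing in for nisNetgroup entries."""
from typing import Dict, List, Optional, Set, Tuple

# name -> (nisNetgroupTriple values, memberNisNetgroup values). NIS convention:
# an empty field is a wildcard, "-" never matches.
NETGROUPS: Dict[str, Tuple[List[str], List[str]]] = {
    "dba-users":  (["(,alice,example.com)", "(,bob,example.com)"], []),
    "dba-logins": (["(db01,alice,example.com)", "(db02,carol,)",
                    "(-,svc-backup,example.com)"], []),
    "all-admins": (["(,root,)"], ["dba-users"]),
    "loop-a":     ([], ["loop-b"]),   # deliberate cycle to exercise the guard
    "loop-b":     ([], ["loop-a"]),
}

def parse_triple(triple: str) -> Tuple[str, str, str]:
    """Split "(host,user,domain)" into three fields, preserving empty ones."""
    body = triple.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"malformed netgroup triple: {triple!r}")
    host, user, domain = (p.strip() for p in body[1:-1].split(","))
    return host, user, domain

def _field_matches(pattern: str, value: Optional[str]) -> bool:
    if value is None:        # caller is not filtering on this field
        return True
    if pattern == "-":       # explicit "no value": never matches
        return False
    return pattern == "" or pattern == value

def innetgr(name: str, host: Optional[str], user: Optional[str],
            domain: Optional[str], _seen: Optional[Set[str]] = None) -> bool:
    """innetgr(3)-style check: is (host,user,domain) in netgroup `name`?
    Recurses into member netgroups; `_seen` stops cycles."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in NETGROUPS:
        return False
    seen.add(name)
    triples, members = NETGROUPS[name]
    for t in triples:
        h, u, d = parse_triple(t)
        if all(_field_matches(p, v) for p, v in ((h, host), (u, user), (d, domain))):
            return True
    return any(innetgr(m, host, user, domain, seen) for m in members)

def login_allowed(user: str, host: str, domain: str, allowed: List[str]) -> bool:
    """Host-level policy: permit login if user@host is in any allowed netgroup,
    the kind of per-host gate (pam_access / sshd rules) the answers mention."""
    return any(innetgr(g, host, user, domain) for g in allowed)
```

Run `login_allowed("bob", "db01", "example.com", ["dba-logins", "all-admins"])` to see a user admitted through a nested netgroup, and `innetgr("loop-a", "h", "u", "d")` to see the cycle guard return False instead of recursing forever.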

Author: mdpc

Updated on September 17, 2022

Comments

  • mdpc
    mdpc almost 2 years

    The company that I am working for is embarking on replacing the current locally developed NIS/YP structure with LDAP.

    We already have AD in house for the Windows stuff and would like to consider using an AD system. The AD people are quite restrictive and would not support extensive modifications.

    We need the replacement to support the full capabilities of the NIS/YP suite, including netgroups, login restrictions to specific servers for specific users or groups of users, consistent passwords between the *nix and Windows environments, etc. Our environment is a mixture of Linux (SUSE, RH, Debian), Sun, IBM, HP and MPRAS as well as a NetApp. So whatever we use must be totally inclusive of all environments.

    We have looked at Likewise, but our management wants other alternatives to compare with.

    What other things should I be looking at and what is your assessment of the alternatives?

    Thanks

  • user1283002
    user1283002 almost 14 years
    My general experience is that VAS is a nightmare when it comes to the things you expect (packages new PAM modules, Kerberos is a little off), but it works. As far as I know, though, it won't work with NetApps.
  • Aaron Copley
    Aaron Copley over 13 years
    Not familiar with VAS... but Centrify works with NetApp.
  • user9517
    user9517 almost 12 years
    Welcome to Server Fault! We really do prefer that answers contain content not pointers to content. Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
  • squareborg
    squareborg over 11 years
    Be careful with SUA: it is deprecated in Win8 and Server 2012 and will not be available after them.
  • voretaq7
    voretaq7 over 11 years
    @Shutupsquare I imagine there will be a replacement for it (or a third-party AD<-->NIS gateway), but honestly in a modern environment LDAP integration and the POSIX extensions to AD are really the way to go.