NetBSD-Users archive


Re: YP alternatives



At Thu, 17 Dec 2009 15:43:25 -0800, "Aaron J. Grier" 
<agrier%poofygoof.com@localhost> wrote:
Subject: YP alternatives
> 
> On Wed, Dec 16, 2009 at 03:24:23PM -0500, Greg A. Woods wrote:
> > At Wed, 16 Dec 2009 23:53:09 +0700, Robert Elz 
> > <kre%munnari.OZ.AU@localhost> wrote:
> > > Unlike printf(), malloc() etc, I think YP is worth being trashed.
> > > Its usefulness is zero, which really is limited.  But never mind...
> > 
> > Indeed.  I turned off USE_YP and MKYP after I turned off my last running
> > SunOS-4 machine many years ago, and I have not looked back.
> 
> what are my options for centralized (or distributed) user/login
> credentials across a group of NetBSD-running machines aside from YP?

That's a good question!

My answer is that "It Depends".  :-)

What I've done in the past for sites where managing accounts on multiple
machines grows beyond the abilities of any sane administrator to use
"cut&paste" style management is to use a central management system of
some kind, or even just to do all management on one core system directly
in the normal ways (vipw, etc.), and then on all other systems I set up
scripts which regularly pull necessary information from the central
system (or database) and automatically update their password files,
config files, etc.  Some of this can be done with existing tools even,
such as cfengine.  Push-style updates work well too, depending on the
specific needs of the site and the systems in question.

I really don't like the idea, any more, of using real-time network
access to control authentication and authorisation, but then I haven't
had to deal with sites with hundreds or thousands of machines which need
to have consistent A&A either in many years, and back then I did use YP.

I suppose Kerberos could still be a viable solution -- it's a heck of a
lot better in design (and I think implementation), than YP/NIS is, and
it's even got hints of covering more platforms than just Unix-like ones
too.

-- 
                                                Greg A. Woods
                                                Planix, Inc.

<woods%planix.com@localhost>       +1 416 218 0099        http://www.planix.com/
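
The pull-style update described in the message above, as an added example that is not part of the original post or of any NetBSD tool: a host merges an already fetched central master.passwd(5) feed into its own file and refuses the whole update if any line looks wrong. Assumptions: the function names `merge_passwd` and `sync_passwd` are hypothetical, uids below 1000 are treated as host-local system accounts, and the feed was copied over an authenticated channel before this runs.

```shell
#!/bin/sh
# Added example, not from the original message. Pull-style account sync:
# merge a centrally maintained master.passwd(5) feed into the local file.
MIN_UID=1000   # assumption: uids below this are host-local system accounts

# merge_passwd CENTRAL LOCAL: merged file on stdout; exit 1 if anything is off
merge_passwd() {
    awk -F: -v min="$MIN_UID" '
        function bad(why) { print "rejected: " why | "cat 1>&2"; failed = 1 }
        # Central feed: validate every line before trusting it.
        FILENAME == ARGV[1] {
            if (NF != 10)                         bad("line " FNR ": field count")
            else if ($1 !~ /^[a-z_][a-z0-9_-]*$/) bad("line " FNR ": login name")
            else if ($3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/) bad("line " FNR ": uid/gid")
            else if ($3 + 0 < min)                bad($1 ": uid below " min)
            else if ($1 in seen)                  bad($1 ": duplicate name")
            else { seen[$1] = 1; central[++n] = $0 }
            next
        }
        # Local file: keep system accounts only; stale central users drop out.
        $3 + 0 < min {
            if ($1 in seen) bad($1 ": central entry shadows a system account")
            else keep[++k] = $0
        }
        END {
            if (n == 0) bad("central feed is empty or unreadable")
            if (failed) exit 1
            for (i = 1; i <= k; i++) print keep[i]
            for (i = 1; i <= n; i++) print central[i]
        }
    ' "$1" "$2"
}

# sync_passwd CENTRAL LOCAL: replace LOCAL only when the merge validated.
sync_passwd() {
    tmp="$2.new.$$"
    if ( umask 077; merge_passwd "$1" "$2" > "$tmp" ); then
        # On a NetBSD host, install with pwd_mkdb(8) (pwd_mkdb -p "$tmp")
        # instead of mv, so the hashed password databases are rebuilt too.
        mv "$tmp" "$2"
    else
        rm -f "$tmp"; return 1
    fi
}
```

Run from cron after the fetch step, a truncated or tampered feed leaves the existing password file untouched and the rejection reason on stderr.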
