Replacement for NIS/YP

unix linux active-directory ldap nis

The company that I am working for is embarking on replacing the current locally developed NIS/YP structure with LDAP.

We already have AD in house for the Windows stuff and would like to consider using an AD system. The AD people are quite restrictive and would not support extensive modifications.

We have needs to have the replacement include the support the full capabilities of the NIS/YP suite include netgroups, login restrictions to specific servers for specific users or groups of users, consistent passwords between the *nix and Windows environment,etc. Our environment is a mixture of Linux (suse, RH, Debian), Sun, IBM, HP and MPRAS as well as a NETAPP. So whatever we use must be totally inclusive to all environment.

We have looked at Likewise, but our management wants other alternatives to compare with.

What other things should I be looking at and what is you assessment of the alternative?

Thanks


Microsoft used to have something called Services For Unix (It's still around but with a different name: It's now "Subsystem for UNIX-based Applications (SUA)") -- Among the features it included was an AD-to-NIS gateway that allows you to create a NIS domain that is effectively slaved to your AD domain.
This is probably the the path of least resistance for you since your unix environment is heterogeneous -- Anything that understood NIS will understand the MS NIS server, because as far as your unix systems are concerned it's still just a plain old NIS server.

Another option is pam_ldapd (or pam_ldap + nss_ldap) -- This would query against your AD servers directly & gets away from some of the limitations of NIS, but I don't know how good the netgroup support and such is on these (I know pam_ldap + nss_ldap doesn't have working netgroup support on FreeBSD).


you could try freeipa (http://freeipa.org) from the redhat folks. It is meant to replace nis/yp and it gives you a kerberized environment as a bonus. Of course you can just plug clients with just pam_ldap, but you lose then the single sign-on.

You can also synchronize users with AD, by the way.


Given you already have AD in house I recommend considering freeipa/Redhat IDM set up as a trusted domain of active directory. Besides being free, this allows you to use all existing user & group information in AD, while setting access controls and policies in ipa.

You also get kerberos & sso potential. Ipa in this setup presents ad groups as netgroups (like nis).

It comes with a nice web gui, and internal role based access control (eg who can join hosts to the kerberos realm, who can manage sudo etc).

Any client should be able to authenticate against either ipa or AD.

QAS (either version) is an ideal solution in my opinion except for the cost, which can be insane. It also requires a schema change to AD, which itself is fine but your AD guys might not like that.

The newer versions of winbind are much more stable than 3.x, but require you to have access policies (sudo, ssh) configured on each host.

I can't speak for centrify.

Related

Help configuring talk/talkd
How do I log authentication attempts with samba?
How do I log SSH port forwards?
What Command(s) List a User's System Permissions in Linux?
For an internal cluster, is it good idea to use IPv6?
Linux RAID-0 performance doesn't scale up over 1 GB/s
How to know currently open ports on the Windows Firewall?
How secure is Remote Desktop Connection?
Is it safe to replicate from Solaris ZFS to FreeBSD ZFS?
Cannot join Win7 workstations to Win2k8 domain
SQL Server transaction log BACKUPS are very large
Test for Localhost in Powershell?