Mailing List Archive: MythTV: Users

[SLIGHTLY-OT] LDAP vs NIS vs NFS



bradallenfuller at gmail

Jul 3, 2008, 1:14 PM

Post #1 of 7 (556 views)
[SLIGHTLY-OT] LDAP vs NIS vs NFS

I'm always having to make sure the UIDs and GIDs are the same for NFS
on all my boxes and it's a pain every time I add a box. I read
somewhere that NIS would be a better way to go, that I wouldn't have
to worry about that. Anyone using NIS? Is LDAP a better way to go? I
see it's much more secure, but from my investigations it sure looks
tough installing.

Any help would be much appreciated

(it would seem that this is OT, but I would imagine many here are
running multiple FE and BEs)

thanks,

--
Brad Fuller
www.bradfuller.com
_______________________________________________
mythtv-users mailing list
mythtv-users[at]mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users


pebender at san

Jul 3, 2008, 1:36 PM

Post #2 of 7 (538 views)
Re: [SLIGHTLY-OT] LDAP vs NIS vs NFS [In reply to]

Brad Fuller wrote:
> I'm always having to make sure the UIDs and GIDs are the same for NFS
> on all my boxes and it's a pain every time I add a box. I read
> somewhere that NIS would be a better way to go, that I wouldn't have
> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
> see it's much more secure, but from my investigations it sure looks
> tough installing.
>
> Any help would be much appreciated
>
> (it would seem that this is OT, but I would imagine many here are
> running multiple FE and BEs)

I use LDAP for authentication and authorization on my network. All
services (e.g. PAM, IMAP, SMTP, LDAP and RADIUS) use LDAP.

I did it for convenience. Once it is set up, it is more convenient to
have all services throughout the network use the same database. A user
can have a single account. Each LDAP account is granted access to the
services to which the user is allowed access.

The initial LDAP configuration as well as the initial configuration of
each service to use LDAP is somewhat tedious/troublesome. In the past, I
had to patch certain software packages. However, as time passed and the
patches made it into the upstream packages, more applications/daemons
began to support LDAP out-of-the-box.

For NFS, I do not believe that it is any more secure. As long as the
attacker can add a host to the network, the attacker can configure the
host to use a UID/GID that is allowed NFS access. However, it can be
more convenient.

There was a time that I included LDAP support in MiniMyth because I use
LDAP throughout my network. However, I decided that it was not worth the
extra software. It did not make the NFS mounts more secure and it did
change the fact that the MythTV protocol is not secure. Since the
dedicated MiniMyth frontends have only one user, it was relatively easy
to make sure that the UID/GID matched across the network.


bradallenfuller at gmail

Jul 3, 2008, 1:55 PM

Post #3 of 7 (538 views)
Re: [SLIGHTLY-OT] LDAP vs NIS vs NFS [In reply to]

On Thu, Jul 3, 2008 at 1:36 PM, Paul Bender <pebender[at]san.rr.com> wrote:
> Brad Fuller wrote:
>> I'm always having to make sure the UIDs and GIDs are the same for NFS
>> on all my boxes and it's a pain every time I add a box. I read
>> somewhere that NIS would be a better way to go, that I wouldn't have
>> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
>> see it's much more secure, but from my investigations it sure looks
>> tough installing.
>>
>> Any help would be much appreciated
>>
>> (it would seem that this is OT, but I would imagine many here are
>> running multiple FE and BEs)
>
> I use LDAP for authentication and authorization on my network. All
> services (e.g. PAM, IMAP, SMTP, LDAP and RADIUS) use LDAP.
>
> I did it for convenience. Once it is set up, it is more convenient to
> have all services throughout the network use the same database. A user
> can have a single account. Each LDAP account is granted access to the
> services to which the user is allowed access.
>
> The initial LDAP configuration as well as the initial configuration of
> each service to use LDAP is somewhat tedious/troublesome. In the past, I
> had to patch certain software packages. However, as time passed and the
> patches made it into the upstream packages, more applications/daemons
> began to support LDAP out-of-the-box.
>
> For NFS, I do not believe that it is any more secure. As long as the
> attacker can add a host to the network, the attacker can configure the
> host to use a UID/GID that is allowed NFS access. However, it can be
> more convenient.
>
> There was a time that I included LDAP support in MiniMyth because I use
> LDAP throughout my network. However, I decided that it was not worth the
> extra software. It did not make the NFS mounts more secure and it did
> change the fact that the MythTV protocol is not secure. Since the
> dedicated MiniMyth frontends have only one user, it was relatively easy
> to make sure that the UID/GID matched across the network.

So, you can confirm that using LDAP I don't have to worry about
UID/GIDs across boxes? It would seem so since everything is housed on
LDAP server(s). Do you have more than one server? I'm sorta thinking
that if one goes down, I'd need another server. What if all LDAP
servers go down? Can you still log on to clients?




--
Brad Fuller
www.bradfuller.com


drescherjm at gmail

Jul 3, 2008, 2:03 PM

Post #4 of 7 (538 views)
Re: [SLIGHTLY-OT] LDAP vs NIS vs NFS [In reply to]

> So, you can confirm that using LDAP I don't have to worry about
> UID/GIDs across boxes?
Users have the same UID/GID on each machine.

> It would seem so since everything is housed on
> LDAP server(s). Do you have more than one server?
At work I have a few LDAP servers (only one at home). You need to
set up syncrepl to synchronize between servers. It's pretty easy after
you get the first server up.

> I'm sorta thinking
> that if one goes down, I'd need another server. What if all LDAP
> servers go down? Can you still log on to clients?
>
Not unless the passwords are in /etc/passwd, and this will also cause
delay problems.

John
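The server-to-server replication John refers to, as an added example that is not part of the thread: OpenLDAP syncrepl expressed as cn=config LDIF, with one provider and one read-only consumer. The hostnames, the suffix dc=home,dc=example, the replicator account and the backend index {1}hdb are assumed placeholders.

```ldif
# Added example, not from the thread. Assumed: ldap1 is the provider, ldap2 the
# consumer, suffix dc=home,dc=example, and a dedicated replicator account that
# only has read access to the tree. Load each part on the right host with
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>

# --- on the provider (ldap1): attach the syncprov overlay to the data backend
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
# write a checkpoint every 100 operations or 10 minutes, keep a 100-entry
# session log so a consumer that was briefly offline can catch up cheaply
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

# --- on the consumer (ldap2): pull the whole tree, then hold a persistent
# connection so changes arrive as they happen (refreshAndPersist).
# LDIF folding strips exactly one leading space from a continuation line,
# so two spaces below leave the single space the keyword list needs.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://ldap1.home.example
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=home,dc=example"
  bindmethod=simple
  binddn="cn=replicator,dc=home,dc=example"
  credentials=REPLACE_WITH_REPLICATOR_PASSWORD
  starttls=critical
-
# the consumer is read-only: clients that try to write are referred upstream
add: olcUpdateref
olcUpdateref: ldap://ldap1.home.example
```

Point clients at both servers (for example `uri ldap://ldap1.home.example ldap://ldap2.home.example` in the NSS/PAM LDAP configuration) so losing one server does not stop logins; if both are down, John's answer still holds.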


ross.campbell at gmail

Jul 3, 2008, 2:20 PM

Post #5 of 7 (526 views)
Re: [SLIGHTLY-OT] LDAP vs NIS vs NFS [In reply to]

On Thu, Jul 3, 2008 at 1:14 PM, Brad Fuller <bradallenfuller[at]gmail.com> wrote:
> I'm always having to make sure the UIDs and GIDs are the same for NFS
> on all my boxes and it's a pain every time I add a box. I read
> somewhere that NIS would be a better way to go, that I wouldn't have
> to worry about that. Anyone using NIS? Is LDAP a better way to go?

Tons of organizations are using NIS ... and planning to migrate to
LDAP. If you're not already running NIS, go straight to LDAP.

Just remember that all of your other systems will become dependent on
your LDAP server for auth and that it will become a critical service
for your home systems. You'll probably want more than one LDAP server.
The line between a bunch of computers at home and a 'production home
datacenter' can get hard to define.

There are tons of howtos for just about every distro that explain how
to set up an LDAP server using OpenLDAP and configure your clients.
At the same time, you may want to configure samba as a primary domain
controller and let any Windows boxes you have share common logins.

> I see it's much more secure

Well, ldap won't automatically make NFS more secure by itself, however
creating netgroups in LDAP and managing your exports lists centrally
can make NFS more secure. Hooking your sudoers file into LDAP so you
can manage sudo privileges centrally could make your environment more
secure... but that's another topic.

> it sure looks tough installing.

ldap is a lot more than just a centralized /etc/passwd file ...
Here's a good summary that's not too confusing -
https://help.ubuntu.com/community/OpenLDAPServer

-Ross
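The netgroup approach Ross mentions (and the "add a host" weakness Paul described earlier in the thread), as an added example that is not part of the thread: an RFC 2307 netgroup listing the MythTV frontends, so the NFS server's exports file can name the netgroup instead of a whole subnet. The base DN and the frontend hostnames are assumed.

```ldif
# Added example, not from the thread. Assumed: base dc=home,dc=example,
# frontends fe-livingroom and fe-bedroom with forward and reverse DNS entries,
# and "netgroup: files ldap" in /etc/nsswitch.conf on the NFS server.

dn: ou=netgroup,dc=home,dc=example
objectClass: organizationalUnit
ou: netgroup

# Each triple is (host,user,domain). Empty user and domain fields mean
# "any user, any domain" on that host, which is what an NFS export wants.
dn: cn=mythfe,ou=netgroup,dc=home,dc=example
objectClass: nisNetgroup
cn: mythfe
nisNetgroupTriple: (fe-livingroom.home.example,,)
nisNetgroupTriple: (fe-bedroom.home.example,,)
```

Confirm the server resolves it with `getent netgroup mythfe`, then export with `/srv/mythtv @mythfe(rw,sync,root_squash)` in /etc/exports; that restricts the mount to hosts whose reverse DNS matches a triple (a per-subnet export lets any box on the LAN mount it), but as Paul notes it does not stop a process on an allowed host from presenting whatever UID it likes.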


whitem at arts

Jul 3, 2008, 7:12 PM

Post #6 of 7 (519 views)
Re: [SLIGHTLY-OT] LDAP vs NIS vs NFS [In reply to]

Brad Fuller wrote:
> I'm always having to make sure the UIDs and GIDs are the same for NFS
> on all my boxes and it's a pain every time I add a box. I read
> somewhere that NIS would be a better way to go, that I wouldn't have
> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
> see it's much more secure, but from my investigations it sure looks
> tough installing.

I use LDAP at work and at home. I have used NIS in the past - as others
have said, if you're not already doing NIS, don't bother. LDAP is "the
way of the future" (ooh!)

I just wanted to point you at a very helpful set of tools for getting
started with LDAP. Check out smbldap-tools...it makes it very easy to
set up a basic LDAP tree for Linux and Samba authentication, and
provides you with easy scripts to manage users & groups.

Project Page:
https://gna.org/projects/smbldap-tools/

Documentation:
http://www.iallanis.info/smbldap-tools/docs/smbldap-tools/

SAMBA LDAP howto (also includes Linux auth for ssh, login, etc):
http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/

To increase availability, you can replicate it across more than one
machine. At work, I do, but at home - meh. Back your ldap database up
frequently (see the slapcat command), anyways.

--
Matt White whitem[at]arts.usask.ca
Arts and Science Computer Labs University of Saskatchewan



pebender at san

Jul 3, 2008, 7:37 PM

Post #7 of 7 (517 views)
Re: [SLIGHTLY-OT] LDAP vs NIS vs NFS [In reply to]

Matt White wrote:
> Brad Fuller wrote:
>> I'm always having to make sure the UIDs and GIDs are the same for NFS
>> on all my boxes and it's a pain every time I add a box. I read
>> somewhere that NIS would be a better way to go, that I wouldn't have
>> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
>> see it's much more secure, but from my investigations it sure looks
>> tough installing.
>
> I use LDAP at work and at home. I have used NIS in the past - as others
> have said, if you're not already doing NIS, don't bother. LDAP is "the
> way of the future" (ooh!)
>
> I just wanted to point you at a very helpful set of tools for getting
> started with LDAP. Check out smbldap-tools...it makes it very easy to
> set up a basic LDAP tree for Linux and Samba authentication, and
> provides you with easy scripts to manage users & groups.

Yes, the smbldap-tools can be very useful. Especially when you want to
make your Linux+Samba server into a Microsoft Windows domain controller.

The mention of these tools made me think of something else that I
encountered when converting my home network to LDAP.

For those venturing into using LDAP, be sure you familiarize yourself
with the difference between IETF RFC-2307 and IETF RFC-2307bis. While
IETF RFC-2307bis never made it beyond the IETF ID
draft-howard-rfc2307bis-01.txt (at least as far as I know), it is
relatively well supported and more flexible than IETF RFC-2307. For my
home network, I chose to follow de facto standard 2307bis rather than
actual standard (technically RFC) 2307. If you decide to go with
2307bis, then you will want a 2307bis OpenLDAP schema file.

It was the differences between 2307 and 2307bis that caused me to create
patches for certain services/daemons (i.e. SASL and RADIUS). Thankfully,
these patches have become part of the upstream packages. Therefore, as
long as you are using versions at least as new as the versions in RHEL5,
the patches are included.
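The 2307 versus 2307bis difference Paul warns about, as an added example that is not part of the thread: the same group written both ways. Under RFC 2307 posixGroup is a structural class whose members are login names (memberUid); under 2307bis posixGroup is auxiliary, so it can be combined with groupOfNames and refer to members by DN. The base DN, user names and gidNumber are assumed, and the two entries are alternatives, not meant to be loaded together.

```ldif
# Added example, not from the thread. Assumed: base dc=home,dc=example and
# users at uid=<login>,ou=people,dc=home,dc=example. Load ONE of the two
# entries below; they share a DN on purpose to show the same group both ways.

# RFC 2307 style: posixGroup is STRUCTURAL and members are bare login names.
# Loads against the stock nis.schema shipped with OpenLDAP.
dn: cn=mythtv,ou=group,dc=home,dc=example
objectClass: posixGroup
cn: mythtv
gidNumber: 1001
memberUid: brad
memberUid: mythtv

# RFC 2307bis style: posixGroup is AUXILIARY, so the entry can be a
# groupOfNames and name members by DN (the same DN used for login, so a
# renamed user cannot silently drop out of a group). With the stock 2307
# schema this add is rejected as an object class violation, which is the
# symptom that tells you the server is not running a 2307bis schema file.
dn: cn=mythtv,ou=group,dc=home,dc=example
objectClass: groupOfNames
objectClass: posixGroup
cn: mythtv
gidNumber: 1001
member: uid=brad,ou=people,dc=home,dc=example
member: uid=mythtv,ou=people,dc=home,dc=example
```

Whichever variant is chosen, the NSS client on every box has to be told the same thing (for instance sssd's `ldap_schema = rfc2307bis`, a later tool not mentioned in the thread), otherwise group lookups return empty member lists and NFS group permissions quietly stop matching.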
