Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
We're switching authentication from NIS to LDAP. I'm new to Linux so I'm not sure how this is going to affect our group. We're told the process will change the id associated with files but that it should be fairly transparent as our user names will stay the same. New passwords, but other than that, no big effect. LDAP will only be used for authentication, other uses of NIS will remain intact.
A systems team is doing the switch. I'm with an application programming team. I'm not new to programming so I'm not 100% believing the story.
We use NFS mounts extensively (even for our home directories so that it shows up the same regardless of machine logged into) so there is a timing issue there. It will have to be all at once.
I'm guessing sudo to a non-root user will be transparent?
Am I missing anything? There has to be a gotcha hiding somewhere.
It's always * possible* that someone has deployed something in a weird way that will break, but in a well managed environment, it won't make any difference.
the system has no idea where the user names come from. the list of users is built but nss and returned to any application that needs it in a way that says nothing at all about where it came from. Run "getent passwd" and that's your list. Part lcoal file sources, part NIS, part LDAP etc.
Similarly for the authentication (you say it's ONLY authentication but I presume you actually mean user information AND authentication). Again here for auth, PAM will handle the authentication in most instances. An app authenticates to the OS and the OS then takes that request and does whatever it sees fit. The app doesn't need to care.
Thanks, Chris. That was informative. I'm new to Linux and didn't know about getent. One area I thought might be a problem was where code would take credentials and try to authenticate, to the database for example. It sounds like the OS will take care of hiding the source. I was thinking the code might need to know NIS vs LDAP. I'm not familiar with that part. Maybe this will be as easy as they suggest?
The project is large and our group isn't scheduled for the change until a couple of months from now. We'll get to see how the other groups fared and hopefully the gotcha items will have been figured out by the time they get to us. I just wanted to get ahead of the situation.
It's not as easy as it sounds. LDAP is merely a repository of data. There is more client and auth semantics built into NIS by default.
So.. in general, when people say "LDAP handles auth", that that means is that a successful authenticated bind means auth. So... unlike NIS (in general, because again LDAP is a general purpose repo), LDAP doesn't contain your password in either encrypted or hashed form... that happens a function of the service to "bind" to the LDAP server... really has nothing to do with LDAP data.
UID changes are always a pain. So hopefully they'll do their home work on that one.
But the real gotcha is handling NIS client side. Sure, you can disable the use of NIS password by effectively nuking the hashes with invalid base64... and yet still allow "passwd" for identities... but it's possible they are taking out both passwd and group tables altogether... which will limit the things you can do with NIS greatly. If not, if they are smart to just nuke the hashes, you still have a minor sync issue required to make sure the NIS tables are updated with relevant data from LDAP. All is doable of course (again, if they know what they are doing).
It's also possible they might be using some sort of weird "bridge" thing.
I'm rambling a bit, but I cannot over emphasize the potential conundrum on the NIS client side. NIS does it all. LDAP doesn't because semantics are really built in. Now it's possible they have semantics around LDAP data that they are deploying... but it's all custom at that point (though there are some common deployed semantic patterns out there, but many cause more problems because they claim "standards", but don't work with vendor specific LDAP implementations (which forces an all or nothing convert to.. for example... OpenLDAP on all clients).
In short, having done this many times.. it's NOT as simple as some make it sound... Those that claim simplicity usually mean that your going to lose some features.... just saying.
It's not as easy as it sounds. LDAP is merely a repository of data. There is more client and auth semantics built into NIS by default.
So.. in general, when people say "LDAP handles auth", that that means is that a successful authenticated bind means auth. So... unlike NIS (in general, because again LDAP is a general purpose repo), LDAP doesn't contain your password in either encrypted or hashed form... that happens a function of the service to "bind" to the LDAP server... really has nothing to do with LDAP data.
Right. We're using a customized LDAP so a local password file is used. That file is updated by the LDAP processes. That lets us keep local systems accounts out of LDAP.
Quote:
Originally Posted by cjcox
UID changes are always a pain. So hopefully they'll do their home work on that one.
They claim to have handled this well in the past on similar projects.
Quote:
Originally Posted by cjcox
But the real gotcha is handling NIS client side. Sure, you can disable the use of NIS password by effectively nuking the hashes with invalid base64... and yet still allow "passwd" for identities... but it's possible they are taking out both passwd and group tables altogether... which will limit the things you can do with NIS greatly. If not, if they are smart to just nuke the hashes, you still have a minor sync issue required to make sure the NIS tables are updated with relevant data from LDAP. All is doable of course (again, if they know what they are doing).
It's also possible they might be using some sort of weird "bridge" thing.
As above.
Quote:
Originally Posted by cjcox
I'm rambling a bit, but I cannot over emphasize the potential conundrum on the NIS client side. NIS does it all. LDAP doesn't because semantics are really built in. Now it's possible they have semantics around LDAP data that they are deploying... but it's all custom at that point (though there are some common deployed semantic patterns out there, but many cause more problems because they claim "standards", but don't work with vendor specific LDAP implementations (which forces an all or nothing convert to.. for example... OpenLDAP on all clients).
In short, having done this many times.. it's NOT as simple as some make it sound... Those that claim simplicity usually mean that your going to lose some features.... just saying.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.