We've implemented an LDAP to NIS solution and have begun transitioning some systems to native LDAP binding for authentication and automount maps. Unfortunately we have a very mixed environment with more than 20 *nix environments. The setup for each variant is of course unique and has required various workarounds to get full functionality. We're now at the point where we're willing to revisit the solution and possibly migrate toward something like Likewise (http://www.likewise.org), but would like to know what others are using to solve this problem.
@Avery,
This is essentially what Likewise Open does. It makes use of Kerberos (via PAM) to authenticate the user. It also provides NSSWITCH modules to perform SID->ID mapping (using various algorithms, some LDAP based, some hash based).
It has several advantages over plain old pam_krb5:
Cheers,
Manny Vellon CTO, Likewise
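To make the "SID->ID mapping" in the answer above concrete, here is a small added illustration of what an NSS identity-mapping module has to do: parse the Windows SID that AD hands back, derive a stable POSIX uid from it, and catch the case where two principals would end up with the same uid. This is example code written for this thread, not Likewise's implementation; the uid base/range values, the two mapping rules and the sample SIDs are all constructed for the demonstration.

```python
"""Constructed example: SID parsing and two SID->uid mapping strategies.
Not Likewise's algorithm; the bases, ranges and SIDs below are made up."""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Sid:
    authority: int
    subauthorities: Tuple[int, ...]

    @property
    def domain(self) -> "Sid":
        """The SID with its last subauthority (the RID) stripped off."""
        return Sid(self.authority, self.subauthorities[:-1])

    @property
    def rid(self) -> int:
        return self.subauthorities[-1]

    def __str__(self) -> str:
        fields = (self.authority,) + self.subauthorities
        return "S-1-" + "-".join(str(f) for f in fields)


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-<authority>-<sub>...' strictly: ASCII digits only, revision 1,
    1..15 subauthorities, 32-bit subauthorities and a 48-bit authority."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a revision-1 SID: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts[2:]):
        raise ValueError(f"non-numeric component in SID {text!r}")
    numbers = [int(p) for p in parts[2:]]
    authority, subs = numbers[0], tuple(numbers[1:])
    if authority >= 2 ** 48 or not 1 <= len(subs) <= 15:
        raise ValueError(f"out-of-range SID structure: {text!r}")
    if any(s >= 2 ** 32 for s in subs):
        raise ValueError(f"subauthority exceeds 32 bits: {text!r}")
    return Sid(authority, subs)


def is_valid_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


# Constructed policy: uids 100000..199999 are reserved for directory users.
UID_BASE = 100000
UID_RANGE = 100000


def map_by_hash(sid: Sid) -> int:
    """Hash-based mapping: stateless, identical on every host, but two SIDs
    can hash into the same uid, so a collision check is mandatory."""
    digest = hashlib.sha256(str(sid).encode("ascii")).digest()
    return UID_BASE + int.from_bytes(digest[:8], "big") % UID_RANGE


def map_by_rid(sid: Sid, domain_bases: Dict[str, int]) -> int:
    """RID-based mapping (the idea behind Samba's idmap_rid): uid = base + RID.
    Only collision-free when each domain SID gets its own disjoint base."""
    return domain_bases[str(sid.domain)] + sid.rid


def detect_collisions(sids: Iterable[Sid],
                      mapper: Callable[[Sid], int]) -> Dict[int, List[str]]:
    """Map every SID and return any uid claimed by more than one SID. Two
    principals sharing a uid can read each other's files, so refuse to
    deploy a mapping that produces a non-empty result here."""
    owners: Dict[int, List[str]] = {}
    for sid in sids:
        owners.setdefault(mapper(sid), []).append(str(sid))
    return {uid: who for uid, who in owners.items() if len(who) > 1}


# Constructed sample: two users from domain A and one from domain B whose RID
# happens to equal one of domain A's RIDs.
SAMPLE_SIDS = tuple(parse_sid(s) for s in (
    "S-1-5-21-1000-2000-3000-1103",
    "S-1-5-21-1000-2000-3000-1104",
    "S-1-5-21-4000-5000-6000-1103",
))
SINGLE_BASE = {"S-1-5-21-1000-2000-3000": 100000,
               "S-1-5-21-4000-5000-6000": 100000}   # mistake: shared base
PER_DOMAIN_BASES = {"S-1-5-21-1000-2000-3000": 100000,
                    "S-1-5-21-4000-5000-6000": 200000}

if __name__ == "__main__":
    for sid in SAMPLE_SIDS:
        print(sid, "->", map_by_hash(sid), map_by_rid(sid, PER_DOMAIN_BASES))
    print("shared base collisions:",
          detect_collisions(SAMPLE_SIDS, lambda s: map_by_rid(s, SINGLE_BASE)))
```

Running it shows the point the collision check exists for: with one shared base, the domain A and domain B users with RID 1103 both land on uid 101103, while per-domain bases keep them apart. Whatever mapping backend you end up with, run the equivalent of detect_collisions over your whole directory before letting hosts trust it for file ownership.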
I used to have 40ish Linux servers, all with local authentication. Life was hell.
I finally solved the problem by building an Active Directory infrastructure and implementing Likewise Open to authenticate all of my machines (plus samba, ftp, jabber, and half a dozen web apps).
Now I've got 80-100 servers all using the same authentication and my users love it (but not nearly as much as I do).
I have never once regretted using Likewise. I talked about it so much on my blog that they sent me a T-shirt!
We have "solved" the problem by standardizing on RHEL/CentOS. That solves a boatload of other portability problems as well.
As for LDAP, we use it too, but the interface between ldap and NSS is far from perfect (same goes for any other network service). If I had the time, I'd look into deploying nsscache instead of nss_ldap. Or maybe even replace pam_ldap and nss_ldap with winbind, to better integrate with our windows environment (likewise is a variant of winbind, no?).

Many companies are using Likewise and it is working very well. We had around 20 servers using native users and we moved to Likewise and life is a lot simpler.