[mythtv-users] [SLIGHTLY-OT] LDAP vs NIS vs NFS
Paul Bender
pebender at san.rr.com
Thu Jul 3 20:36:07 UTC 2008
Brad Fuller wrote:
> I'm always having to make sure the uid and gid's are the same for NFS
> on all my boxes and it's a pain every time I add a box. I read
> somewhere that NIS would be a better way to go, that I wouldn't have
> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
> see it's much more secure, but from my investigations it sure looks
> tough installing.
>
> Any help would be much appreciated
>
> (it would seem that this is OT, but I would imagine many here are
> running multiple FE and BEs)

I use LDAP for authentication and authorization on my network. All
services (e.g. PAM, IMAP, SMTP, LDAP and RADIUS) use LDAP.

I did it for convenience. Once it is set up, it is more convenient to
have all services throughout the network use the same database. A user
can have a single account. Each LDAP account is granted access to the
services to which the user is allowed access.

The initial LDAP configuration as well as the initial configuration of
each service to use LDAP is somewhat tedious/troublesome. In the past, I
had to patch certain software packages. However, as time passed and the
patches made it into the upstream packages, more applications/daemons
began to support LDAP out-of-the-box.

For NFS, I do not believe that it is any more secure. As long as the
attacker can add a host to the network, the attacker can configure the
host to use a UID/GID that is allowed NFS access. However, it can be
more convenient.

There was a time that I included LDAP support in MiniMyth because I use
LDAP throughout my network. However, I decided that it was not worth the
extra software. It did not make the NFS mounts more secure and it did
change the fact that the MythTV protocol is not secure. Since the
dedicated MiniMyth frontends have only one user, it was relatively easy
to make sure that the UID/GID matched across the network.
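
Added example, not part of the original post: for the manual approach discussed in this thread (keeping UID/GID identical on every box instead of running NIS or LDAP), a small audit over passwd-format files collected from each host shows which accounts have drifted and which numeric UIDs belong to different names on different hosts. The host names and accounts below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: passwd-format text as collected from three hosts.
SAMPLE = {
    "backend":   "root:x:0:0::/root:/bin/sh\nmythtv:x:1000:1000::/home/mythtv:/bin/sh\n"
                 "brad:x:1001:1001::/home/brad:/bin/sh\n",
    "frontend1": "root:x:0:0::/root:/bin/sh\nmythtv:x:1000:1000::/home/mythtv:/bin/sh\n"
                 "brad:x:1002:1002::/home/brad:/bin/sh\n",
    "frontend2": "root:x:0:0::/root:/bin/sh\nmythtv:x:1001:1001::/home/mythtv:/bin/sh\n",
}

def parse_passwd(text):
    """Return {name: (uid, gid)}; comments and malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        users[fields[0]] = (int(fields[2]), int(fields[3]))
    return users

def audit(hosts):
    """Return (mismatches, collisions).

    mismatches: {name: {host: (uid, gid)}} for names whose IDs differ between hosts.
    collisions: {uid: {host: name}} for UIDs owned by different names on different
    hosts; over NFS those accounts can read each other's files.
    """
    by_name, by_uid = defaultdict(dict), defaultdict(dict)
    for host, text in hosts.items():
        for name, ids in parse_passwd(text).items():
            by_name[name][host] = ids
            by_uid[ids[0]][host] = name  # assumes one name per UID on a given host
    mismatches = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    collisions = {u: h for u, h in by_uid.items() if len(set(h.values())) > 1}
    return mismatches, collisions

if __name__ == "__main__":
    mismatches, collisions = audit(SAMPLE)
    for name, per_host in sorted(mismatches.items()):
        print(f"{name}: IDs differ across hosts: {per_host}")
    for uid, per_host in sorted(collisions.items()):
        print(f"UID {uid}: owned by different accounts: {per_host}")
```
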