[mythtv-users] [SLIGHTLY-OT] LDAP vs NIS vs NFS

Brad Fuller bradallenfuller at gmail.com
Thu Jul 3 20:55:00 UTC 2008


On Thu, Jul 3, 2008 at 1:36 PM, Paul Bender <pebender at san.rr.com> wrote:
> Brad Fuller wrote:
>> I'm always having to make sure the UIDs and GIDs are the same for NFS
>> on all my boxes and it's a pain every time I add a box. I read
>> somewhere that NIS would be a better way to go, that I wouldn't have
>> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
>> see it's much more secure, but from my investigations it sure looks
>> tough installing.
>>
>> Any help would be much appreciated
>>
>> (it would seem that this is OT, but I would imagine many here are
>> running multiple FE and BEs)
>
> I use LDAP for authentication and authorization on my network. All
> services (e.g. PAM, IMAP, SMTP, LDAP and RADIUS) use LDAP.
>
> I did it for convenience. Once it is set up, it is more convenient to
> have all services throughout the network use the same database. A user
> can have a single account. Each LDAP account is granted access to the
> services to which the user is allowed access.
>
> The initial LDAP configuration as well as the initial configuration of
> each service to use LDAP is somewhat tedious/troublesome. In the past, I
> had to patch certain software packages. However, as time passed and the
> patches made it into the upstream packages, more applications/daemons
> began to support LDAP out-of-the-box.
>
> For NFS, I do not believe that it is any more secure. As long as the
> attacker can add a host to the network, the attacker can configure the
> host to use a UID/GID that is allowed NFS access. However, it can be
> more convenient.
>
> There was a time that I included LDAP support in MiniMyth because I use
> LDAP throughout my network. However, I decided that it was not worth the
> extra software. It did not make the NFS mounts more secure and it did
> change the fact that the MythTV protocol is not secure. Since the
> dedicated MiniMyth frontends have only one user, it was relatively easy
> to make sure that the UID/GID matched across the network.

So, you can confirm that using LDAP I don't have to worry about
UID/GIDs across boxes? It would seem so since everything is housed on
LDAP server(s). Do you have more than one server? I'm sorta thinking
that if one goes down, I'd need another server. What if all LDAP
servers go down? Can you still log on to clients?

-- 
Brad Fuller
www.bradfuller.com
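A consistency check for the UID/GID problem Brad describes, added here as an example; it is not code from the thread or from the MythTV/MiniMyth projects. The host names and the passwd/group file contents are constructed samples.

```python
# Added example (not from the thread): report names whose numeric UID/GID differs
# between hosts, the consistency that NFS without ID mapping relies on. The passwd/group
# contents below are constructed samples; in practice read /etc/passwd and /etc/group from each host.
from collections import defaultdict

def parse_id_map(text):
    """Parse passwd- or group-format text (name:x:ID:...) into {name: id}; skip malformed lines."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # comment, blank or malformed line
        ids[fields[0]] = int(fields[2])
    return ids

def find_mismatches(files_by_host):
    """Return {name: {host: id}} for every name whose id is not identical on all hosts."""
    seen = defaultdict(dict)  # name -> {host: id}
    for host, text in files_by_host.items():
        for name, num in parse_id_map(text).items():
            seen[name][host] = num
    # A name on only one host cannot conflict, so it is not reported.
    return {name: hosts for name, hosts in seen.items() if len(set(hosts.values())) > 1}

def report(passwd_by_host, group_by_host):
    """Run the UID check on passwd files and the GID check on group files."""
    return {"uid": find_mismatches(passwd_by_host), "gid": find_mismatches(group_by_host)}

# Constructed sample data: 'mythtv' is 1000/1000 on two hosts but 1001/1001 on frontend2,
# so files it writes to an NFS export from frontend2 would be owned by a different user.
SAMPLE_PASSWD = {
    "backend":   "root:x:0:0:root:/root:/bin/bash\nmythtv:x:1000:1000::/home/mythtv:/bin/bash\n",
    "frontend1": "root:x:0:0:root:/root:/bin/bash\nmythtv:x:1000:1000::/home/mythtv:/bin/bash\n",
    "frontend2": "root:x:0:0:root:/root:/bin/bash\nmythtv:x:1001:1001::/home/mythtv:/bin/bash\n",
}
SAMPLE_GROUP = {
    "backend":   "root:x:0:\nmythtv:x:1000:\nvideo:x:44:mythtv\n",
    "frontend1": "root:x:0:\nmythtv:x:1000:\nvideo:x:44:mythtv\n",
    "frontend2": "root:x:0:\nmythtv:x:1001:\nvideo:x:44:mythtv\n",
}

if __name__ == "__main__":
    for kind, bad in report(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        for name, hosts in bad.items():
            print(f"{kind} mismatch for {name!r}: {hosts}")
```

Feeding it the real files from each box turns "is everything consistent?" into a one-shot check you can rerun whenever a box is added.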