[mythtv-users] [SLIGHTLY-OT] LDAP vs NIS vs NFS

Paul Bender pebender at san.rr.com
Thu Jul 3 20:36:07 UTC 2008


Brad Fuller wrote:
> I'm always having to make sure the uid and gid's are the same for NFS
> on all my boxes and it's a pain every time I add a box. I read
> somewhere that NIS would be a better way to go, that I wouldn't have
> to worry about that. Anyone using NIS? Is LDAP a better way to go? I
> see it's much more secure, but from my investigations it sure looks
> tough installing.
> 
> Any help would be much appreciated
> 
> (it would seem that this is OT, but I would imagine many here are
> running multiple FE and BEs)

I use LDAP for authentication and authorization on my network. All 
services (e.g. PAM, IMAP, SMTP, LDAP and RADIUS) use LDAP.

I did it for convenience. Once it is set up, it is more convenient to 
have all services throughout the network use the same database. A user 
can have a single account. Each LDAP account is granted access to the 
services to which the user is allowed access.

The initial LDAP configuration as well as the initial configuration of 
each service to use LDAP is somewhat tedious/troublesome. In the past, I 
had to patch certain software packages. However, as time passed and the 
patches made it into the upstream packages, more applications/daemons 
began to support LDAP out-of-the-box.

For NFS, I do not believe that it is any more secure. As long as the 
attacker can add a host to the network, the attacker can configure the 
host to use a UID/GID that is allowed NFS access. However, it can be 
more convenient.

There was a time that I included LDAP support in MiniMyth because I use 
LDAP throughout my network. However, I decided that it was not worth the 
extra software. It did not make the NFS mounts more secure and it did 
change the fact that the MythTV protocol is not secure. Since the 
dedicated MiniMyth frontends have only one user, it was relatively easy 
to make sure that the UID/GID matched across the network.
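
An added example, not part of the original post: a small audit for the UID/GID consistency problem discussed in this thread. It matters because NFS with AUTH_SYS security decides file ownership from the numeric IDs the client sends, not from account names. The host names, accounts and passwd excerpts below are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: passwd(5) excerpts as collected from three hosts.
# Host names and accounts are hypothetical.
SAMPLE_PASSWD = {
    "backend": "root:x:0:0::/root:/bin/sh\n"
               "mythtv:x:1000:1000::/home/mythtv:/bin/sh\n"
               "brad:x:1001:1001::/home/brad:/bin/sh\n",
    "frontend1": "root:x:0:0::/root:/bin/sh\n"
                 "mythtv:x:1000:1000::/home/mythtv:/bin/sh\n"
                 "brad:x:1001:1001::/home/brad:/bin/sh\n",
    "frontend2": "root:x:0:0::/root:/bin/sh\n"
                 "guest:x:1000:1000::/home/guest:/bin/sh\n"
                 "mythtv:x:1001:1001::/home/mythtv:/bin/sh\n",
}

def parse_passwd(text):
    """Return {name: (uid, gid)} from passwd(5)-format text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments, malformed lines and NIS '+' compat entries.
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        entries[fields[0]] = (int(fields[2]), int(fields[3]))
    return entries

def audit(passwd_by_host):
    """Find names whose IDs differ and UIDs that belong to different names."""
    ids_by_name = defaultdict(dict)   # name -> {host: (uid, gid)}
    names_by_uid = defaultdict(dict)  # uid  -> {host: name}
    for host, text in passwd_by_host.items():
        for name, (uid, gid) in parse_passwd(text).items():
            ids_by_name[name][host] = (uid, gid)
            names_by_uid[uid].setdefault(host, name)
    name_mismatch = {n: h for n, h in ids_by_name.items()
                     if len(set(h.values())) > 1}
    uid_collision = {u: h for u, h in names_by_uid.items()
                     if len(set(h.values())) > 1}
    return name_mismatch, uid_collision

if __name__ == "__main__":
    mismatches, collisions = audit(SAMPLE_PASSWD)
    for name, hosts in sorted(mismatches.items()):
        print(f"account {name!r} has different IDs: {hosts}")
    for uid, hosts in sorted(collisions.items()):
        print(f"UID {uid} maps to different accounts: {hosts}")
```

A UID collision is the case to fix first: files written over NFS by one account on one host appear owned by a different account on another.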

