
I have the task to implement a LDAP service for the typical use cases: User authentication, storing more information on users, storing information on machines, etc.

Currently, we have a working NIS system in conjunction with NFS for Linux workstations. Windows machines do not participate and this is one reason, next to a bunch of other systems starting with email, for the change to LDAP.

The main issue, however, is that we are part of a much larger system which will stay with NIS for now. Some users not part of our department work with us and therefore need to log in to our system. Also, it is possible for our users to log in to other systems. These are case-to-case situations however: We explicitly invite somebody into our system or vice-versa.

As I'm just starting with this, could you please give me some hints on:

  • What would be the preferred method of letting users from NIS log in to our Linux machines with LDAP authentication? Is it possible/advisable to use LDAP and NIS side by side (like files ldap nis in nsswitch.conf)?
  • What would be the preferred method of exporting our LDAP user data to the NIS system?

I am aware of the PADL software. However, we prefer to stay with open source software. Proprietary solutions are especially a no-go for the other side of the system.

Edit: Additional constraint! Sorry, I forgot to explicitly mention this. One important aspect is that user ids are in a given range so they do not conflict with the ones from other systems incorporated into the NIS. I don't know how user ids are generated with LDAP, perhaps you can give me an insight on this one as well. Thanks!

ypnos

2 Answers


I suggest you look into PAM on the Linux side of things. There you can define authentication and authorization in chains with all sorts of tricks. E.g. first attempt login using local /etc/passwd, then LDAP, finally NIS. Or the other way around. You can then hook up SSH, GDM, Apache2, etc. to use that.

Morten Siebuhr

In theory there should be no problem with using both NIS and LDAP for both NSS and PAM. You would have to consider which service is used first, to deal with the case of overlapping usernames. It should be a case of setting up NSS as you've suggested. PAM will be a little more complicated. I believe that with NIS, authentication just falls back to using the unix pam module.

David Pashley
  • So would you say that changing the login configuration on both sides to include LDAP would already fix the problem? Then do you know what makes a use-case for software like the PADL gateway? Just other systems than Linux (not only PAM+NSS)? – ypnos Jul 27 '09 at 14:48
  • My guess is that it's used for devices that can't talk LDAP. As for uids, PADL also do some nice scripts for manipulating users in ldap. You would just need to define a range for them to use. – David Pashley Jul 27 '09 at 15:59
  • Thank you very much for your help. I decided to give Morten the accepted answer as it is his first. – ypnos Jul 28 '09 at 12:03
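The two answers and the uid discussion above come down to one practical check before running LDAP and NIS side by side in nsswitch.conf: no username may exist in both sources (the first-listed service silently wins), no uid may be shared (NFS file ownership would be shared too), and the LDAP uids must stay inside the department's agreed range. The script below is an added example, not from the thread or from PADL; the passwd-format dumps are constructed, and in practice they would be assumed to come from something like `ypcat passwd` on the NIS side and an export of the LDAP posixAccount entries.

```python
from collections import defaultdict

# Constructed sample dumps in passwd(5) format (assumption: on a real host the
# NIS side would come from `ypcat passwd`, the LDAP side from an export of
# the posixAccount entries). Neither is taken from the original thread.
NIS_PASSWD = """\
alice:x:1001:1001:Alice (campus):/home/alice:/bin/bash
bob:x:1002:1002:Bob (campus):/home/bob:/bin/bash
carol:x:1003:1003:Carol (campus):/home/carol:/bin/bash
"""
LDAP_PASSWD = """\
dave:x:5001:5001:Dave (dept):/home/dave:/bin/bash
bob:x:5002:5002:Bob (dept):/home/bob:/bin/bash
erin:x:1003:1003:Erin (dept):/home/erin:/bin/bash
frank:x:7000:7000:Frank (dept):/home/frank:/bin/bash
"""


def parse_passwd(text):
    """Return {username: uid} for each well-formed passwd(5) line."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines rather than guessing
        users[fields[0]] = int(fields[2])
    return users


def find_conflicts(ldap, nis, uid_range):
    """Report the three conditions that break an LDAP+NIS nsswitch merge.

    dup_names:    same login name in both sources (first service in
                  nsswitch.conf wins, so one account is unreachable)
    dup_uids:     LDAP uid already used by a NIS user (shared file ownership)
    out_of_range: LDAP uids outside the range reserved for this department
    """
    lo, hi = uid_range
    dup_names = sorted(set(ldap) & set(nis))
    nis_by_uid = defaultdict(list)
    for name, uid in nis.items():
        nis_by_uid[uid].append(name)
    dup_uids = sorted((uid, name, nis_by_uid[uid])
                      for name, uid in ldap.items() if uid in nis_by_uid)
    out_of_range = sorted(name for name, uid in ldap.items()
                          if not lo <= uid <= hi)
    return {"dup_names": dup_names, "dup_uids": dup_uids,
            "out_of_range": out_of_range}
```

With the constructed data and a department range of 5000-5999 the report flags `bob` (name in both), `erin` (uid 1003 already belongs to `carol`) and `erin`/`frank` (outside the range).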