
I'm setting up a small LAN for my team. It will, for all intents and purposes, not be connected to any external networks. I would like it to have centralized control of user accounts (at least, I think I'd like that; I'm also considering using puppet, so theoretically I could just push /etc/passwd changes, or something). The number of machines is fixed, but not very small. Mostly they're 'attached' to a single user, but sometimes people work remotely on someone else's box; and there are a couple of servers.

I've read this question, but my scenario is much simpler (even simpler than in this question) and I'd like to do something (relatively) quick, with not much hassle, but not a dirty totally-insecure hack. Is NIS relevant for my scenario? If not, what's the most hassle-free way to set up LDAP (or LDAP+Kerberos) to achieve the same?

Notes:

  • I have no experience with setting up either NIS or LDAP.
  • We use Debian-flavored Linux distributions, mainly Kubuntu 12.04 (not my choice, but that's the way it is).
einpoklum

2 Answers


I don't think anybody uses NIS anymore - or at least, wants to.

The fastest and easiest way to get a nice LDAP+Kerberos environment up is FreeIPA. It's easy and light enough that I even use it at home.

Red Hat's Identity Management Guide is a great introduction to FreeIPA and will get you up and running quickly.

Note that while Ubuntu has FreeIPA, the version in 12.04 LTS is older and may have bugs or missing features compared to more recent versions.

Michael Hampton
  • From looking at the website, I'm worried it might be tied to RedHat'ish distributions (RHEL, CentOS, Fedora). Is this true? – einpoklum Nov 01 '13 at 07:38
  • It's available for Debian and Ubuntu, but why would anybody be using those? :) – Michael Hampton Nov 01 '13 at 07:42
  • It does look better supported on RHEL/CentOS. When setting up something as critical as an identity management service, it might be advisable to use the best-supported distribution, regardless of what the client machines are using, IMHO. – mpontillo Nov 01 '13 at 07:44
  • @Mike: The server's distro is not my choice, and I can't/don't want to use a dedicated server (or virtual server) for this. – einpoklum Nov 01 '13 at 08:08
  • @einpoklum For a group of your size, the whole setup is small and light enough to fit in a 512MB RAM virtual machine with room left over. There's little reason not to do so. – Michael Hampton Nov 01 '13 at 08:14
  • @MichaelHampton: I am certainly not going to waste 512MB of RAM for a tiny daemon which runs occasionally doing very little. In fact, I'm not setting up VMs for anything on the server (which is in fact a relatively weak and old machine). – einpoklum Nov 01 '13 at 08:19
  • Maybe if it were really one tiny daemon. You really do need to dedicate a (virtual) machine to this; if you can't or won't, then you shouldn't use FreeIPA. – Michael Hampton Nov 01 '13 at 08:24
  • Ubuntu only has the FreeIPA client packages as far as I'm aware. Or have the server packages finally progressed? – ptman Nov 01 '13 at 09:26
  • @MichaelHampton: Why would I need to dedicate a server to this? Other than to have a RedHat-flavor distro? – einpoklum Nov 01 '13 at 11:04
  • @einpoklum Best practices dictate that the authentication/authorization server *always* be on its own system, which *nobody* logs in to except for normal maintenance. Much like you don't use your AD domain controller for a workstation, you don't use your LDAP/Kerberos/NIS box as a web server. – voretaq7 Nov 11 '13 at 21:34

IAR (Internet Account Replication) is what you are looking for. It is mostly a shell script, and it's very easy to use. It uses SSH for transport -- no portmapper/RPC ugliness like NIS, and it uses GPG for verification. It has been used in production on Ubuntu and Redhat. It is no LDAP, so it definitely is not intended for all purposes...but it replaces NIS for most uses, and it is really easy to set up. That said, I'm one of the authors of the quick pretty elegant hack that IAR is, so I might be a tad biased.

The docs, a .deb repo, and an online source code browser are available at iar.hcn-inc.com. RPMs and a tarball can be downloaded from sourceforge.net.