More on Good Laziness
Laziness extends to authentication and authorization systems, too. At my last job, we started out with five or so primary systems that people needed access to, and a bunch of supporting systems that nobody logged into directly. It was, at the time, no big deal to go ahead and create an account for someone on those five or so machines. That changed over the course of a year or so, when we suddenly had 20, 30 and then more systems people needed to use, depending on what they were doing. Had we the foresight, we would have set up something back in the early days to centralize the management and control of user and group accounts. Where I am now, there’s at least NIS to tie everything together. It’s not the most robust technology for a network, but it does the job and will keep doing the job until we get around to LDAP.
LDAP, though, is truly the “bee’s knees”, as all the cool kids are saying these days. (I would call it the cat’s pajamas, but I did that and all the student workers looked at me like I had three heads. Cerberus, or Kerberos, depending on who you ask and whether or not you’re at MIT, has three heads, but that’s another article.) Right off the bat, LDAP offers some important things over NIS that make me positively giddy in anticipation.
First, given appropriate access rights, you can update an LDAP master from anywhere, over the network, securely. This means we can divorce our user creation tools from the “master” server and run them, well, anywhere. This means we no longer have to run them as root: the tool binds as a delegated account, and LDAP ACLs can limit that account to writing the user subtree and nothing else. This means we don’t have to have people log on to our master server directly (which is a security risk) to maintain user accounts. We can make a web-based tool if we really wanted to (and I think we do).
Second, we can restrict it on both the servers and the clients so that LDAP connections only ever go over SSL links. The server side refuses any bind or lookup that is not protected by TLS; the client side refuses to talk to anything but the expected server certificate, because an encrypted link to an impostor directory is not much of an improvement. This is, in and of itself, enough of a reason to move to LDAP over NIS in our security-conscious world, and I’d be lying if I said it wasn’t at least part of our reason for moving to it.
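What that looks like in practice, as an added example and not configuration from the original post: an OpenLDAP slapd.conf-style server fragment that refuses any operation below 128-bit TLS, and the matching client settings for the OpenLDAP tools and for PADL nss_ldap/pam_ldap. Hostnames, file paths and the base DN are assumptions. The last stanza shows the setting you do not want.

```conf
# --- server: slapd.conf (OpenLDAP 2.x; with cn=config the equivalents are the olc* attributes)
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/ldap.example.com.crt
TLSCertificateKeyFile  /etc/openldap/ldap.example.com.key
# Refuse binds and searches unless the session has at least a 128-bit TLS security strength
# factor. A plain ldap:// connection that has done StartTLS qualifies; a cleartext one does not.
security tls=128
disallow bind_anon

# --- client: /etc/openldap/ldap.conf (used by ldapsearch, ldapadd, ldapmodify and libldap)
URI          ldaps://ldap.example.com
BASE         dc=example,dc=com
TLS_CACERT   /etc/openldap/cacert.pem
# 'demand' aborts the connection if the server certificate is missing or does not verify.
TLS_REQCERT  demand

# --- client: /etc/ldap.conf (PADL nss_ldap / pam_ldap, for login and getpwnam lookups)
uri             ldaps://ldap.example.com
base            dc=example,dc=com
ssl             on
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacert.pem

# --- the weak setting: encrypted, but to whoever answers on port 636
# TLS_REQCERT  never     # do not do this; it disables server certificate validation
```

Run slapd with `-h "ldaps:///"` alone if you want to drop the cleartext port entirely; keep `ldap:///` as well only if your clients are configured for StartTLS, since `security tls=128` still rejects anything that never negotiates TLS.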
Third, we can enforce unix “shadow” password expiration policies. I can’t find a way to do this in NIS, though it may be as simple as creating a “shadow” NIS map.
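To tie the first and third points together, here is an added Python example (not the original post's tooling) that builds the LDIF for a posixAccount/shadowAccount user with the expiry policy attributes set, and evaluates the shadow fields the way pam_unix does so you can see which state a given account is in before the directory tells a user at login. The base DN, the policy values (90-day maximum age, 7-day warning, 14-day inactivity grace) and the sample user are constructed for the example; the check approximates pam_unix's shadow logic rather than quoting it.

```python
from datetime import date

# Constructed policy values for the example (not from the original post).
SHADOW_MAX = 90        # days a password may be used before it must be changed
SHADOW_WARNING = 7     # days before expiry that the user is warned
SHADOW_INACTIVE = 14   # days after expiry during which a change is still allowed

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadowLastChange and shadowExpire are stored as days since 1970-01-01,
    exactly as in /etc/shadow."""
    return (d - EPOCH).days


def build_user_ldif(uid: str, uidnum: int, gidnum: int, last_change: date,
                    base_dn: str = "dc=example,dc=com") -> str:
    """Return an LDIF entry for ldapadd. No password hash is embedded; set it
    afterwards with ldappasswd so the hash never travels through this tool."""
    lines = [
        f"dn: uid={uid},ou=People,{base_dn}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {uid}",
        f"cn: {uid}",
        f"sn: {uid}",
        f"uidNumber: {uidnum}",
        f"gidNumber: {gidnum}",
        f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash",
        f"shadowLastChange: {days_since_epoch(last_change)}",
        f"shadowMax: {SHADOW_MAX}",
        f"shadowWarning: {SHADOW_WARNING}",
        f"shadowInactive: {SHADOW_INACTIVE}",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif_entry(text: str) -> dict:
    """Minimal parser for one unfolded LDIF entry: attribute -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def password_state(attrs: dict, today: date) -> str:
    """Approximate pam_unix's shadow checks.
    Returns 'ok', 'warn', 'expired' (must change now) or 'locked' (past the
    inactivity grace or past shadowExpire; an admin has to intervene)."""
    now = days_since_epoch(today)
    last = int(attrs["shadowLastChange"][0])
    max_days = int(attrs.get("shadowMax", ["-1"])[0])
    warn = int(attrs.get("shadowWarning", ["-1"])[0])
    inactive = int(attrs.get("shadowInactive", ["-1"])[0])
    expire = int(attrs.get("shadowExpire", ["-1"])[0])

    if expire != -1 and now >= expire:
        return "locked"            # absolute account expiry date has passed
    if last == 0:
        return "expired"           # shadowLastChange 0 forces a change at next login
    if max_days == -1:
        return "ok"                # no maximum age: password never ages out
    age = now - last
    if inactive != -1 and age > max_days + inactive:
        return "locked"
    if age > max_days:
        return "expired"
    if warn != -1 and age > max_days - warn:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed sample user; pipe the output into
    #   ldapadd -H ldaps://ldap.example.com -D "uid=useradmin,ou=People,dc=example,dc=com" -W
    # bound as the delegated (non-root) account that owns ou=People.
    ldif = build_user_ldif("jdoe", 10001, 10001, date(2023, 10, 1))
    print(ldif)
    print(password_state(parse_ldif_entry(ldif), date(2024, 1, 1)))
```

The bind DN on the ldapadd command line is the whole point of the first item above: the script runs wherever you like, as whoever you like, and the directory's ACLs decide what that identity may touch.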
So, you can think of it as being the perfect Lazy solution. With a bit of work, you can drastically reduce your workload while, at the same time, helping out your security situation a bit. Hell, I’ll take that any day!