After the untimely death of NIS (née YP) and NIS+, has there been any work on a distributed authentication (and not only) system under Unix beyond Kerberos? It seems that now you “distribute accounts by ansible”, which makes an old hand like me cringe. LDAP has been mentioned to me, but nothing lightweight which doesn’t stink of committee meetings or misguided devops has turned up since?
@cynicalsecurity So I use both Kerberos and LDAP at home; in fact I have 3 separate Kerberos domains at home (yes, I know I am not normal). NIS certainly had its elegance in simplicity and LDAP has its issues, but they work pretty well together. I am happy to give pointers and howtos. My setup tends to be a bit BigIron ™️
@cynicalsecurity Wow, removed in 5.6, TIL (2014). Listed as improving security; curious to hear more about that.
LDAP: great question, and yeah, to be totally honest it is (at best) an awkward fit with the Unix philosophy. Really it comes down to a few things.
1. There really isn't anything else to securely distribute this information.
1/2
3. Lots of things just expect LDAP for this and natively integrate. Things like Redmine, Trac, etc. (see also account-adjacent information). Without LDAP, each one of these winds up having its own separate user DB that then needs to be managed separately.
That's it, I promise!