After the untimely death of NIS (née YP) and NIS+, has there been any work on a distributed authentication (and not only) system under Unix beyond Kerberos? It seems that now you "distribute accounts by Ansible", which makes an old hand like me cringe. LDAP has been mentioned to me, but nothing lightweight which doesn't stink of committee meetings or misguided devops has turned up since?
@cynicalsecurity So I use both Kerberos and LDAP at home; in fact I have 3 separate Kerberos domains at home (yes, I know I am not normal). NIS certainly had its elegance in simplicity and LDAP has its issues, but it works pretty well together. I am happy to give pointers and howtos. My setup tends to be a bit BigIron ™️.
2. There's an ever-growing amount of "account-adjacent" information that needs to be coordinated. I use it for the Kerberos keys themselves (so I actually don't have a separate KDC database; the KDC uses LDAP), and the KDC then throws a bunch of other information onto the account that it actually cannot even do with its native DB.
2/3
@cynicalsecurity
3. Lots of things just expect LDAP for this and natively integrate. Things like Redmine, Trac, etc. (see also account-adjacent information). Without LDAP, each one of these winds up having its own separate user DB that then needs to be managed separately.
That's it, I promise!
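As an added illustration of the "one entry, many consumers" setup described above (constructed for this page, not taken from either poster's configuration): a single LDAP entry that is at once a POSIX account for NSS/PAM, the MIT KDC's principal record when the KDC is built on the kldap backend (the krbPrincipalAux / krbTicketPolicyAux classes come from MIT's kerberos.schema), and the place where account-adjacent data such as mail and SSH keys lives. The DN suffix, the uid "alice", the service DNs and the key placeholder are assumptions. The second record shows the OpenLDAP ACL a practitioner would want alongside it: with the KDC on LDAP, krbPrincipalKey is the realm's key material, so only the KDC identity may read it and only kadmind may write it.

```ldif
# Constructed example entry (hypothetical names throughout).
# One object serves NSS/PAM (posixAccount), sshd via the openssh-lpk schema
# (ldapPublicKey), mail/directory consumers (inetOrgPerson) and the MIT KDC
# (krbPrincipalAux, krbTicketPolicyAux). Apply with ldapadd.
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
uid: alice
cn: Alice Example
sn: Example
mail: alice@example.com
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
# Placeholder key; sshd's AuthorizedKeysCommand can fetch this attribute.
sshPublicKey: ssh-ed25519 <base64-public-key> alice@laptop
# Kerberos attributes. krbPrincipalKey is written by kadmin, never by hand,
# so it is deliberately absent here; kadmin attaches it to this entry.
krbPrincipalName: alice@EXAMPLE.COM
krbLastPwdChange: 20240101000000Z
krbPasswordExpiration: 20250101000000Z
krbMaxTicketLife: 86400
krbMaxRenewableAge: 604800

# Constructed ACL for the cn=config backend; apply separately with ldapmodify.
# olcAccess rules are ordered and the first match wins, so this must sit
# before any broader "to * by ..." rule in the same database.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=krbPrincipalKey,krbPwdHistory,krbExtraData
  by dn.exact="cn=kdc-service,dc=example,dc=com" read
  by dn.exact="cn=kadmin-service,dc=example,dc=com" write
  by * none
```

With MIT Kerberos, the principal is bound to an existing directory entry rather than created under the realm container, e.g. `kadmin.local addprinc -x dn=uid=alice,ou=people,dc=example,dc=com alice`, and the KDC's realm must list `ou=people,dc=example,dc=com` among its search subtrees (`kdb5_ldap_util ... -subtrees`). Two checks worth running after the ACL is in place: an anonymous or ordinary user bind should get no krbPrincipalKey back from `ldapsearch`, and the KDC bind DN should still be able to issue a ticket for the principal.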