On Sat, May 19, 2012 at 9:47 PM, Dan White <y...@comcast.net> wrote:
> In my experience, replacements for NIS are things like LDAP and DNS
>
> While Puppet can help with the implementation, IMHO it cannot do the actual
> work of any of these services.

I tend to agree with Dan on this one. I am a fan of LDAP for user/group management and DNS for name resolution. However, to play devil's advocate, let's pick apart some of what NIS does for you and what Puppet could do to replace NIS.

> Or did I misunderstand the question ?

I also wonder if I understand the question correctly, but I'm going to try to tackle it anyway. :)

> On May 19, 2012, at 7:51 PM, ConradL wrote:
>> Hi folks --
>>
>> Does anyone out there have experience replacing NIS using puppet?
>> If so, can you kindly share with me some advice, gotchas, and whatnot,
>> etc...

NIS can be used for a bunch of databases: ethers, netmasks, networks, etc. I assume though that you are referring to passwd, shadow, group and hosts, so let's consider those.

User/Group Management (passwd, shadow, group) - See the User and Group types.
http://docs.puppetlabs.com/references/stable/type.html#user
http://docs.puppetlabs.com/references/stable/type.html#group

Pros (of using puppet):
- No dependence on LDAP/NIS server
- No firewall rules, no fiddling with LDAP+TLS or LDAPS
- Perhaps more responsive (maybe not, given other services like nslcd, sssd, nscd)
- There are lots of tools for password synchronization between different directories

Cons:
- No central failed login tally. Sure, you can deploy pam_tally to limit failed login attempts, but any attempt to brute force a password would get [# of attempts] * [# of hosts an account is on].
- Delay to add/remove users is dependent on how often hosts retrieve their catalogs. For new users this is inconvenient, but for disabling users this can be a concern.
- Sure, puppet is auditable, but if you use something like pam_groupdn with LDAP, finding out who can log in to your servers is a simple query with most directory servers: "ldapsearch -x isMemberOf=cn=linuxaccess,dc=example,dc=com"
- If you wanted to do password policying you'd have to check password strength/length before letting puppet deploy the hash. This is generally just a feature of an LDAP directory.

Naming (hosts) - See the puppet Host type, or the File type if you just want to manage the whole file as one unit.
http://docs.puppetlabs.com/references/stable/type.html#host
http://docs.puppetlabs.com/references/stable/type.html#file

Pros (of using puppet):
- Exported resources would be an easy win to get hosts into /etc/hosts, but if you used puppet to manage bind you could get the same effect
- Like before, no dependence on another server, no firewall rules, etc.
- In theory more responsive than DNS, but DNS is pretty fast, and using things like nscd or a local caching resolver, that's moot

Cons:
- You'll probably still need DNS anyway... Unless you have a completely isolated environment you'll probably need DNS for something anyway.
- Like before, naming updates are dependent on your puppet catalog compilations

Those things said, I can see reasons why one might use puppet to manage users/groups over LDAP and hosts over DNS. In an environment where:
- users/groups don't change frequently
- there was no need for DNS for other things (mail, service location, etc.)
- the hosts were built/destroyed frequently (think ec2 or other cloud provider)
- network access to such services was problematic (think ec2 or other provider)
it might in fact make sense to use Puppet to manage some of what you would use NIS for.

Hope that helps and I'd be glad to keep discussing.

-Alan

>> Thanks in advance for your help ....
>>
>> -Conrad
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
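As an added example (not code from this thread or from the Puppet docs), here is a manifest covering the three NIS maps Alan walks through: passwd/shadow and group via the User and Group types, and hosts via exported Host resources. Every name, UID, GID, tag and the password hash below is a constructed placeholder, and the exported-resource part assumes storeconfigs/PuppetDB is enabled.

```puppet
# Constructed example: replacing the passwd/shadow, group and hosts NIS maps
# with native Puppet types. Names, ids, tag and hash are placeholders.

group { 'linuxaccess':
  ensure => present,
  gid    => 2000,
}

# passwd + shadow in one resource. The password is a crypt(3) hash, never
# plaintext; generate it offline and treat the manifest as sensitive, since
# anyone who can read it gets the hash (the "deploy the hash" caveat above).
# On Linux the useradd provider needs the ruby-shadow library to set it.
user { 'alice':
  ensure     => present,
  uid        => 2001,
  gid        => 'linuxaccess',
  shell      => '/bin/bash',
  home       => '/home/alice',
  managehome => true,
  password   => '$6$PLACEHOLDERSALT$PLACEHOLDERHASH',  # constructed placeholder
  require    => Group['linuxaccess'],
}

# Offboarding: agents only see this at their next catalog run, so removal is
# delayed by the run interval (the disabling-users concern raised in the thread).
user { 'bob':
  ensure => absent,
}

# hosts map: every node exports its own /etc/hosts line using the standard
# fqdn / ipaddress / hostname facts...
@@host { $::fqdn:
  ensure       => present,
  ip           => $::ipaddress,
  host_aliases => [$::hostname],
  tag          => 'site_hosts',   # constructed tag name
}

# ...and collects everyone else's exported entries into its own /etc/hosts.
Host <<| tag == 'site_hosts' |>>
```

Because a node's entry is only exported when it checks in and collected when its peers check in, a freshly built or destroyed host takes up to two run intervals to appear in or vanish from the other nodes' /etc/hosts, which is the catalog-compilation delay Alan lists under Cons.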