RFC: -server packages universe demotions and main promotions

J Jude jmjudeb at gmail.com
Sun Jan 3 18:50:42 GMT 2010


Since demoting NIS seems to be decided, I decided to give LDAP a try.

(Please do not read this message as a flame.  Read it as one sysadmin's
reaction on migrating to LDAP, but I think that my reaction will be a
common one.)


What a pain to use!  Practical documentation is hard to find.  There is lots
of information about the LDAP protocol, but not much in the way of how to
replace NIS with LDAP.

The integration between NIS and the system is much tighter than LDAP.
With LDAP, everything seems to be grafted on, requiring special handlers
for autofs, dovecot, etc.

NIS is designed to provide the existing system information to network
clients, so support scripts create information maps from the standard
system files.  LDAP is a repository, so support scripts are confused
between preserving the existing repository, versus updating with current
system information.

IMHO, I think sys admins would be tempted to rsync config files (passwd,
shadow), instead of slogging through LDAP configuration.




On Mon, Dec 7, 2009 at 13:33, Kees Cook <kees at ubuntu.com> wrote:
> On Fri, Dec 04, 2009 at 08:54:47PM +0100, Reinhard Tartler wrote:
>> Mathias Gug <mathiaz at ubuntu.com> writes:
>> > The Ubuntu Server team would like to get your feedback on whether the packages
>> > listed below should be demoted to universe or promoted to main.
>> >
>> > [...]
>> >
>> > == Proposed universe demotion ==
>> >
>> >  # nis
>>
>> Especially in university environments, nis is still really used a lot.
>> At least at the place I work, all our student and employee user
>> databases handled for unix systems are maintained in nis.  True, ldap is
>> superior in many ways, but unless there is a compelling reason for
>> demoting it, I'd rather have it in main.
>
> NIS is pretty insecure, so it is in everyone's best interest to encourage
> the use of other technologies.  Having it out of main doesn't mean
> it can't be used, it just isn't officially supported.  As an example,
> telnetd (inetutils) isn't in main either, but if you really want it,
> you can still use it.
>
> +1 to demote nis.
>
>> >  # racoon
>> >  # ipsec-tools
>>
>> No ipsec support in main at all? Also mandatory for ipv6 AFAIUI.
>
> racoon is from ipsec-tools, so this is the same thing.  I'm still confused
> about this, but it seems that there are very few ways to do ipsec keying.
> I'm for dropping ipsec-tools, given its vulnerability history, but I do
> not have a recommendation for what SHOULD be the supported IPSEC keying
> system.
>
> -Kees
>
> --
> Kees Cook
> Ubuntu Security Team
>
> --
> ubuntu-devel mailing list
> ubuntu-devel at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>


