[SAGE] NIS/LDAP/NIS+ fest (Re: Unix displacement)
Quoting Mick Sheppard (mick@tbcs.co.uk):
> Quoting Brad Knowles <brad.knowles@skynet.be>:
...
> First a history lesson - in the dawn of time (1/1/1970) we had flat files and
> these sufficed quite a while. Then along came networks and NFS in particular.
> NFS authentication was UID based so some method of maintaining UIDs cross
> system was needed and Yellow Pages (renamed to NIS because of a British Telecom
> copyright in the UK) was born.
Utter trivia, but a "UK trademark", AFAIK, is recognized across
many (most) nations. IANAL, but I believe it covered the US at least.
And it came to light not when BT called Sun on it, but when an
overachieving, soon-to-be-former Sun legal person called BT and
said "We're using the term Yellow Pages to cover this; this isn't
a problem with you is it?"
As far as I know this is how it went. If it varied, then this
is my contribution to urban legend. Correct it here.
> This had serious problems of scalability and
> security and was subnet based but was implemented by everyone.
It had few scalability problems. And yes, I've seen 20 interface
Sparc 10s (many QFEs) with a "foot in many subnets".
I used YP/NIS maps pushed out across very large WANs.
I advocated Hesiod for that, but SunOS is closed source and Sun
wasn't very reactive.
> In the
> early '90s Sun unveiled Solaris 2 and with it NIS+. A more complex version of
> NIS with security, replication, delegation and binary databases. This was not
> generally adopted and remained almost solely a Sun thing.
Partly because of MASSIVE scalability and control problems. Even
with access to Sun. You have a server 2 meters away on a gigabit
link and another server over a 56k line in Denver and your client
will bind to EITHER of the servers. I saw a 56k line go from 5%
use to 100% when NIS+ was put into use for 1 day before it was
pulled back. Seems nobody thought about something like resolv.conf
where I can make it start to use a local machine.
(I've also had well intentioned Sun consultants ask if I'd use
DNS over NIS+ for hosts - "do you really think DNS scales for infrastructure?"
I offered that after the first 4 million machines, I didn't really know).
Re: the rest.
LDAP takes a bit to understand. It's a bear to setup the first
time. Schema files hurt the uninitiated brain - like the first
time you set up a named zone file. Once it's there, though, with
the right indices it scales MASSIVELY. I don't trust the security
of a large complex program like this, but I also run databases
which I don't trust. Don't run exposed LDAP servers and take the
usual precautionary measures.
For queries, it's like the key -> value that DNS (and NIS) offer.
But I can make complex "key" type queries.
Show me the users where the "businessGroup=MIS" and the startDate
is after 01/01/2000 and their desk Location is in Building 14.
A printing front end might make a pseudo query like:
Show me the printers for Location is Building 14 and Floor is 3
and Use is "Public"
and get a list of nearby printers to pop them up for the user's selection.
I can store the NIS maps in it. I can store ID photos, SSL public
keys, mail information, etc, etc. I can restrict perhaps the dorm
and room info of students to only administrators. I could, but
wouldn't, store HR information like salary, etc. It's supposedly
secure with ACLs. I view that risk is not worth the benefit.
Phone books (forward and reverse) are simple scripts.
My mail agents (mutt, mozilla, eudora, etc) can use it.
In mozilla, I can type "ch" into the TO field and get a popup of
all users who start with "ch".
None of this works with NIS or NIS+.
NIS+, like NetInfo, was a proprietary effort with good intent
and not much industry adoption. LDAP works with MS and Mac and
Unix. Maybe even "Open" VMS?
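The "complex key" queries described above (users by business group, start date and building; public printers on a floor; the "ch" prefix lookup a mail client does) are LDAP search filters in RFC 4515 syntax. The following is an added example, not code from the original post or from any product it mentions. It builds those three filters and, because the post's point about not trusting exposed LDAP servers applies just as much to the values a front end pastes into a filter, escapes every user-supplied value so that text like "*)(uid=*" cannot add terms to the query. The attribute names other than businessGroup and startDate (l for location, floor, use, cn) are assumptions, as is the assumption that startDate is stored as LDAP GeneralizedTime.

```python
"""Build RFC 4515 LDAP search filters with properly escaped values.

Added example, not from the original post. Attribute names other than
businessGroup and startDate (l, floor, use, cn) are assumptions, as is the
GeneralizedTime syntax assumed for startDate.
"""
from datetime import datetime, timezone

# RFC 4515 section 3: these characters in an assertion value must be written
# as a backslash followed by two hex digits. Without this, a user-supplied
# value can close the current term and open new ones (LDAP injection).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed sample date for the "started after 01/01/2000" query.
START_OF_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)


def escape_value(value: str) -> str:
    """Escape one assertion value for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def generalized_time(dt: datetime) -> str:
    """Render a datetime as LDAP GeneralizedTime (RFC 4517) in UTC, e.g. 20000101000000Z."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def and_filter(*terms: str) -> str:
    """Combine already-formed filter terms with the AND operator."""
    return "(&" + "".join(terms) + ")"


def eq(attr: str, value: str) -> str:
    """Equality match; the value is escaped, the attribute name is ours."""
    return f"({attr}={escape_value(value)})"


def ge(attr: str, value: str) -> str:
    """Greater-or-equal match. LDAP has no strict 'after', so 'after 2000-01-01'
    becomes 'on or after 2000-01-01 00:00:00Z'."""
    return f"({attr}>={escape_value(value)})"


def prefix(attr: str, typed: str) -> str:
    """'Starts with' substring match. The wildcard is appended by us after
    escaping, so a '*' typed by the user stays a literal asterisk."""
    return f"({attr}={escape_value(typed)}*)"


def users_filter(group: str, start_after: datetime, building: str) -> str:
    """Users in a business group who started after a date and sit in a building."""
    return and_filter(
        eq("businessGroup", group),
        ge("startDate", generalized_time(start_after)),
        eq("l", building),
    )


def printers_filter(building: str, floor: str, use: str) -> str:
    """Printers in a building, on a floor, with a given use (e.g. Public)."""
    return and_filter(eq("l", building), eq("floor", floor), eq("use", use))


def phonebook_prefix_filter(typed: str) -> str:
    """What a mail client sends when the user types the first letters of a name."""
    return prefix("cn", typed)


if __name__ == "__main__":
    print(users_filter("MIS", START_OF_2000, "Building 14"))
    print(printers_filter("Building 14", "3", "Public"))
    print(phonebook_prefix_filter("ch"))
    # A hostile prefix: the parentheses and asterisks come out escaped, so the
    # filter still matches names beginning with that literal string only.
    print(phonebook_prefix_filter("*)(uid=*"))
```

The filters produced here are the ones the post sketches in English: `(&(businessGroup=MIS)(startDate>=20000101000000Z)(l=Building 14))` for the users query and `(cn=ch*)` for the "ch" popup. The only part a careless front end tends to skip is `escape_value`; a directory with per-attribute ACLs still returns whatever the bind identity is allowed to read if a user can rewrite the filter, so escape before trusting those ACLs.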