Hi everyone -
The SELinux boolean is now called nis_enabled. I think allow_ypbind is still accepted, but not published in the getsebool -a list.
We use ypbind behind a firewall for our linux accounts on a protected subnet (clients: SL7, server: SL6.6) without any problems. It is super easy to set up and maintain for an environment with a thousand accounts, 30 client machines, and many account changes nightly and where we use NFS-mounted home directories. Those qualities make automation with LDAP much more difficult.
I know its security is poor, but here are a few suggestions to help at least a bit with the most onerous security issues:
- restrict the uid/gid subset you export
- don't publish the shadow map
- restrict who can connect using the securenets file
If anyone else has any words of wisdom to try to help tighten NIS in these environments (other than "why are you still using it?"), I'd love to hear it.
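As an added example (not part of the original post), a shell audit of the three mitigations above against a ypserv server: it assumes the stock ypserv Makefile variables MINUID, MINGID and MERGE_PASSWD, a uid/gid floor of 1000, and constructs its own sample files. It also flags MERGE_PASSWD=true, because that option merges the shadow hashes into the passwd map even when the shadow map itself is not built.

```shell
#!/bin/bash
# Added example: audit a ypserv Makefile and securenets file. Paths, the
# uid/gid floor and the sample configs are assumptions constructed here.
# 0 if every securenets rule is scoped; "0.0.0.0 0.0.0.0" admits any client.
check_securenets() {
    local mask net bad=0
    while read -r mask net; do
        case "$mask" in ''|'#'*) continue ;; esac
        if [ "$mask" = 0.0.0.0 ] && [ "$net" = 0.0.0.0 ]; then
            echo "securenets: open rule '$mask $net'"; bad=1
        fi
    done < "$1"
    return "$bad"
}
# 0 if MINUID and MINGID are at least $2, so system accounts stay unexported.
check_min_ids() {
    local var val rc=0
    for var in MINUID MINGID; do
        val=$(sed -n "s/^$var *= *\([0-9]*\).*/\1/p" "$1" | tail -n 1)
        if [ -z "$val" ] || [ "$val" -lt "$2" ]; then
            echo "Makefile: $var=${val:-unset}, below $2"; rc=1
        fi
    done
    return "$rc"
}
# 0 if "shadow" is absent from the (possibly multi-line) "all:" target and
# MERGE_PASSWD is not true, since merging copies hashes into the passwd map.
check_no_hashes() {
    awk '/^all:/ { on = 1 }
         on { l = $0; sub(/^all:/, "", l); n = split(l, w, /[ \t]+/)
              for (i = 1; i <= n; i++) if (w[i] == "shadow") bad = 1
              if (l !~ /\\[ \t]*$/) on = 0 }
         /^MERGE_PASSWD *= *true/ { bad = 1 }
         END { if (bad) { print "Makefile: password hashes are exported"; exit 1 } }' "$1"
}
# Constructed hardened sample config (not taken from any real server).
make_sample() {
    mkdir -p "$1"
    printf '255.255.255.0 10.20.30.0\nhost 127.0.0.1\n' > "$1/securenets"
    printf 'MINUID=1000\nMINGID=1000\nMERGE_PASSWD=false\n' > "$1/Makefile"
    printf 'all: passwd group hosts \\\n\trpc services netid\n' >> "$1/Makefile"
}
# Exit status is the number of failed checks (0 means all three pass).
audit() {
    local fails=0
    check_securenets "$1/securenets" || fails=$((fails + 1))
    check_min_ids "$1/Makefile" 1000 || fails=$((fails + 1))
    check_no_hashes "$1/Makefile" || fails=$((fails + 1))
    return "$fails"
}
```

Run it as `make_sample /tmp/yp && audit /tmp/yp` to see the hardened sample pass; pointing `audit` at a directory holding a real /var/yp/Makefile and securenets reports each failing check on stdout.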