Overview of NIS+ to LDAP Migration

Comparing Features and Security Between LDAP-UX and NIS+

NIS+ can hide passwords from users and supports Trusted Mode, which offers extensive password and account policies. However, passwords are sent over the network in clear text.

With LDAP support, passwords can be hidden from users and may also be hashed for protection. The LDAP directory server supports the UNIX-crypt, SHA, and SSHA hashing methods. Although SASL Digest-MD5 protects passwords over the network during authentication, it requires passwords to be stored in clear text in the directory server.
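The storage trade-off described above, as an added example that is not part of the original documentation: the Python code below classifies userPassword values by storage scheme and checks a candidate password against {SHA} and {SSHA} values. It assumes the RFC 2307-style {SCHEME} prefix with SHA-1 digests; the function names, notes and sample entries are constructed for illustration.

```python
import base64
import hashlib
import hmac

NOTES = {  # per-scheme review notes (wording is this example's own)
    "CLEARTEXT": "stored in clear text; what DIGEST-MD5 requires",
    "CRYPT": "UNIX crypt; not verified here (needs the host's crypt(3))",
    "SHA": "unsalted SHA-1; equal passwords give equal stored values",
    "SSHA": "salted SHA-1; salt is appended after the 20-byte digest",
}

def encode(password, salt=None):
    """Build {SHA} (no salt) or {SSHA} (salt appended to the digest) from bytes."""
    scheme, salt = ("SSHA", salt) if salt else ("SHA", b"")
    digest = hashlib.sha1(password + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def scheme_of(value):
    """Scheme name from the {PREFIX}; a value with no prefix is clear text."""
    end = value.find("}")
    return value[1:end].upper() if value.startswith("{") and end > 0 else "CLEARTEXT"

def verify(value, candidate):
    """Check candidate bytes against a clear-text, {SHA} or {SSHA} value."""
    scheme = scheme_of(value)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(value.encode(), candidate)
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("cannot verify scheme " + scheme)
    blob = base64.b64decode(value[value.index("}") + 1:])
    digest, salt = blob[:20], blob[20:]  # salt is empty for {SHA}
    return hmac.compare_digest(digest, hashlib.sha1(candidate + salt).digest())

def audit(entries):
    """Return ({uid: (scheme, note)}, groups of uids sharing one stored value)."""
    report, same = {}, {}
    for uid, value in entries.items():
        scheme = scheme_of(value)
        report[uid] = (scheme, NOTES.get(scheme, "unrecognised scheme"))
        same.setdefault(value, []).append(uid)
    return report, [uids for uids in same.values() if len(uids) > 1]

SAMPLE = {  # constructed entries (uid -> userPassword), not from a real directory
    "alice": encode(b"Spring2024"),
    "bob": encode(b"Spring2024"),
    "carol": encode(b"Spring2024", b"\x01\x02\x03\x04"),
    "erin": "{CRYPT}<crypt-string-placeholder>",
    "frank": "Spring2024",
}
```

Running audit(SAMPLE) groups alice and bob together, because unsalted {SHA} maps equal passwords to equal stored values, while carol's {SSHA} value for the same password is different.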

 

Table 1-2 compares security between LDAP-UX and NIS+:

 

Table 1-2  Security Comparison between LDAP-UX and NIS+

Security                                NIS+ with Trusted Mode   LDAP-UX Coexisting with Trusted Mode
--------------------------------------  -----------------------  ------------------------------------
last login reporting                    yes                      local accounts only
auditing                                yes                      yes
account expiration                      yes                      a
administrative account lock             yes                      a
lock account due to max failed logins   yes                      a
option to disallow null passwords       yes                      a
auto-generated passwords                yes                      a
password history                        yes                      a
boot authentication                     local accounts only      local accounts only
lock device due to max failed logins    yes                      local accounts only
time-of-day login restrictions          yes                      a
who last changed the password           yes                      a
long passwords                          local accounts only      a
