Although many administrators consider LDAP to be more secure than Network Information Service (NIS), it isn’t as functional. One of the biggest limitations is that users might not be able to change their passwords, depending on the versions of Pluggable Authentication Modules (PAM), Name Service Switch (NSS), and LDAP. In the configuration steps I outline, only openSUSE users can change their passwords. This limitation has implications in environments in which passwords are configured to expire periodically--UNIX and Linux users will need to log on to Windows systems to change their passwords.

Another limitation is that UNIX and Linux clients might not recognize users when they use commands such as ls or id. The system might instead display a user ID (UID).

In addition, users might find that GUI environments don’t work as expected. This is a limitation of desktop environments, which can’t query LDAP directories correctly. In many cases, the problems and solutions are documented—but they tend to be desktop and platform specific.

As more users seek to integrate UNIX and Linux clients with Windows Active Directory (AD), more robust solutions for these clients will likely be developed. But LDAP is a good interim solution, and many of its problems can be prevented if you allow anonymous access to AD using the LDAP protocol, and if you make the ldap.conf file used by PAM and NSS world-readable. Keep in mind that both of these resolutions carry risks—especially making the ldap.conf file world-readable, which gives users access to credentials that can be used to log on to AD.