Re: Linux Administration - Users in (any) database howto/why...

Joe joe at nationnet.com
Fri Jan 2 16:40:20 MST 2009


Good point on TLS. The /etc/ldap.secret is where I had the problem. If 
you put that file on an end user's machine, wouldn't they be able to boot 
into single user mode or sudo and read that file? Doesn't that file 
provide the keys to the kingdom? Once you have full read access to the 
directory, can't you read all the user IDs and hashes and gain access 
to every other system? Sorry if this was already a hackfest activity and 
I missed it.



Craig White wrote:
>
> ----
> SSL support, as far as I know, has always been part of LDAP, but it has
> mostly been deprecated in favor of using TLS. I know that Red Hat
> systems still launch both the ldap and ldaps listeners and if you use
> TLS, you don't use the ldaps connection. This actually makes sense
> because if you 'bind' via encryption, the rest of the data does not need
> to incur the overhead of encryption.
>

> If you intend to use the system for user authentication, you will have
> to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
> password that allows you access. Since you have to be root to read the
> file, I am not certain what your reservations are because if you are
> root, you certainly can do much more than read the LDAP password.
>

> Craig
>

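Below is an added audit helper for the two points raised above (the 0600 root-only secret file, and what the password in it actually unlocks). It is example code written for this thread, not anything Craig or Joe posted; it assumes GNU stat and the nss_ldap/pam_ldap layout discussed here, where `rootbinddn` lives in ldap.conf and its password in ldap.secret, and the DN patterns it flags as "directory manager" are an assumption you should adjust to your own tree.

```shell
# Return 0 if the secret file is mode 0600 or tighter, 1 otherwise.
check_secret_mode() {
    secret="$1"
    mode=$(stat -c '%a' "$secret") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "BAD: $secret mode is $mode, expected 0600"; return 1 ;;
    esac
}

# Return 0 if the secret file is owned by root, 1 otherwise.
check_secret_owner() {
    secret="$1"
    owner=$(stat -c '%U' "$secret") || return 1
    [ "$owner" = root ] && return 0
    echo "BAD: $secret owned by $owner, expected root"
    return 1
}

# The password in ldap.secret belongs to the 'rootbinddn' in ldap.conf.
# If that DN is the directory manager, root on any client workstation
# holds a credential that can read every user's hash, which is the
# "keys to the kingdom" concern above. A read-limited proxy account is
# the usual answer. DN patterns treated as "manager" are an assumption.
check_bind_dn() {
    conf="$1"
    dn=$(sed -n 's/^[[:space:]]*rootbinddn[[:space:]][[:space:]]*//p' "$conf" | head -n 1)
    lower=$(printf '%s' "$dn" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
        "") echo "note: no rootbinddn in $conf, ldap.secret is unused"; return 0 ;;
        cn=manager,*|cn=admin,*|cn=root,*)
            echo "BAD: rootbinddn '$dn' is a directory manager DN"; return 1 ;;
        *) echo "ok: rootbinddn '$dn'"; return 0 ;;
    esac
}

# Run all three checks; exit status is 0 only when every check passed.
audit_ldap_client() {
    conf="${1:-/etc/ldap.conf}"
    secret="${2:-/etc/ldap.secret}"
    rc=0
    check_secret_mode "$secret" || rc=1
    check_secret_owner "$secret" || rc=1
    check_bind_dn "$conf" || rc=1
    return $rc
}
```

Run it as root on a client with `audit_ldap_client`, or point it at copies of the two files to audit a machine offline.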
