On Sat, 2009-01-03 at 02:48 +0000, Lisa Kachold wrote:

> Here's the definitive guide for hammering down LDAP, noting defaults
> for use, etc.
> http://eatingsecurity.blogspot.com/2008/11/openldap-security.html

----

I'd hardly call it a definitive guide to hammering down LDAP when there are only 2 ACLs. I think a better handle for that URL is "some thoughts about securing LDAP".

It makes me absolutely insane that the only way to set the bind password for samba is via a command line 'smbpasswd -w SOME_STINKIN_PASSWORD', so you have to clear history after performing such a command.

For the most part, I have found it useful to allow anonymous binds for virtually everything except self access to userPassword, sambaNTPassword and sambaLMPassword. That way, all shared Address Books and all the various clients such as Postfix, Cyrus-IMAPd, etc. can get what they need without any credentials lying around, and obviously try to require all authentication to happen via encrypted connections... which means that you have to educate users on how to get very stupid client applications like Outlook to accept self-signed certs, which means that I create certificates with long usage times and sort of is just a PITA.

I'm not sure which is worse, devices like an iPhone which just happily accepts just about any cert without much of a fuss, or Firefox 3 which freaks people out when presented a self-signed cert.

Craig

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
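The policy Craig describes (anonymous read on everything, the three password attributes reachable only by the entry itself, and authentication only over an encrypted connection) as an OpenLDAP slapd.conf fragment. This is an added example, not configuration from the thread; the suffix and the Samba admin DN are placeholders.

```conf
# Added example (not from the thread). Assumes suffix dc=example,dc=com
# and a Samba admin DN that smbpasswd -w was run for (placeholder values).

# Refuse simple binds that are not protected by TLS (or an equivalent
# SASL layer) of at least 128-bit strength. Anonymous searches over
# plain ldap:// are still allowed, so Postfix, Cyrus, address books etc.
# keep working without stored credentials.
security simple_bind=128

# ACLs are evaluated top to bottom and the first matching "access to"
# wins, so the password rule must come before the catch-all.
#
# userPassword and the Samba hashes: the entry may change its own, the
# Samba admin DN may write them, anyone may *use* them to authenticate
# (auth only, no read), and nobody else gets anything. The ssf=128
# qualifiers mean even those operations require an encrypted session.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by self ssf=128 write
    by dn.exact="cn=sambaadmin,dc=example,dc=com" ssf=128 write
    by anonymous ssf=128 auth
    by * none

# Everything else: the entry may edit itself, the world may read.
access to *
    by self write
    by dn.exact="cn=sambaadmin,dc=example,dc=com" write
    by * read
```

The rootdn bypasses ACLs entirely, so keep it out of day-to-day client configuration; `slapacl` can be used to confirm that an anonymous session gets `none` on `sambaNTPassword` before the config goes live.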