Sorry Craig, I had to jump in again. smbpasswd -w drives you crazy?

From the Eating Security page, this is what I was talking about earlier:

"Another file with a plain text password is /etc/ldap.secret. This file must contain the rootdn password in plain text, but is again somewhat mitigated with file permissions."

Help me out here. Doesn't that basically mean that the root id and password will be in that file, and all apps that use the directory service can be compromised if that file is compromised? i.e. a vulnerability in the virus scanner, web server, email server, ....

I think there is some really good information on that page and want to explore it further. I would love to have a centralized LDAP server where, if one of the apps were compromised, all the others could remain safe. I totally agree that one would need more than 2 ACLs, but those are hard to write properly and understand the ramifications.

Craig White wrote:
> On Sat, 2009-01-03 at 02:48 +0000, Lisa Kachold wrote:
>
>> Here's the definitive guide for hammering down LDAP, noting defaults
>> for use, etc.
>> http://eatingsecurity.blogspot.com/2008/11/openldap-security.html
>>
> ----
> I'd hardly call it a definitive guide to hammering down LDAP when there
> are only 2 ACLs. I think a better handle for that URL is some thoughts
> about securing LDAP.
>
> It makes me absolutely insane that the only way to set the bind password
> for samba is via a command line 'smbpasswd -w SOME_STINKIN_PASSWORD' so
> you have to clear history after performing such a command.
>
> For the most part, I have found it useful to allow anonymous binds for
> virtually everything except self access to userPassword, sambaNTPassword
> and sambaLMPassword.
>
> That way, all shared Address Books, all the various clients such as
> Postfix, Cyrus-IMAPd, etc. can get what they need without any
> credentials laying around, and obviously try to require all
> authentication to happen via encrypted connections...which means that
> you have to educate users on how to get very stupid client applications
> like Outlook to accept self-signed certs, which means that I create
> certificates with long usage times, and it is sort of just a PITA.
>
> I'm not sure which is worse, devices like an iPhone which just happily
> accepts just about any cert without much of a fuss, or Firefox 3 which
> freaks people out when presented a self-signed cert.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> ---------------------------------------------------
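The ACL layout Craig describes, written out as slapd.conf access directives so the two concerns in this exchange (anonymous read for service clients, and the blast radius of a leaked rootdn password) can be seen side by side. This is an added example, not configuration from the thread or from the Eating Security page; the suffix dc=example,dc=com and the service DN cn=samba,ou=services,dc=example,dc=com are assumed placeholders.

```conf
# Added example, not from the thread. Suffix and service DN are placeholders.
# slapd evaluates "access to" clauses in order and stops at the first one
# whose target matches, so the password clauses must precede the catch-all.

# userPassword: the owner may change it, anyone may present it to bind
# (auth), and nobody, anonymous included, may read the hash back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Samba hashes: the owner may change them; Samba's own bind DN (set with
# 'smbpasswd -w', but a dedicated account, NOT the rootdn) reads them to
# verify SMB logons. Use "write" instead of "read" only if Samba must also
# handle password changes for users.
access to attrs=sambaNTPassword,sambaLMPassword
    by self write
    by dn.exact="cn=samba,ou=services,dc=example,dc=com" read
    by * none

# Everything else (address book entries, mail routing attributes, posixAccount
# data for Postfix, Cyrus-IMAPd and friends) is readable anonymously, so those
# services keep no directory credentials on disk at all.
access to *
    by * read

# The rootdn is exempt from every rule above. That is why /etc/ldap.secret
# matters: a process that can read it has unrestricted access to the whole
# tree. Keep the rootdn out of application configs; each service that must
# bind gets its own DN with only the access listed here, so compromising one
# service does not hand over the others' secrets.
```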