sldap is available for gentoo, FedoraCore/Redhat/Centos, SLES/SUSE, Ubuntu/Debian. While it all uses encryption, many client and server LDAP implementations include various exploits, and on a shared network LDAP (and NIS) are sent clear text. Modern TLS is used in OpenLDAP, but can be trivially decrypted with John/Crypt - hence the Layer 3 switch or VLAN exclusion. It is all very easy to integrate with AD, mail and httpd.

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3

> Subject: Re: ****Re: Linux Administration - Users in (any) database howto/why...
> From: craigwhite@azapple.com
> To: plug-discuss@lists.plug.phoenix.az.us
> Date: Fri, 2 Jan 2009 13:24:20 -0700
>
> On Fri, 2009-01-02 at 13:09 -0700, Joe wrote:
> > Craig,
> >
> > Thanks for the info on FreeIPA. It sounds like you have quite a bit of
> > experience with LDAP. Maybe you can answer some questions.
> >
> > In the past when I tried to configure LDAP with nsswitch, I remember
> > that I had to put the Admin credentials in a file in /etc. Also, at the
> > time ldap did not support ssl (it was a long time ago :-) ).
> >
> > Can LDAP be used on client systems now where the credentials are secure?
> > I didn't like the idea of having basically the root password in
> > cleartext on every system. The same goes for using ldap to authenticate
> > to an apache server. I would like to try again, but last time I spent
> > weeks on getting it configured and found it easy to basically own the
> > ldap server.
> ----
> ssl support, as far as I know, has always been part of LDAP but it has
> mostly been deprecated in favor of using TLS. I know that Red Hat
> systems still launch both the ldap and ldaps listeners and if you use
> TLS, you don't use the ldaps connection. This actually makes sense
> because if you 'bind' via encryption, the rest of the data does not need
> to incur the overhead of encryption.
>
> If you intend to use the system for user authentication, you will have
> to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
> password that allows you access. Since you have to be root to read the
> file, I am not certain what your reservations are because if you are
> root, you certainly can do much more than read the LDAP password.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
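The client-side setup Craig describes in the quoted message (TLS to the directory, the rootbinddn password kept in a root-only /etc/ldap.secret rather than in the world-readable ldap.conf) can be checked mechanically. The script below is an added example, not code from the thread or from any of the listed distributions; it assumes the PADL nss_ldap/pam_ldap keywords (uri, ssl start_tls, tls_checkpeer, tls_cacertfile, binddn/bindpw, rootbinddn) and writes two constructed sample configurations, one weak and one hardened, with constructed placeholder passwords, so that it runs offline as an unprivileged user.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread): audit a PADL-style
# nss_ldap/pam_ldap client configuration for the points raised above.
# The rootbinddn password lives in a separate file (normally /etc/ldap.secret)
# that only root may read; ldap.conf itself is world-readable.

# check_ldap_client CONF SECRET -> returns 0 if clean, 1 with findings on stderr
check_ldap_client() {
    conf="$1"
    secret="$2"
    rc=0

    # 1. Transport: an ldaps:// URI or 'ssl start_tls'. Otherwise the simple
    #    bind (password included) and every lookup cross the wire in clear.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+start_tls' "$conf" \
       || grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$conf"; then
        :
    else
        echo "$conf: neither 'ssl start_tls' nor an ldaps:// uri; binds are clear text" >&2
        rc=1
    fi

    # 2. Peer verification: without it TLS stops passive sniffing but not a
    #    host on the same segment answering with whatever certificate it likes.
    if ! grep -Eq '^[[:space:]]*tls_checkpeer[[:space:]]+yes' "$conf"; then
        echo "$conf: tls_checkpeer is not 'yes'; server certificate is not verified" >&2
        rc=1
    fi

    # 3. A bindpw in ldap.conf is readable by every local user. Privileged
    #    binds belong under rootbinddn with the password in the secret file.
    if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf"; then
        echo "$conf: bindpw stored in world-readable config" >&2
        rc=1
    fi

    # 4. Secret file for rootbinddn: must exist and carry no group/other bits
    #    (0600 or 0400). In production it must also be owned by root; that is
    #    deliberately not checked so the samples below run as a normal user.
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
        if [ ! -f "$secret" ]; then
            echo "$secret: rootbinddn set but secret file is missing" >&2
            rc=1
        else
            mode=$(stat -c '%a' "$secret" 2>/dev/null || stat -f '%Lp' "$secret")
            case "$mode" in
                *00) : ;;
                *) echo "$secret: mode $mode; expected 0600" >&2; rc=1 ;;
            esac
        fi
    fi
    return $rc
}

# write_sample_configs DIR: constructed sample files (weak and hardened) with
# placeholder passwords; nothing here is a real credential or a real host.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
host ldap.example.com
base dc=example,dc=com
ssl no
binddn cn=Manager,dc=example,dc=com
bindpw manager-password
rootbinddn cn=Manager,dc=example,dc=com
EOF
    cat > "$dir/hardened.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.pem
rootbinddn cn=Manager,dc=example,dc=com
EOF
    printf 'manager-password\n' > "$dir/ldap.secret"
    chmod 0600 "$dir/ldap.secret"
    printf 'manager-password\n' > "$dir/ldap.secret.loose"
    chmod 0644 "$dir/ldap.secret.loose"
}

# Usage on a real client: sh ldapcheck.sh /etc/ldap.conf /etc/ldap.secret
if [ $# -ge 1 ]; then
    check_ldap_client "$1" "${2:-/etc/ldap.secret}"
    exit $?
fi
```

The hardened sample passes; the weak one fails on all four points, and the hardened config paired with the 0644 copy of the secret file fails on the permission check alone, which is the case Craig's "chmod it to 0600" is guarding against.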