RE: ****Re: Linux Administration - Users in (any) database h…

Author: Lisa Kachold
Date:  
To: plug-discuss
Subject: RE: ****Re: Linux Administration - Users in (any) database howto/why...

sldap is available for Gentoo, FedoraCore/Redhat/CentOS, SLES/SUSE, Ubuntu/Debian.

While it all uses encryption, many client and server LDAP implementations include various exploits, and on a shared network LDAP (and NIS) are sent clear text.

Modern TLS is used in OpenLDAP, but can be trivially decrypted with John/Crypt - hence the Layer 3 switch or VLAN exclusion.

It is all very easy to integrate with AD, mail and httpd.

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3


> Subject: Re: ****Re: Linux Administration - Users in (any) database howto/why...
> From: 
> To: 
> Date: Fri, 2 Jan 2009 13:24:20 -0700

>
> On Fri, 2009-01-02 at 13:09 -0700, Joe wrote:
> > Craig,
> >
> > Thanks for the info on FreeIPA. It sounds like you have quite a bit of
> > experience with LDAP. Maybe you can answer some questions.
> >
> > In the past when I tried to configure LDAP with nsswitch, I remember
> > that I had to put the Admin credentials in a file in /etc. Also, at the
> > time ldap did not support ssl ( it was a long time ago :-) )
> >
> > Can LDAP be used on client systems now where the credentials are secure?
> > I didn't like the idea of having basically the root password in
> > cleartext on every system. The same goes for using ldap to authenticate
> > to an apache server. I would like to try again, but last time I spent
> > weeks on getting it configured and found it easy to basically own the
> > ldap server.
> ----
> SSL support, as far as I know, has always been part of LDAP but it has
> mostly been deprecated in favor of using TLS. I know that Red Hat
> systems still launch both the ldap and ldaps listeners and if you use
> TLS, you don't use the ldaps connection. This actually makes sense
> because if you 'bind' via encryption, the rest of the data does not need
> to incur the overhead of encryption.
>
> If you intend to use the system for user authentication, you will have
> to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
> password that allows you access. Since you have to be root to read the
> file, I am not certain what your reservations are because if you are
> root, you certainly can do much more than read the LDAP password.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
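Craig's notes above (a root-readable /etc/ldap.secret at mode 0600, and TLS rather than plaintext LDAP) are exactly what an administrator would want to verify on every client. The script below is an added example, not code from the thread; the paths, the nss_ldap/pam_ldap keys it looks for (`ssl start_tls`, `ssl on`, `uri ldaps://`) and the expected owner `root` are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the thread): checks the client-side LDAP secret
# file and the ldap.conf transport. Paths and key names are assumptions based
# on nss_ldap/pam_ldap conventions.

# check_ldap_secret FILE [OWNER]
# Prints each problem found; returns 0 only when the file is a non-empty
# regular file, mode exactly 0600, owned by OWNER (default root).
check_ldap_secret() {
    file=$1; want_owner=${2:-root}; rc=0
    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file"; return 1
    fi
    # ls -ld is portable across GNU/BSD; cut keeps only the 10 mode characters
    # (drops a trailing SELinux '.' or ACL '+'), awk field 3 is the owner.
    mode=$(ls -ld "$file" | cut -c1-10)
    owner=$(ls -ld "$file" | awk '{print $3}')
    if [ "$mode" != "-rw-------" ]; then
        echo "$file: mode $mode, expected -rw------- (0600)"; rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owned by $owner, expected $want_owner"; rc=1
    fi
    if [ ! -s "$file" ]; then
        echo "$file: empty, no bind password present"; rc=1
    fi
    return $rc
}

# check_ldap_conf FILE
# Returns 0 when the client will encrypt: START TLS / ssl on is enabled, or
# every uri is ldaps://. A bare ldap:// uri without START TLS is plaintext.
check_ldap_conf() {
    conf=$1
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on|yes)' "$conf"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*uri[[:space:]]+ldaps://' "$conf" \
       && ! grep -Eq '^[[:space:]]*uri[[:space:]].*ldap://' "$conf"; then
        return 0
    fi
    echo "$conf: plaintext LDAP transport (no ssl start_tls/on and no ldaps:// uri)"
    return 1
}

# Usage: sh audit.sh /etc/ldap.secret /etc/ldap.conf  (exit status 0 = clean)
if [ $# -eq 2 ]; then
    check_ldap_secret "$1" root; s=$?
    check_ldap_conf "$2"; c=$?
    exit $((s + c))
fi
```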

