RE: ****Re: ****Re: Linux Administration - Users in (any) da…

Author: Lisa Kachold
Date:  
To: plug-discuss
Subject: RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

Good points, Craig. I can see you are a true "administrator" where you think in systemic terms and context is everything.
Black-and-white (good/bad) simplistic and linear thinking is not the moniker of the seasoned administrator.

LDAP is a good, well developed and heavily implemented tool. It's not too complex, nor overkill, it's just foreign and unfamiliar if you are used to a simple database for LTS or kerberos passwords. [Beware if you see yourself or others devolve to bad/good thinking after going past something they don't understand or when confronted with a simple complex yet unfamiliar technology. We each learn to troubleshoot through our own ego defenses - such thinking is a defense that must be treated in context.] LDAP is simple (and secure) when implemented well, especially when changing passwords on diverse systems is required for PCI compliance every two months!

I also prefer to use a well supported solution:
1) LTS uses postgresql
2) LDAP is available for this LTS postgresql solution.

Here's the definitive guide for hammering down LDAP, noting defaults for use, etc.

http://eatingsecurity.blogspot.com/2008/11/openldap-security.html

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3PM

> Subject: Re: ****Re: ****Re: Linux Administration - Users in (any) database    howto/why...
> From: 
> To: 
> Date: Fri, 2 Jan 2009 17:29:06 -0700

>
> On Fri, 2009-01-02 at 16:40 -0700, Joe wrote:
> > Good point on TLS. The /etc/ldap.secret is where I had the problem. If
> > you put that file on an end user's machine, wouldn't they be able to boot
> > into single user mode or sudo and read that file? Doesn't that file
> > provide the keys to the kingdom? Once you have full read access to the
> > directory, can't you read all the user id's and hashes and gain access
> > to every other system? Sorry if this was already a hackfest activity and
> > I missed it.
> ----
> sure...but if you can boot into runlevel 1, you simply make a user copy
> of /etc/shadow and run a password cracker on that - should be trivial
> enough to get root password from that too.
>
> Awful easy to boot Windows with CD that resets local Administrator
> password too.
>
> Basically, a computer is an insecure device unless locked in a closet
> where no hands can touch and no network to access it.
>
> Craig
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
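The two problems the thread turns on (a pam_ldap client binding without TLS, and a rootbinddn password sitting in /etc/ldap.secret where any local root or single-user-mode boot can read it) are easy to audit on a client. The script below is an added example written for this page, not code from the thread or from the linked OpenLDAP guide. It takes the config and secret paths as parameters so it can run against constructed samples; it assumes GNU `stat -c`, the classic pam_ldap/nss_ldap /etc/ldap.conf keywords (`ssl start_tls`, `tls_checkpeer`, `rootbinddn`), and the sample hostname ldap.example.com, which is made up.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a pam_ldap/nss_ldap
# client (the /etc/ldap.conf + /etc/ldap.secret pair discussed above) for
# binding without TLS and for a rootbinddn secret that other local users
# can read. Paths are parameters so the checks run against constructed
# samples; GNU coreutils `stat -c` is assumed.

# 0 if the client encrypts the bind: 'ssl start_tls', 'ssl on', or an ldaps:// URI.
ldap_conf_uses_tls() {
    grep -Eiq '^[[:space:]]*ssl[[:space:]]+(start_tls|on)[[:space:]]*$' "$1" && return 0
    grep -Eiq '^[[:space:]]*uri[[:space:]]+ldaps://' "$1" && return 0
    return 1
}

# 0 if the client configures a rootbinddn; pam_ldap then reads that DN's
# password from the secret file (/etc/ldap.secret by default).
ldap_conf_has_rootbinddn() {
    grep -Eiq '^[[:space:]]*rootbinddn[[:space:]]+' "$1"
}

# 0 if the secret file exists and has no group/other permission bits at all.
secret_file_is_private() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints one FINDING line per problem; exit status is the number of findings
# (0 means clean). Root ownership of the secret is reported as a WARNING
# but not counted, because a non-root user (e.g. a test run) cannot fix it.
# Usage: audit_ldap_client CONF SECRET
audit_ldap_client() {
    conf="$1"; secret="$2"; findings=0
    if ! ldap_conf_uses_tls "$conf"; then
        echo "FINDING: $conf binds without TLS; passwords cross the wire in clear text"
        findings=$((findings + 1))
    fi
    if ldap_conf_has_rootbinddn "$conf"; then
        if ! secret_file_is_private "$secret"; then
            echo "FINDING: $conf uses rootbinddn but $secret is missing or readable by group/other"
            findings=$((findings + 1))
        fi
        if [ -f "$secret" ] && [ "$(stat -c '%u' "$secret")" != 0 ]; then
            echo "WARNING: $secret is not owned by root"
        fi
    fi
    return "$findings"
}

# Constructed samples (hostname and DNs are made up): a weak client config
# beside a hardened one that drops rootbinddn entirely, so no shared secret
# lives on the workstation for a single-user boot to pick up.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

cat > "$demo/weak.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
rootbinddn cn=admin,dc=example,dc=com
EOF
printf 'not-a-real-password\n' > "$demo/weak.secret"
chmod 644 "$demo/weak.secret"

cat > "$demo/hardened.conf" <<'EOF'
uri ldap://ldap.example.com/
base dc=example,dc=com
ssl start_tls
tls_checkpeer yes
EOF

weak=0; audit_ldap_client "$demo/weak.conf" "$demo/weak.secret" || weak=$?
echo "weak client: $weak finding(s)"
hard=0; audit_ldap_client "$demo/hardened.conf" "$demo/hardened.secret" || hard=$?
echo "hardened client: $hard finding(s)"
```

Run it as-is to see the weak sample produce two findings and the hardened sample none; point `audit_ldap_client` at the real /etc/ldap.conf and /etc/ldap.secret to check a deployed workstation. The audit deliberately treats "no rootbinddn at all" as the clean state: if password changes can go through the user's own authenticated bind, there is no privileged credential on the client for Joe's single-user-mode scenario to recover.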