****Re: Linux Administration - Users in (any) database howto/why...

Lisa Kachold lisakachold at obnosis.com
Fri Jan 2 16:49:49 MST 2009


slapd is available for gentoo, FedoraCore/Redhat/Centos, SLES/SUSE, Ubuntu/Debian.

While it all uses encryption, many client and server LDAP implementations include various exploits, and on a shared network LDAP (and NIS) are sent in clear text.

Modern TLS is used in OpenLDAP, but can be trivially decrypted with John/Crypt - hence the Layer 3 switch or VLAN exclusion.

It is all very easy to integrate with AD, mail and httpd.

www.Obnosis.com |  http://en.wiktionary.org/wiki/Citations:obnosis |  (503)754-4452
January PLUG HackFest = Kristy Westphal, AZ Department of Economic Security Forensics @ UAT 1/10/09 12-3


> Subject: Re: ****Re: Linux Administration - Users in (any) database	howto/why...
> From: craigwhite at azapple.com
> To: plug-discuss at lists.plug.phoenix.az.us
> Date: Fri, 2 Jan 2009 13:24:20 -0700
> 
> On Fri, 2009-01-02 at 13:09 -0700, Joe wrote:
> > Craig,
> > 
> > Thanks for the info on FreeIPA. It sounds like you have quite a bit of 
> > experience with LDAP. Maybe you can answer some questions.
> > 
> > In the past when I tried to configure LDAP with nsswitch, I remember 
> > that I had to put the Admin credentials in a file in /etc. Also, at the 
> > time ldap did not support ssl ( it was a long time ago :-) )
> > 
> > Can LDAP be used on client systems now where the credentials are secure? 
> > I didn't like the idea of having basically the root password in 
> > cleartext on every system. The same goes for using ldap to authenticate 
> > to an apache server. I would like to try again, but last time I spent 
> > weeks on getting it configured and found it easy to basically own the 
> > ldap server.
> ----
> ssl support as far as I know, has always been part of LDAP but it has
> mostly been deprecated in favor of using TLS. I know that Red Hat
> systems still launch both the ldap and ldaps listeners and if you use
> TLS, you don't use the ldaps connection. This actually makes sense
> because if you 'bind' via encryption, the rest of the data does not need
> to incur the overhead of encryption.
> 
> If you intend to use the system for user authentication, you will have
> to create /etc/ldap.secret, chmod it to 0600 and embed a suitable
> password that allows you access. Since you have to be root to read the
> file, I am not certain what your reservations are because if you are
> root, you certainly can do much more than read the LDAP password.
> 
> Craig
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

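The client-side layout Craig describes above (StartTLS on the standard port, rootbinddn with its password kept in /etc/ldap.secret at mode 0600), as an added shell example that is not from the thread or from any of the posters: an audit function over nss_ldap/pam_ldap-style files, run against two constructed configurations. The keywords checked (ssl, tls_checkpeer, rootbinddn, bindpw) are nss_ldap's own; the host name, DNs, certificate path and password are made up for illustration. One caveat worth adding to the exchange: nothing requires the DN in rootbinddn to be the directory manager. A low-privilege proxy account that can read only the attributes nsswitch needs keeps a stolen ldap.secret from being "basically the root password" of the directory, which is the worry Joe raised.

```shell
#!/bin/sh
# Audit the nss_ldap/pam_ldap client layout from the thread: /etc/ldap.conf plus a
# root-only /etc/ldap.secret holding the rootbinddn password. Paths are parameters so
# the check can run against constructed sample files instead of a live host.

# conf_value FILE KEYWORD: print the first value for KEYWORD (case-insensitive) from an
# ldap.conf-style "keyword value" file; prints nothing when the keyword is absent.
conf_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_ldap_client CONF SECRET [OWNER]
# Prints one line per finding; returns 0 when the configuration passes, 1 otherwise.
# OWNER defaults to root (the real-world requirement); it is a parameter only so the
# demo below can create the secret file without running as root.
audit_ldap_client() {
    conf=$1; secret=$2; owner=${3:-root}; rc=0

    # 1. Transport. nss_ldap accepts "ssl start_tls" (StartTLS on 389, what Craig
    #    describes) or "ssl on" (ldaps on 636); anything else sends binds and lookups in clear.
    ssl=$(conf_value "$conf" ssl)
    case "$ssl" in
        start_tls|on) ;;
        *) echo "FAIL: ssl is '${ssl:-unset}'; bind password and lookups cross the wire in clear text"; rc=1 ;;
    esac

    # 2. Peer verification. Encryption alone does not help if the client hands its
    #    bind password to any server that presents a certificate.
    if [ "$(conf_value "$conf" tls_checkpeer)" != "yes" ]; then
        echo "FAIL: tls_checkpeer is not 'yes'; the server certificate is never verified"; rc=1
    fi

    # 3. Privileged bind. With rootbinddn set, root reads the password from SECRET, so the
    #    file must exist and be readable by that owner only (0600).
    if [ -n "$(conf_value "$conf" rootbinddn)" ]; then
        if [ ! -f "$secret" ]; then
            echo "FAIL: rootbinddn is set but $secret does not exist"; rc=1
        elif [ -z "$(find "$secret" -maxdepth 0 -perm 0600 -user "$owner" 2>/dev/null)" ]; then
            echo "FAIL: $secret must be mode 0600 and owned by $owner"; rc=1
        fi
    fi

    # 4. A bindpw line in the world-readable ldap.conf puts the secret back where every
    #    local user can read it.
    if [ -n "$(conf_value "$conf" bindpw)" ]; then
        echo "FAIL: bindpw is stored in $conf; move it to $secret"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: $conf passes"; fi
    return "$rc"
}

# demo_audit: constructed weak and hardened configurations in a temporary directory.
# The example host, DNs, certificate path and password are made up for illustration.
demo_audit() {
    d=$(mktemp -d) || return 1
    me=$(id -un)    # stands in for root because the demo does not run as root

    # Weak: no TLS, password embedded in the public file, secret file world-readable.
    printf '%s\n' 'host ldap.example.com' 'base dc=example,dc=com' \
        'rootbinddn cn=Manager,dc=example,dc=com' 'bindpw example-password' > "$d/weak.conf"
    printf '%s\n' 'example-password' > "$d/weak.secret"
    chmod 644 "$d/weak.secret"

    # Hardened: StartTLS with certificate checking, a low-privilege proxy DN instead of the
    # directory manager, and the password only in a 0600 secret file.
    printf '%s\n' 'host ldap.example.com' 'base dc=example,dc=com' \
        'rootbinddn cn=nss-proxy,ou=services,dc=example,dc=com' \
        'ssl start_tls' 'tls_checkpeer yes' 'tls_cacertfile /etc/openldap/cacerts/ca.crt' > "$d/good.conf"
    printf '%s\n' 'example-password' > "$d/good.secret"
    chmod 600 "$d/good.secret"

    audit_ldap_client "$d/weak.conf" "$d/weak.secret" "$me" || true
    audit_ldap_client "$d/good.conf" "$d/good.secret" "$me" || true
    rm -rf "$d"
}

demo_audit
```

On a real host the call is `audit_ldap_client /etc/ldap.conf /etc/ldap.secret` with the owner left at its default of root. The weak configuration above produces four FAIL lines (no ssl, no tls_checkpeer, a 0644 secret, and a bindpw in the public file); the hardened one prints a single OK line.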