Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: Geert Hendrickx <>
From: David Stipp <>
List: tech-pkg
Date: 09/08/2005 08:49:58
On Thu, Sep 08, 2005 at 12:04:33PM +0200, Geert Hendrickx wrote:
> Ok then.  I was just looking into LDAP authentication and I noticed that
> the version in 2005Q2 is vulnerable.  But anyway, I think I can better go
> with Kerberos, right?  

I think that Kerberos is probably a better direction to head. One of the
big problems IMO is the fact that LDAP is a bit harder to secure than
Kerberos. Yes, you can use ACLs and SSL to secure LDAP, but in the end
LDAP is for public data... Kerberos, well, is not. :-)

So, why not use Kerberos for passwords, and LDAP or NIS for NSS

I found this site really useful/informative:
``Replacing NIS with Kerberos and LDAP HOWTO''

In addition, kerberos is a pre-req for things like kerberized NFS,
NFSv4, OpenAFS, and other things. Once you have kerberos setup, you can
setup ssh to allow for authentication via your tickets. Throw in
mod_auth_kerb and you can get SSO web applications. (That howto goes
through kerberizing OpenLDAP.) Once you get all your applications
kerberized, as long as you have a ticket you could SSO everywhere.


David Stipp <>