Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: Geert Hendrickx <firstname.lastname@example.org>
From: David Stipp <email@example.com>
Date: 09/08/2005 08:49:58
On Thu, Sep 08, 2005 at 12:04:33PM +0200, Geert Hendrickx wrote:
> Ok then. I was just looking into LDAP authentication and I noticed that
> the version in 2005Q2 is vulnerable. But anyway, I think I can better go
> with Kerberos, right?
I think that Kerberos is probably a better direction to head. One of the
big problems IMO is the fact that LDAP is a bit harder to secure than
Kerberos. Yes, you can use ACLs and SSL to secure LDAP, but in the end
LDAP is for public data... Kerberos, well, is not. :-)
So, why not use Kerberos for passwords, and LDAP or NIS for NSS?
I found this site really useful/informative:
"Replacing NIS with Kerberos and LDAP HOWTO"
In addition, Kerberos is a pre-req for things like kerberized NFS,
NFSv4, OpenAFS, and other things. Once you have Kerberos set up, you can
set up ssh to allow for authentication via your tickets. Throw in
mod_auth_kerb and you can get SSO web applications. (That HOWTO goes
through kerberizing OpenLDAP.) Once you get all your applications
kerberized, as long as you have a ticket you could SSO everywhere.
David Stipp <firstname.lastname@example.org>
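The split described in the mail (Kerberos verifies passwords, LDAP only serves NSS data, tickets give SSO for ssh and Apache) as added configuration fragments; this is not from the thread or the HOWTO it cites. It assumes pam_krb5, nss_ldap and mod_auth_kerb are installed, and the realm EXAMPLE.ORG, hostnames, base DN and keytab path are placeholders.

```conf
# Added example: Kerberos for authentication, LDAP for NSS, ticket SSO.
# Realm, hosts, base DN and paths are placeholders, not from the original mail.

# --- /etc/nsswitch.conf: identity data (uid, gid, home, shell) from LDAP,
# never passwords; local files first so root still resolves if LDAP is down.
passwd: files ldap
group:  files ldap
shadow: files          # no password hashes are published through NSS

# --- /etc/ldap.conf (nss_ldap): anonymous, read-only lookups over TLS.
uri      ldaps://ldap.example.org/
base     dc=example,dc=org
ssl      on
tls_cacertfile /etc/ssl/certs/example-ca.pem

# --- /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.ORG
    forwardable = true      # lets ssh forward a TGT for onward SSO
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
        admin_server = kdc.example.org
    }

# --- /etc/pam.d/sshd: the password is only ever checked by the KDC
auth      required  pam_krb5.so
account   required  pam_krb5.so
session   optional  pam_krb5.so

# --- /etc/ssh/sshd_config: accept an existing ticket instead of a password
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PasswordAuthentication no   # once every user has a principal

# --- Apache: mod_auth_kerb, Negotiate only (no password fallback over HTTP)
<Location /intranet>
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbAuthRealms EXAMPLE.ORG
    KrbServiceName HTTP
    Krb5Keytab /etc/apache2/http.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    Require valid-user
</Location>
```

With this layout the LDAP server holds nothing secret, so the ACL and TLS work the mail mentions protects integrity of account data rather than password confidentiality.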