Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: David Stipp <firstname.lastname@example.org>
From: Geert Hendrickx <email@example.com>
Date: 09/08/2005 15:53:36
On Thu, Sep 08, 2005 at 08:49:58AM -0500, David Stipp wrote:
> On Thu, Sep 08, 2005 at 12:04:33PM +0200, Geert Hendrickx wrote:
> > Ok then. I was just looking into LDAP authentication and I noticed that
> > the version in 2005Q2 is vulnerable. But anyway, I think I can better go
> > with Kerberos, right?
> I think that Kerberos is probably a better direction to head. One of the
> big problems IMO is the fact that LDAP is a bit harder to secure than
> Kerberos. Yes, you can use ACLs and SSL to secure LDAP, but in the end
> LDAP is for public data... Kerberos, well, is not. :-)
> So, why not use Kerberos for passwords, and LDAP or NIS for NSS
> I found this site really useful/informative:
> ``Replacing NIS with Kerberos and LDAP HOWTO''
> In addition, kerberos is a pre-req for things like kerberized NFS,
> NFSv4, OpenAFS, and other things. Once you have kerberos setup, you can
> setup ssh to allow for authentication via your tickets. Throw in
> mod_auth_kerb and you can get SSO web applications. (That howto goes
> through kerberizing OpenLDAP.) Once you get all your applications
> kerberized, as long as you have a ticket you could SSO everywhere.
Thanks for the link!