Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: David Stipp <email@example.com>
From: Matthias Drochner <M.Drochner@fz-juelich.de>
Date: 09/08/2005 22:40:40
> One of the big problems IMO is the fact that LDAP is a bit harder to
> secure than Kerberos
I don't know much about Kerberos (yet), but it indeed took
some time to get LDAP over SASL (using digest-md5) to do what I want.
> you can use ACLs and SSL to secure LDAP
Can you comment on SSL vs. SASL for LDAP use? (I don't care about
interoperability with Windows at this point.)
To me, SASL looks more reasonable because it authenticates per-user,
> LDAP is for public data... Kerberos, well, is not
Agreed, generally. But I haven't seen a weak spot in my setup
forcing SASL authentication for the UserPassword.
I'm quite inexperienced with that stuff...
> kerberos is a pre-req for things like kerberized NFS,
> NFSv4, OpenAFS
Yep -- once started with it, using GSSAPI where possible
makes sense. The HOWTO you mentioned looks pretty useful.
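For readers wondering what "forcing SASL authentication for the UserPassword" looks like in practice, here is an OpenLDAP slapd.conf fragment added as an illustration. It is not the poster's configuration and is not part of the original message; it assumes a stock slapd with the Cyrus SASL DIGEST-MD5 mechanism available, and the suffix, rootdn and database directives are assumed to be defined elsewhere in the file.

```conf
# slapd.conf fragment (constructed example, not the poster's setup)

# Refuse anonymous and simple binds outright, so the only way a
# client can authenticate is a SASL bind (e.g. DIGEST-MD5).
disallow bind_anon bind_simple

# Reject every operation that is not preceded by a SASL bind.
# ("require strong" would also admit a TLS-protected simple bind;
#  "require SASL" does not.)
require SASL

# The password attribute is never readable by any client; the user
# may change their own.  Note that DIGEST-MD5 needs the cleartext
# secret on the server side, so userPassword for these accounts
# must be stored unhashed (no {SSHA} etc.).
access to attrs=userPassword
    by self write
    by * none

# Everything else: readable only by an authenticated (SASL) identity.
access to *
    by users read
    by * none
```

A quick check from a client is an `ldapsearch -Y DIGEST-MD5 ...` against the server; a plain `ldapsearch -x` (simple bind) or an anonymous search should now be refused rather than merely returning nothing. The caveat a practitioner will want: DIGEST-MD5 on its own only authenticates; unless a SASL security layer or TLS is negotiated, the rest of the session still travels in the clear, which is the trade-off behind the SSL-vs-SASL question above.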