Subject: Re: pullup security/pam-ldap update to 2005Q2?
To: David Stipp <dstipp@coolhack.net>
From: Matthias Drochner <M.Drochner@fz-juelich.de>
List: tech-pkg
Date: 09/08/2005 22:40:40
dstipp@coolhack.net said:
> One of the big problems IMO is the fact that LDAP is a bit harder to
> secure than Kerberos

I don't know much about Kerberos (yet), but it did indeed take
some time to get LDAP over SASL (using digest-md5) to do what I want.

> you can use ACLs and SSL to secure LDAP

Can you comment on SSL vs. SASL for LDAP use? (I don't care about
interoperability with Windows at this point.)
To me, SASL looks more reasonable because it authenticates per-user,
not per-machine.

> LDAP is for public data... Kerberos, well, is not

Agreed, generally. But I haven't seen a weak spot in my setup
forcing SASL authentication for the UserPassword.
I'm quite inexperienced with that stuff...

> kerberos is a pre-req for things like kerberized NFS,
> NFSv4, OpenAFS

Yep -- once you've started with it, using GSSAPI where possible
makes sense. The HOWTO you mentioned looks pretty useful.

best regards
Matthias
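The kind of setup the message above refers to (SASL binds only, with userPassword reachable only through the authentication path and by its owner) can be expressed in OpenLDAP's slapd.conf. The fragment below is an added illustration written for this thread; it is not the poster's configuration and not taken from any HOWTO. The suffix dc=example,dc=com, the ou=people container, the DIGEST-MD5 realm example.com, and the numeric SSF value are assumed placeholders; the directives themselves are the documented ones from slapd.conf(5) and slapd.access(5).

```conf
# Added illustration (not the poster's slapd.conf). Suffix, realm and SSF
# values below are assumed placeholders.

### Weak variant: simple binds are accepted (DN + password travel in the
### clear unless TLS happens to be negotiated) and anyone can read the
### stored password attribute.
# access to attrs=userPassword
#     by * read

### Tightened variant: per-user SASL authentication only.

# Refuse simple (DN + password) binds outright, so every client must
# prove the password through a SASL mechanism such as DIGEST-MD5.
disallow bind_simple

# Require at least an integrity-protected session for every operation
# (SSF 1); raise the value (assumed placeholder) to insist on encryption.
security ssf=1

# Map the DIGEST-MD5 authentication identity onto the user's own entry.
# (In OpenLDAP releases before 2.3 this directive is spelled sasl-regexp.)
authz-regexp
    uid=([^,]*),cn=example.com,cn=digest-md5,cn=auth
    ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# userPassword: the owner may change it, the server may use it to
# authenticate, and nobody may read or search it.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else is public data, but only to authenticated users.
access to *
    by users read
    by * none
```

Two things to check after applying something like this: first, `ldapwhoami -Y DIGEST-MD5` should report the mapped user DN, while a plain `ldapwhoami -x -D ... -w ...` should be refused; second, remember that DIGEST-MD5 needs the server to possess the cleartext password (OpenLDAP reads a cleartext userPassword through its SASL auxprop plugin, or Cyrus SASL falls back to sasldb), so the `by * none` line is what keeps that cleartext value from being read by other directory users.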