
Re: Using nss-pam-ldapd in a large environment, Part 2: Denial of Service due to open connections


On Sun, 19 Jul 2015 18:28:57 +0200,
Arthur de Jong <arthur@arthurdejong.org> wrote:

> > What kind of operations need root? That would be nice to know.
> 
> There are currently only two places:
> 
> - shadow and passwd results will only include the password hash if the
>   caller is root and the userPassword is explicitly mapped
> - the rootpwmodpw option is only used when the caller is root

Fair enough. So, in our setup, it should be fine to run socat as
non-root, as we do not deal with passwords from LDAP at all (just ID
and group lookup).

> Apparently it is possible to tune slapd to be pretty lean and just do
> caching.

Yes, I presume so. For now, I simply activated nscd with small lifetime
for name/groups only on the client nodes (for network addresses, it
proved to be rather annoying instead of useful in the past). I actually
tried to configure a central nscd and have it forwarded via socat, but
that just creates a fork bomb on the client (at some idle hour, I might
figure out why).

For proper centralized caching, slapd would be it. Although the idea of
having the database-agnostic caching of nscd looked rather UNIX-y to me …

> nslcd.conf has a nss_initgroups_ignoreusers as well as nss_min_uid
> which may be helpful in your situation.

Yes, thanks. I discovered nss_min_uid in the meantime. It is indeed
there if you look for it in the man page ;-)


Alrighty then,

Thomas

-- 
Dr. Thomas Orgis
Universität Hamburg
RRZ / Zentrale Dienste / HPC
Schlüterstr. 70
20146 Hamburg
Tel.: 040/42838 8826
Fax: 040/428 38 6270
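A small helper, added here and not part of the thread or of nss-pam-ldapd itself, that derives the two nslcd.conf directives Arthur mentions from a client's local account list: every local account below nss_min_uid is also listed in nss_initgroups_ignoreusers, so neither its user nor its group lookups ever reach the LDAP server. The /etc/passwd content and the 1000 threshold are constructed sample values.

```python
# Constructed sample of a client's /etc/passwd (not taken from the thread).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc-backup:x:998:998:backup service:/var/lib/backup:/usr/sbin/nologin
thomas:x:10042:10042:Thomas:/home/thomas:/bin/bash
"""


def local_users_below(min_uid, passwd_text):
    """Return the names of local accounts whose UID is below min_uid.

    nslcd will not answer lookups for UIDs below nss_min_uid, so these
    accounts are the ones whose initgroups() calls (e.g. a service account
    starting a cron job) should also be kept off LDAP by listing them in
    nss_initgroups_ignoreusers.
    """
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed passwd line: skip rather than guess
        name, uid = fields[0], fields[2]
        if uid.isdigit() and int(uid) < min_uid:
            names.append(name)
    return names


def nslcd_conf_lines(min_uid, passwd_text):
    """Render the two nslcd.conf directives discussed in the thread.

    Note that a local account with a high UID (such as "nobody" above) is
    not caught by the threshold and would still be forwarded to LDAP;
    add such accounts to the list by hand if they generate lookups.
    """
    ignored = local_users_below(min_uid, passwd_text)
    lines = ["nss_min_uid %d" % min_uid]
    if ignored:
        lines.append("nss_initgroups_ignoreusers " + ",".join(ignored))
    return lines


if __name__ == "__main__":
    print("\n".join(nslcd_conf_lines(1000, SAMPLE_PASSWD)))
```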
