Re: [nssldap] nss_ldap, tls_key, and nscd
- From: Howard Chu <hyc [at] highlandsun.com>
- To: Chris Adams <cmadams [at] hiwaay.net>, nssldap [at] padl.com
- Subject: Re: [nssldap] nss_ldap, tls_key, and nscd
- Date: Wed, 19 Aug 2009 13:54:49 -0700
Chris Adams wrote:
> Once upon a time, Howard Chu <hyc@highlandsun.com> said:
>> Chris Adams wrote:
>>> Is there any way around this?
>> Not using nss_ldap. Use nss-ldapd or OpenLDAP's nssov instead.
> Hmm. Well, my servers are RHEL 5 (and some still RHEL 4), so I need to
> try to use nss_ldap if at all possible.
Why? Those other packages will also work perfectly well on RHEL.
> I guess lots of other people are using nss_ldap; how do you control
> access to the LDAP server(s)? Just using IP-based filters (host
> firewalls, router ACLs, etc.)?
You're asking the wrong question. The point of using a distributed directory
is to make information widely accessible. As such, if you don't want
information to be accessible, it probably doesn't belong in a directory in the
first place.
As for information used by nss-ldap - Guillaume asked a good question - what
information are you exposing here that needs to be protected? Usernames and id
numbers are public information already. User passwords should never be exposed
via nss-ldap; there is no legitimate use for that. Authentication (and
authorization) should be performed at the server. I.e., use pam_ldap and
configure it to Bind to LDAP in order to handle authentication.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
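One way to enforce the point made above at the server, so that nss_ldap can resolve accounts but password hashes are never readable and authentication happens only through a bind: an added slapd.conf access-control example, not from the thread or from OpenLDAP's own distribution. The suffix and the order of the two rules are assumptions; adjust to the local directory.

```conf
# Added example (not from the thread): server-side ACLs for an OpenLDAP
# database serving NSS data, written in slapd.conf syntax.
# Assumes the directory suffix dc=example,dc=com.

# Weak setting (what Howard warns against): hashes readable by any
# client that can query NSS data, so every nss_ldap host holds them.
#   access to *
#       by * read

# Corrected setting: the first matching rule wins, so put the
# password rule before the catch-all.
access to attrs=userPassword
    # the account owner may change its own password
    by self write
    # anonymous clients may use the attribute to bind (auth), not read it;
    # this is what lets pam_ldap authenticate with a simple bind
    by anonymous auth
    # everyone else, including the identity nss_ldap binds as, gets nothing
    by * none

# Usernames, uid/gid numbers, home directories, shells: public per the
# thread, so plain read access is fine for NSS lookups.
access to *
    by * read
```

With this in place a client can still verify a password (a bind against the entry either succeeds or fails) but cannot retrieve the hash, so an nss_ldap host that is compromised does not yield the password store.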