Re: [nssldap] nss_ldap, tls_key, and nscd

Once upon a time, Howard Chu <hyc@highlandsun.com> said:
> Chris Adams wrote:
> >Once upon a time, Howard Chu <hyc@highlandsun.com> said:
> >>Chris Adams wrote:
> >>>Is there any way around this?
> >>
> >>Not using nss_ldap. Use nss-ldapd or OpenLDAP's nssov instead.
> 
> >Hmm.  Well, my servers are RHEL 5 (and some still RHEL 4), so I need to
> >try to use nss_ldap if at all possible.
> 
> Why? Those other packages will also work perfectly well on RHEL.

nss_ldap is _included_ in RHEL, so Red Hat packages it, maintains it,
tracks security and bug issues, etc.

> >I guess lots of other people are using nss_ldap; how do you control
> >access to the LDAP server(s)?  Just using IP-based filters (host
> >firewalls, router ACLs, etc.)?
> 
> You're asking the wrong question. The point of using a distributed 
> directory is to make information widely accessible. As such, if you don't 
> want information to be accessible, it probably doesn't belong in a 
> directory in the first place.
> 
> As for information used by nss-ldap - Guillaume asked a good question - 
> what information are you exposing here that needs to be protected? 
> Usernames and id numbers are public information already.

Currently, they are only "public" to the limited number of people that
can access the systems.  These are systems that are providing various
Internet services; they aren't behind any firewalls or such.  Right now,
the Internet can't tell the valid users from the invalid (which is one
level of security).  If the directory services are feeding users,
groups, and IDs to the Internet, that's a lot of information that is not
otherwise public.

-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
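One concrete way to answer the "how do you control access to the LDAP server(s)?" question on the server side rather than with IP filters is a slapd ACL that refuses anonymous reads of account and group data. The fragment below is an added example for this thread, not configuration posted by any of the participants; it assumes a slapd.conf-style OpenLDAP server, a dedicated service account (the placeholder cn=nss,ou=Services,dc=example,dc=com) that nss_ldap binds as via binddn/bindpw, and the placeholder suffix dc=example,dc=com.

```conf
# Added example (not from this thread): slapd.conf ACLs that stop anonymous
# clients from enumerating accounts, while the service DN that nss_ldap
# binds as can still read them. All DNs below are placeholders.

# Refuse binds and searches that are not protected by TLS (or an
# equivalently strong transport); this is where the client-side
# tls_* settings in /etc/ldap.conf come in.
security ssf=128

# Passwords: the owner may change them, anyone may use them to bind,
# nobody may read them.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Account data: readable by the NSS service account and by
# authenticated users only; anonymous clients get nothing.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=nss,ou=Services,dc=example,dc=com" read
        by users read
        by * none

# Group data: same policy.
access to dn.subtree="ou=Groups,dc=example,dc=com"
        by dn.exact="cn=nss,ou=Services,dc=example,dc=com" read
        by users read
        by * none

# Everything else is closed by default.
access to *
        by * none
```

With this in place an unauthenticated client on the Internet cannot list users, groups, or IDs, which addresses the concern raised above about the directory feeding that information to the world. It does not change Howard's point: anyone holding a valid bind (including the NSS service account, whose credentials live on every client in /etc/ldap.conf) can still enumerate the directory, so the data should still be treated as readable by all legitimate users of the systems.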