Re: [nssldap] nss_ldap, tls_key, and nscd

[Howard Chu <hyc [at] highlandsun.com>]

Chris Adams wrote:
> Once upon a time, Howard Chu<hyc@highlandsun.com>  said:
> > Chris Adams wrote:
> > > Once upon a time, Howard Chu<hyc@highlandsun.com>   said:
> > > > Chris Adams wrote:
> > > > > Is there any way around this?
> > > >
> > > > Not using nss_ldap. Use nss-ldapd or OpenLDAP's nssov instead.
> >
> > > Hmm.  Well, my servers are RHEL 5 (and some still RHEL 4), so I need to
> > > try to use nss_ldap if at all possible.
> >
> > Why? Those other packages will also work perfectly well on RHEL.
>
> nss_ldap is _included_ in RHEL, so Red Hat packages it, maintains it,
> tracks security and bug issues, etc.

Ah, great. So you can just ask RHEL about this problem and they'll solve it 
for you. Cool.

> Currently, they are only "public" to the limited number of people that
> can access the systems.  These are systems that are providing various
> Internet services; they aren't behind any firewalls or such.  Right now,
> the Internet can't tell the valid users from the invalid (which is one
> level of security).  If the directory services are feeding users,
> groups, and IDs to the Internet, that's a lot of information that is not
> otherwise public.

If you have private information on a machine residing on a public network, you 
have bigger problems than just "how does nss-ldap connect to my server." 
Private data should be behind a firewall. At the very least you need a router 
that rejects packets with bogus source addresses. (I.e., drops externally 
generated packets whose source addresses match internal network numbers.) Once 
that's in place, you can use tcp_wrappers on the LDAP server if you want 
finer-grained host access control.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/