
Re: [K12OSN] Pinch me...

Brian Fahrlander <kilroy kamakiriad com> wrote:

> LDAP really isn't for authentication.  And a fellow much more
> experienced than I has told me many reasons for not doing it, all having
> to do with security- both integrity and intrusion.  He suggests using
> Kerberos instead...but I have no idea how that works, yet.  For what it's

Well, it is and it isn't. As the name suggests, it's a directory service,
but at the moment, it seems to be the best prospect for a single-sign-on
authentication system for the Linux world. I've looked briefly at
alternatives, like using Webmin's "Cluster Users and Groups" feature to
keep servers in synch, using winbind to authenticate against NT domain
controllers, etc. but nothing else allows authentication for logon, from
within Apache, from within Samba, from within Squid, etc. The initial
learning curve is steep, but the payback appears to be substantial.

Now, there's no reason why LDAP can't be implemented to a level of trust
that is appropriate to the environment (I'm assuming we're talking a school
intranet, here). You can implement LDAP over SSL, for example, so that
network traffic is encrypted. Inside the LDAP server, the MD5 of the
password is stored. I'm not sufficiently familiar with the internals of
slapd yet to say how it would prevent an attacker from overwriting your
password with his choice of preconstructed MD5, but I'm sure the developers
have foreseen that.

Kerberos is a bit of a nightmare, by comparison. It's pretty complex,
doesn't have the same level of subsystem integration that LDAP has, and I
seem to recall reading somewhere recently that at least one open-source
project team (OpenSSL?) were dropping support for it as it has proved
problematic for them. Certainly, I've had problems compiling some libraries
under RH9 due to misplaced krb5.h etc.

FWIW, I'd go - in fact, am going - the LDAP route, but with a watchful eye
on the security issues along the way.

> Around here (inside the house) I have one machine that gets NFS
> exported from one machine's /nfshomes directory. As long as the users
> all have the same userID, everything's beautiful, but I worry that it
> might be a security risk.

Yes, NFS is a worry. Anything that runs over the UDP protocol is less
resistant to spoofing, and NFS also depends on the portmapper service which
has a long history of security vulnerabilities. However, again - bearing in
mind the environment - as long as NFS is kept well within the firewall, I
wouldn't lose any sleep over it.

> Also, think about your naming convention.

Very true. The school I'm working on atm has a domain name allocated by the
Linux-resistant powers that be. I simply set up a subdomain of that, with
the primary DNS's configured with a forwarders clause that points to the
"official" DNS's. Our little internal subdomain works just fine, and the
powers-that-be are none the wiser.


--- Les Bell, RHCE, CISSP
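As an added illustration (not part of Les Bell's message or the K12OSN thread), here is an OpenLDAP slapd.conf fragment showing the two controls his reply touches on: forcing encrypted transport, and using access controls so that an ordinary bind cannot overwrite someone else's userPassword. The certificate paths, the manager DN and the dc=example,dc=org suffix are assumptions chosen for the example.

```conf
# --- Transport: serve LDAP only over TLS (example settings, paths assumed) ---
TLSCACertificateFile  /etc/openldap/cacerts/ca.crt
TLSCertificateFile    /etc/openldap/certs/slapd.crt
TLSCertificateKeyFile /etc/openldap/certs/slapd.key

# Refuse any operation on a connection whose security strength factor
# is below 128, i.e. a plain, unencrypted session (simple binds included).
security ssf=128

# Hash passwords set via the Password Modify extended operation (ldappasswd)
# with salted SHA-1 rather than storing the value the client supplied.
password-hash {SSHA}

# --- Access control: who may read or write the password attribute ---
# Order matters: the first "access to" clause that matches the target wins.
access to attrs=userPassword
    by dn.exact="cn=Manager,dc=example,dc=org" write   # the admin account (assumed name)
    by self write                                      # a user may change their own
    by anonymous auth                                  # needed to bind, but not to read
    by * none                                          # everyone else: nothing

# Everything else in the tree: owners may edit their entry, bound users may read.
access to *
    by self write
    by users read
    by anonymous auth
```

With these rules a client that binds as one user gets "none" on every other entry's userPassword, so it can neither read the stored hash nor replace it with a hash of its own choosing; only the entry's owner and the manager DN can write it. Two caveats worth knowing: `by self write` still lets a user store an arbitrary value in their own userPassword with a plain LDAP modify (password-hash only applies to the Password Modify operation, so point users at ldappasswd), and the `security ssf=128` line is what makes the "LDAP over SSL" advice enforceable rather than optional.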
