[K12OSN] Samba/LDAP how-to in OO format
ghenry at suretecsystems.com
Wed Jun 16 21:10:18 UTC 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Wednesday 16 Jun 2004 21:22, Christopher K. Johnson wrote:
> Gavin Henry wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >On Wednesday 16 Jun 2004 03:28, David Trask wrote:
> >>here's the Samba LDAP how-to in OO format
> >I have 3 points and one request:
> >1. The backend ldap should be bdb not ldbm (discussed very in-depth on the
> >OpenLDAP lists).
> >2. You should really have access controls on the LDAP database, as anyone
> > can then read your hashed password over the wire, unless, which I didn't
> > notice, you only have the LDAP server listening on localhost?
> >3. You should be using TLS.
> >4. Could you do a wee conclusion, rounding everything off.
> >Would you mind if some of us add the 3 points above in?
> >Lastly, this is a great document and must have taken you ages. All it needs is
> >someone to start this off, then others can help.
> >Do you mind if I forward this to the fedora-docs list as they can do all
> > this for us?
> All good suggestions, some of which David and I have already discussed.
> He expressed to me that he wanted to first get it working, and then go
> back and work to incorporate better security such as you have
> indicated. Thanks for working to move this along with other doc folks
> in implementing them.
No, you are right, it is the right way to do it, and then progress to the
No problems with the docs. By the way, I have seen the HTML version on his
site, is David's mostly original? Does he have the OO version of it?
It's just it has all the references and conclusion/intro etc, to make it a
> Re 1. In that case why is bdb not the default in slapd.conf as provided
> by the FC2 openldap-servers rpm?
> I suspect that David simply used what
> was there, not changing the backend. I'm not trying to disagree - just
> to point out that if this is now the standing recommendation then in
> addition to changing the how-to it should be changed in the slapd.conf
> provided by the rpm.
I totally agree and will start voicing this in the fedora-devel list.
> Re 2. Definitely, although the issue is actually whether ldap directory
> users have query or update access to other users' hashed passwords. The
> over the wire comment relates to the TLS recommendation.
Agreed, but with no access controls whatsoever, anyone can query them,
not just the rootdn.
> Re 3. Definitely.
> Other points:
> 5. The smbldap-tools provided by the FC2 samba rpm under
> /usr/share/samba-n.n.n/LDAP/smbldap-tools are out of date. They should
> either be brought current, or removed and placed in a separate
> smbldap-tools rpm _included_ in FC2 distro with a pre-requisite of the
> perl-LDAP rpm, which in turn requires other perl- rpms. I believe this
> change would avoid the need for any of the CPAN steps, and allow
> installing the smbldap-tools from the FC2 distro.
Agreed, I think this is due for a massive upgrade.
> 6. The how-to should include using slappasswd to create a good password
> hash for inclusion within slapd.conf in lieu of the default password.
> 7. Yum would work just as well as apt. Perhaps alternative commands for
> updating and installing rpms either way would make the how-to equally as
> friendly to people who prefer yum.
> I hope the community does remedy all those points to give this very
> useful document a more robust treatment of security, and make FC2 a
> little less complex to implement samba/ldap on.
It is complicated, but shouldn't be as RPMs are used, if that makes any sense
to a Gentoo user say ;-)
T +44 (0) 1224 587369
M +44 (0) 7930 323266
F +44 (0) 1224 742001
E ghenry at suretecsystems.com
Open Source. Open Solutions.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
-----END PGP SIGNATURE-----
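Points 1, 2, 3 and 6 of the thread (bdb backend, access controls on password attributes, TLS, and an slappasswd-generated rootpw) can all be expressed in a few slapd.conf directives. The fragment below is an added illustration written for this thread, not David's how-to and not the stock FC2 slapd.conf; the suffix, rootdn, certificate paths and the hash value are placeholders, and the sambaLMPassword/sambaNTPassword attributes assume the Samba 3 schema is loaded.

```conf
# --- Roughly what the stock slapd.conf gives you (weak) ---
# database   ldbm
# suffix     "dc=example,dc=com"
# rootdn     "cn=Manager,dc=example,dc=com"
# rootpw     secret                 # cleartext, and the distro default
# (no access directives: every attribute, hashes included, is world-readable)

# --- Hardened version (placeholder paths and DNs) ---

# TLS material for the server; paths are assumptions, adjust to your install.
TLSCertificateFile      /etc/openldap/certs/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/certs/slapd-key.pem
TLSCACertificateFile    /etc/openldap/certs/ca.pem
# Refuse any operation on a connection with less than 128 bits of protection,
# i.e. no cleartext binds or searches over the wire. If slapd is only bound to
# localhost or reached over ldapi://, local connections still satisfy this.
security ssf=128

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
# Hash produced with: slappasswd -h {SSHA}   (never a cleartext value here)
rootpw      {SSHA}PLACEHOLDER_HASH_FROM_SLAPPASSWD
directory   /var/lib/ldap

# Password hashes: the entry's owner may change them, anonymous may only use
# them to authenticate (simple bind), nobody else may read them at all.
# The NT hash in sambaNTPassword is unsalted, so read access to it is
# equivalent to the password itself.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

# Everything else stays readable (nss_ldap and Samba need it) and is
# writable only by the entry's owner; the rootdn bypasses these rules.
access to *
    by self write
    by * read
```

Order matters: slapd applies the first `access to` clause that matches, so the password-attribute rule must precede the catch-all. After restarting slapd, an anonymous `ldapsearch` for `userPassword` should return entries with no password attributes, which is the quick check for point 2.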