[K12OSN] LDAP login nightmare

David Trask dtrask at vcsvikings.org
Wed Aug 3 21:34:36 UTC 2005


"Support list for opensource software in schools." <k12osn at redhat.com> on
Wednesday, August 3, 2005 at 5:01 PM +0000 wrote:
>And some more info.  If I comment out ALL access control statements in
>slapd.conf and also stop nscd, then logins with ldap accounts work.  BUT
>this can't be good. And given that I don't have TLS active, I am probably
>just begging for trouble if I leave the system this way.  I would at
>least like to have some access control on the ldap database.  
>
>Sincerely,
>Dave Hopkins

Ok...now I'm confused.  You say you used Matt's and my script, but then
you mention commenting out the ACL stuff in slapd.conf.  Unless you
modified it....it was already commented out.  We have not implemented
the ACL stuff yet; I have a working prototype, but Matt has not yet
integrated it and we have not tested it.  As for security...you're no
worse off than you were previously...it's still reasonably secure.  I've
been using it that way for a couple years now.  You should not expose your
Samba/LDAP server to the outside world via the Internet....so long as
you're behind a firewall....you're fine for now.  If you want to visit the
IDEALX.org site and read up about it...you can implement TLS and so forth,
but it's NOT for the faint of heart.  I looked at it initially and finally
decided that there comes a point where I have to draw a line between how
secure I want to be and how hard I want to work.  :-)  Keep a good backup
of /home and /profiles and you'll be pretty safe.  :-)

We'll work on getting the ACLs in place....but for now...don't fret.



David N. Trask
Technology Teacher/Coordinator
Vassalboro Community School
dtrask at vcsvikings.org
(207)923-3100



