[K12OSN] LDAP login nightmare

dahopkins at comcast.net
Wed Aug 3 21:54:45 UTC 2005


> "Support list for opensource software in schools." <k12osn at redhat.com> on
> Wednesday, August 3, 2005 at 5:01 PM +0000 wrote:
> >And some more info.  If I comment out ALL access control statements in
> >slapd.conf and also stop nscd, then logins with ldap accounts work.  BUT
> >this can't be good. And given that I don't have TLS active, I am probably
> >just begging for trouble if I leave the system this way.  I would at
> >least like to have some access control on the ldap database.  
> >
> >Sincerely,
> >Dave Hopkins
> 
> Ok...now I'm confused.  You say you used Matt's and my script, but then
> you mention about commenting out the ACL stuff in slapd.conf.  Unless you
> modified it....it was already commented out.  We have not yet implemented
> the ACL stuff; I have a working prototype, but Matt has not yet
> integrated it and we have not tested it.  As for security...you're no
> worse off than you were previously...it's still reasonably secure.  I've
> been using it that way for a couple years now.  You should not expose your
> Samba/LDAP server to the outside world via the Internet....so long as
> you're behind a firewall....you're fine for now.  If you want to visit the
> IDEALX.org site and read up about it...you can implement TLS and so forth,
> but it's NOT for the faint of heart.  I looked at it initially and finally
> decided that there comes a point where I have to draw a line between how
> secure I want to be and how hard I want to work.  :-)  Keep a good backup
> of /home and /profiles and you'll be pretty safe.  :-)
> 
> We'll work on getting the ACL's in place....but for now...don't fret.
> 

I had a working Samba/LDAP (based on Samba 2.2.x) with ACLs already in place and cut and pasted them into my slapd.conf file, since this was supposed to be a simple move to Samba 3 (simple, yeah?).  This is part of the problem, apparently.  It may have something to do with SELinux in Fedora Core 4.  However, the nscd still has me a little confused, but since my understanding is that this just speeds up the search, it isn't going to kill me at present.

I also had TLS working, but have forgotten how I did so (it has been two years).  Anyhow, at present, I will live with the security issues.  Thanks for the encouragement and experience with running 'wide open'.

Thanks again.
Dave Hopkins
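
[Editor's note: the following is an added example, not part of the thread above and not the IDEALX or K12OSN scripts.  It shows a minimal slapd.conf access section of the kind Dave is asking for: one that lets nss_ldap/pam_ldap logins and Samba 3 keep working while not leaving the password hashes readable by anyone who can reach port 389.  The suffix dc=example,dc=org, the rootdn cn=Manager,dc=example,dc=org and the certificate paths are assumptions; substitute your own.  The rootdn is assumed to be the same DN Samba uses as "ldap admin dn" in smb.conf.]

```conf
# Added example (OpenLDAP 2.2/2.3 slapd.conf style), not from the thread.
# Assumed: suffix dc=example,dc=org, rootdn cn=Manager,dc=example,dc=org.

# Order matters: slapd uses the FIRST "access to" clause that matches the
# entry/attribute.  The password-attribute rule therefore has to come before
# "access to *"; the other way round, everything matches "access to *" and
# the hashes end up world-readable.
#
# - smbd reads sambaNTPassword/sambaLMPassword by binding as the admin DN,
#   so that DN needs write.
# - pam_ldap authenticates by binding as the user; that needs "auth" on
#   userPassword for anonymous, not "read".
# - "by self write" lets users change their own password.
# - everyone else gets nothing; the NT hash is password-equivalent.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="cn=Manager,dc=example,dc=org" write
    by self write
    by anonymous auth
    by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, loginShell,
# sambaSID, ...) must be readable anonymously, or nss_ldap lookups fail and
# logins break in exactly the way described in the thread.
access to *
    by dn="cn=Manager,dc=example,dc=org" write
    by * read

# Optional: TLS, so binds and hashes do not cross the wire in the clear.
# Paths are assumptions; the certificate must match the hostname clients use.
#TLSCACertificateFile  /etc/openldap/cacerts/ca.crt
#TLSCertificateFile    /etc/openldap/ldap.crt
#TLSCertificateKeyFile /etc/openldap/ldap.key
```

Two checks after restarting slapd: an anonymous `ldapsearch -x -b dc=example,dc=org '(uid=someuser)'` should return uidNumber/gidNumber/homeDirectory but no userPassword or sambaNTPassword attribute, and the same search with `-D uid=someuser,ou=People,dc=example,dc=org -W` should return them.  Then restart nscd (or run `nscd -i passwd` and `nscd -i group`): nscd caches negative lookups, so the failed passwd/group queries it saw while the ACLs were wrong stay cached until it is invalidated, which is most likely why stopping it "fixed" things in the thread.  Note that slapd.conf does not accept trailing `#` comments on a directive line, and a line beginning with whitespace continues the previous directive, so keep comments on their own lines above each clause as done here.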