can't get OS to use LDAP for accounts

Scott Moseman smoseman at novolink.net
Mon Mar 3 22:53:43 UTC 2008


I would consider the network topology.  If the box is behind a firewall
or access lists, so that iptables is an additional (or internal) means
of defense, I have no problem stopping it temporarily.  If the box is
sitting wide open on the Internet, I would probably tinker with the
logging.  Considering how much junk I have seen on firewall interfaces
with brand-new IPs and no publicized services, I would not put anything
unprotected "out there", even temporarily.

Thanks,
Scott


________________________________

From: redhat-sysadmin-list-bounces at redhat.com
[mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Richard Riley
Sent: Monday, March 03, 2008 4:46 PM
To: redhat-sysadmin-list at redhat.com
Subject: RE: can't get OS to use LDAP for accounts



I fully agree that security is the priority, but sometimes it is so much
quicker to determine whether iptables or SELinux is the culprit by stopping
them just long enough to test and see if the service now works.  If it
does, then you know quickly where to concentrate your effort.  If
iptables is the culprit, then I would enable logging to help identify
the specifics.

I have found that if I enable logging initially on a busy machine, I may
lose hours searching the log files only to discover that iptables was
not the culprit in the first place.

Richard Riley
Linux System Administrator
Ariba, Inc.


________________________________

From: redhat-sysadmin-list-bounces at redhat.com
[mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Sutton, Harry (MSE)
Sent: Monday, March 03, 2008 4:30 PM
To: redhat-sysadmin-list at redhat.com
Subject: Re: can't get OS to use LDAP for accounts


I'm a firm believer that it's never a good idea to shut off security
features to get things working. Significant improvements in the SELinux
administrative and troubleshooting tools make it much easier to get that
working properly without having to disable it.

As for iptables, I think it's a much better idea to enable logging, even
on a temporary basis, to determine which packets are being blocked and
then add rules to allow them. There's a really good article / short
video in Red Hat Magazine at
http://www.redhatmagazine.com/2007/08/01/video-tip-from-rhces-firewalls/
that explains this really well.

    /Harry Sutton, RHCA
     Hewlett-Packard Company

Richard Riley wrote:

    Try stopping iptables on both machines during the test.

    Richard Riley


    -----Original Message-----
    From: redhat-sysadmin-list-bounces at redhat.com
    [mailto:redhat-sysadmin-list-bounces at redhat.com] On Behalf Of Douglas J Hunley
    Sent: Monday, March 03, 2008 9:34 AM
    To: redhat-sysadmin-list at redhat.com
    Subject: Re: can't get OS to use LDAP for accounts

    On Monday 03 March 2008 09:10:08 Steven Kalisky wrote:

        Try turning off SELinux and then test.

    SELinux had previously been disabled. That didn't change anything :(

    --

    --
    redhat-sysadmin-list mailing list
    redhat-sysadmin-list at redhat.com
    https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list

 
--
redhat-sysadmin-list mailing list
redhat-sysadmin-list at redhat.com
https://www.redhat.com/mailman/listinfo/redhat-sysadmin-list
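Harry's approach above (log what iptables drops, then add rules for exactly those packets rather than stopping the firewall) in working form, as an added example that is not code from the thread or from the Red Hat Magazine article. It assumes a LOG rule with the prefix "IPT-DROP: " inserted just above the chain's terminating DROP/REJECT; the four kernel log lines are constructed in the format the LOG target writes, not captured from anyone's box. The script turns each distinct (interface, protocol, source, destination port) tuple into a candidate ACCEPT rule with a hit count, so on a busy machine you can tell at a glance whether the LDAP client's port 389 traffic is what is being blocked, and review the list before applying any of it.

```shell
#!/bin/sh
# Added example, not from the thread. Derive candidate ACCEPT rules from
# iptables LOG output instead of stopping the firewall to test.
#
# Step 1 (needs root, shown only): log what the terminating DROP/REJECT in
# INPUT would catch. The prefix "IPT-DROP: " and the rule position N are
# assumptions; find N with: iptables -L INPUT --line-numbers
#
#   iptables -I INPUT N -m limit --limit 5/min -j LOG \
#       --log-prefix "IPT-DROP: " --log-level 4
#
# Step 2: feed the resulting kernel log lines (here: constructed samples)
# through log_to_rules and review the candidates before applying any.

# Constructed sample log lines, in the format the LOG target writes:
# an LDAP client (192.0.2.10) trying port 389 twice and pinging, plus an
# unrelated host probing port 22. Not captured from a real machine.
SAMPLE_LOG='Mar  3 16:30:01 ldap1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=48211 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 16:30:02 ldap1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=48212 DPT=389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 16:30:05 ldap1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar  3 16:30:09 ldap1 kernel: IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.20 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=6000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin; print one "iptables -I INPUT ... -j ACCEPT"
# candidate per distinct (in-interface, proto, source, dport), with a
# count of how many logged packets matched it, in first-seen order.
# Only lines carrying our prefix are considered, so other kernel noise
# in /var/log/messages is ignored.
log_to_rules() {
    grep 'IPT-DROP: ' | awk '
    {
        iface = ""; proto = ""; src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "IN")         iface = kv[2]
            else if (kv[1] == "PROTO") proto = tolower(kv[2])
            else if (kv[1] == "SRC")   src = kv[2]
            else if (kv[1] == "DPT")   dpt = kv[2]
        }
        if (proto == "" || src == "") next      # not a LOG line we understand
        rule = "iptables -I INPUT"
        if (iface != "") rule = rule " -i " iface
        rule = rule " -p " proto " -s " src
        if ((proto == "tcp" || proto == "udp") && dpt != "") rule = rule " --dport " dpt
        rule = rule " -j ACCEPT"
        if (!(rule in hits)) order[++n] = rule
        hits[rule]++
    }
    END {
        for (i = 1; i <= n; i++)
            printf "%s   # %d packet(s) logged\n", order[i], hits[order[i]]
    }'
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | log_to_rules
```

The third candidate (a lone SYN to port 22 from an unrelated address) is exactly the sort of junk Scott mentions seeing on exposed interfaces; the script deliberately prints everything it saw and leaves the decision to you. Because the LOG rule is rate-limited, on a busy box the packet count is a lower bound, not a total.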