On Mon, Apr 08, 2002 at 08:23:17AM +0300, Sami Haahtinen wrote:
> On Sun, Apr 07, 2002 at 08:14:26PM -0700, Luca Filipozzi wrote:
> > Two choices (I like lists :) ):
> >
> > (1) use libpam-ldap:
>
> i recommend this.

I also recommend this.

> > (2) don't use libpam-ldap:
> >
> > You don't have to use libpam-ldap. You could just use
> > libnss-ldap and have the ldap server transfer the password
> > hashes to the workstations in the clear ... which is equivalent
> > to NIS. You could also use libnss-ldap with SSL/TLS so that the
> > hashes are transferred more securely (equivalent to NIS+).
>
> i don't recommend the above to anyone (do as i say, not as i do.. =) it
> will cause problems, you are forced to enter the database access
> password to the configuration, which you will then need to make readable
> to root, which in turn forces you to use nscd.

No, you don't. You can set the ACLs in slapd.conf for userPassword to
'by * read'. Sure, it's not a good choice. That's why I said that it is
the equivalent of NIS.

> this also allows crackers to access your userbase, unlike libpam-ldap,
> where you are not forced to allow userpassword read access to the
> database. The cracker just needs to hack this machine, read the password
> from config and voila, ur nt3w0rk has been 0wn3d!

You don't need to put a binddn/bindpw into libnss-ldap if you make
userPassword readable by all. libnss-ldap can bind anonymously. It's
NIS-equivalent, however, so if the hashes are weak based on weak
passwords, a dictionary attack is possible (just like NIS).

Also, if you were to use a binddn/bindpw, you wouldn't use the
rootdn/rootpw.

Note for non-LDAP folk: userPassword is the hashed password, not the
cleartext password.

Luca

-- 
Luca Filipozzi, Debian Developer [dpkg] We are the apt. You will be packaged. Comply.
gpgkey 5A827A2D - A149 97BD 188C 7F29 779E 09C1 3573 32C4 5A82 7A2D
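The two ACL choices discussed above, written out as slapd.conf fragments. This is an added illustration, not configuration posted in the thread; the suffix dc=example,dc=com and the host name ldap.example.com are assumptions, and the OpenLDAP ACL syntax is the one used by slapd.conf (access to ... by ... ).

```text
# --- Choice (2), NIS-equivalent: every client, including anonymous binds,
#     can read userPassword.  libnss-ldap then needs no binddn/bindpw,
#     but anyone who can reach slapd can pull the hashes and run a
#     dictionary attack on them offline.
access to attrs=userPassword
        by * read

# --- Choice (1), for use with libpam-ldap: the hash is never handed out.
#     'auth' lets anonymous clients use the attribute only inside a bind
#     operation, which is all pam_ldap needs to verify a password; 'self
#     write' lets users change their own password; everyone else gets
#     nothing.  Put this before the catch-all rule, since slapd stops at
#     the first matching 'access to' clause.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, ...) may
# stay world-readable so libnss-ldap can keep binding anonymously.
access to *
        by * read
```

With the second ACL in place, /etc/pam_ldap.conf and /etc/libnss-ldap.conf need only `host ldap.example.com` and `base dc=example,dc=com`: nss_ldap binds anonymously for account lookups, and pam_ldap authenticates by binding as the user's own DN with the password typed at login, so no shared credential has to be stored readable on the workstation. Adding `ssl start_tls` (and the matching TLS setup on slapd) keeps the bind passwords off the wire; it does not change the ACL question.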
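The "dictionary attack is possible (just like NIS)" point, made concrete. This is an added example and not code from the thread: it assumes userPassword values in OpenLDAP's {SHA} and {SSHA} schemes (base64 of a SHA-1 digest, with the salt appended for {SSHA}), and the entries, DNs and word list below are constructed for the example rather than taken from any real directory.

```python
"""Offline dictionary attack on {SHA}/{SSHA} userPassword values.

Added example: if userPassword is readable 'by * read', an anonymous
ldapsearch returns exactly this kind of data, and weak passwords fall
to a word list without ever touching the LDAP server again.
"""
import base64
import hashlib


def ssha_hash(password: str, salt: bytes) -> str:
    """Encode a password in OpenLDAP's {SSHA} scheme: base64(sha1(pw+salt)+salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def sha_hash(password: str) -> str:
    """Encode a password in the unsalted {SHA} scheme: base64(sha1(pw))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_password(candidate: str, stored: str) -> bool:
    """Return True if candidate matches a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
        return hashlib.sha1(candidate.encode() + salt).digest() == digest
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hashlib.sha1(candidate.encode()).digest() == raw
    raise ValueError("unsupported password scheme in: " + stored)


def dictionary_attack(entries: dict, wordlist: list) -> dict:
    """Try every word against every entry; return {dn: recovered_password}.

    Salting ({SSHA}) forces one SHA-1 per (word, entry) pair instead of
    one per word, but that only slows the attack down; it does not stop it
    when the password itself is in the list.
    """
    cracked = {}
    for dn, stored in entries.items():
        for word in wordlist:
            if check_password(word, stored):
                cracked[dn] = word
                break
    return cracked


# Constructed sample data (not from the thread): what an anonymous
# ldapsearch would hand back under a world-readable userPassword ACL.
SAMPLE_ENTRIES = {
    "uid=alice,ou=People,dc=example,dc=com": ssha_hash("summer2002", b"\x01\x02\x03\x04"),
    "uid=bob,ou=People,dc=example,dc=com": sha_hash("password"),
    "uid=carol,ou=People,dc=example,dc=com": ssha_hash("Kx7#pL9!vQ2m", b"\xaa\xbb\xcc\xdd"),
}

# Constructed word list standing in for a real dictionary file.
WORDLIST = ["123456", "password", "letmein", "summer2002", "debian"]

if __name__ == "__main__":
    for dn, password in dictionary_attack(SAMPLE_ENTRIES, WORDLIST).items():
        print(f"{dn}: {password}")
```

Only alice and bob are recovered; carol's password is not in the list, so the attack cannot reach it, which is the whole of the protection a world-readable hash offers. With the libpam-ldap route (userPassword 'by anonymous auth' and 'by * none'), an attacker never sees the hash and is limited to online guesses against slapd, which can be rate-limited and logged.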