RE: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Lisa Kachold
I agree completely that LDAP as a standard, especially with Postgresql LFS authentication (including web systems scalability) is a viable, already engineered solution that will do what he needs. If he follows the HowTo's initially, he should be able to get this solution up and running and be a

Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Stephen
OK, now here is a question. How well would this concept play with something like open-likewise and domain authentication? How closely do you think we could merge the two user databases in this case? (I'm a Linux machine stuck in a Windows network, but at least I can admin both!) On Fri, Jan 2, 20

RE: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Lisa Kachold
AD takes care of the Windows side completely to include Domain Admin, etc. OpenLDAP is trivial to configure for this. open-likewise simply puts its own framework over it all. I would build up test systems to see what you like, but really LDAP is easy once you get the hang of it. I have imple

Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Stephen
Any suggested reading? On Fri, Jan 2, 2009 at 8:55 AM, Lisa Kachold wrote: > AD takes care of the Windows side completely to include Domain Admin, etc. > OpenLDAP is trivial to configure for this. > > open-likewise simply puts its own framework over it all. > > I would build up test systems to s

RE: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Craig White
On Fri, 2009-01-02 at 15:55 +, Lisa Kachold wrote: > AD takes care of the Windows side completely to include Domain Admin, > etc. OpenLDAP is trivial to configure for this. > > open-likewise simply puts its own framework over it all. > I would build up test systems to see what you like, but

Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Stephen
open-LikeWise will not synchronise as far as I can tell; it's more of an authentication tool, or the free one is. But if you're on a Linux machine and need to auth against a Domain it's handy. It also appears that the next version of freeIPA (2.0) is looking to make it less Fedora-only, which will be v

HackFest Series: LDAP

2009-01-02 Thread Lisa Kachold
LDAP, RFC 4513, has some security issues. In any security model, we mitigate possible problems with layered technology. RFC: http://www.rfc-editor.org/rfc/rfc4513.txt PCI Compliance and LDAP Security: The best way to mitigate LDAP network issues is through PCI compliance or isolated serve

Re: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Craig White
On Fri, 2009-01-02 at 10:07 -0700, Stephen wrote: > open-LikeWise will not synchronise as far as I can tell; it's more of an > authentication tool, or the free one is. But if you're on a Linux > machine and need to auth against a Domain it's handy. > > It also appears that the next version of freeIPA (

Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Joe
Craig, Thanks for the info on FreeIPA. It sounds like you have quite a bit of experience with LDAP. Maybe you can answer some questions. In the past when I tried to configure LDAP with nsswitch, I remember that I had to put the Admin credentials in a file in /etc. Also, at the time ldap did no

Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Craig White
On Fri, 2009-01-02 at 13:09 -0700, Joe wrote: > Craig, > > Thanks for the info on FreeIPA. It sounds like you have quite a bit of > experience with LDAP. Maybe you can answer some questions. > > In the past when I tried to configure LDAP with nsswitch, I remember > that I had to put the Admin c

Re: Linux Administration

2009-01-02 Thread Mike Garfias
The only fair tax is no tax. Otherwise someone is being hit disproportionately. Of course that someone varies based on how you score it. Thus: fair tax = no tax. On Thu, Jan 1, 2009 at 8:34 AM, Lisa Kachold wrote: > Abolishing the IRS? Sure, that's got to save a mint! > > While I haven't dig

Re: Linux Administration

2009-01-02 Thread Technomage
That's all fine and good, but when it comes down to it, we wouldn't have a government if no one paid any taxes. That means no one to defend our borders, or make the laws or manage the society properly... Take a look at Ethiopia and you'll see an example of "lack of government" a fair tax would b

[OT] Re: Linux Administration

2009-01-02 Thread Craig White
On Fri, 2009-01-02 at 15:04 -0700, Technomage wrote: > That's all fine and good, but when it comes down to it, we wouldn't have > a government if no one paid any taxes. > That means no one to defend our borders, or make the laws or manage the > society properly... > > Take a look at Ethiopia and

RE: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Lisa Kachold
sldap is available for Gentoo, FedoraCore/Redhat/CentOS, SLES/SUSE, Ubuntu/Debian. While it all uses encryption, many client and server LDAP implementations include various exploits, and on a shared network LDAP (and NIS) are sent clear text. Modern TLS is used in OpenLDAP, but can be tri

Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Joe
Good point on TLS. The /etc/ldap.secret is where I had the problem. If you put that file on an end user's machine, wouldn't they be able to boot into single user mode or sudo and read that file? Doesn't that file provide the keys to the kingdom? Once you have full read access to the directory. c

Re: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Craig White
On Fri, 2009-01-02 at 16:40 -0700, Joe wrote: > Good point on TLS. The /etc/ldap.secret is where I had the problem. If > you put that file on an end user's machine, wouldn't they be able to boot > into single user mode or sudo and read that file? Doesn't that file > provide the keys to the kingdo

RE: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Lisa Kachold
Correct! Bingo! You understand the process. So, your LDAP server optimally would: 1) Not have /etc/sudoers wide open (shells disabled, be unable to escape a vi to root command shell) and only do a few commands. 2) Have good permissions, and/or have no shell or X users with privs. 3) Be comple

RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Lisa Kachold
Under LDAP, the user exchanges a token (just like cookies), so they triangulate with the server. But it's not "secure" any more than lock boxes are to physical home security where the combination can be easily obtained. If/when you install the recent OpenLDAP, the client obfuscates its key

RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Lisa Kachold
Good points Craig. I can see you are a true "administrator" where you think in systemic terms and context is everything. Black and White (good bad) simplistic and linear thinking is not the moniker of the seasoned administrator. LDAP is a good, well developed and heavily implemented tool. It

Re: ****RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Craig White
On Sat, 2009-01-03 at 02:48 +, Lisa Kachold wrote: > Here's the definitive guide for hammering down LDAP, noting defaults > for use, etc. > http://eatingsecurity.blogspot.com/2008/11/openldap-security.html I'd hardly call it a definitive guide to hammering down LDAP when there are only 2 A

Re: ****RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Joe
Sorry Craig, I had to jump in again. smbpasswd -w drives you crazy? From the Eating Security page, this is what I was talking about earlier: "Another file with a plain text password is /etc/ldap.secret. This file must contain the rootdn password in plain text, but is again somewhat mitigated wi

Re: ****RE: ****Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Craig White
On Fri, 2009-01-02 at 21:08 -0700, Joe wrote: > Sorry Craig, I had to jump in again. smbpasswd -w drives you crazy? From > the Eating Security page, this is what I was talking about earlier: > > "Another file with a plain text password is /etc/ldap.secret. This file > must contain the rootdn pas

Re: ****Re: Linux Administration - Users in (any) database howto/why...

2009-01-02 Thread Ed
On Fri, Jan 2, 2009 at 6:02 PM, Lisa Kachold wrote: > Correct! Bingo! You understand the process. > > So, your LDAP server optimally would: > > 1) Not have /etc/sudoers wide open (shells disabled, be unable to escape a > vi to root command shell) and only do a few commands. > 2) Have good permis