libnss_ldap

Sami Haahtinen ressu at ressukka.net
Tue Apr 11 17:13:51 BST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andy Rabagliati wrote:
> I do not think libpam-ldap is important - pam_unix has handled ldap for
> a long time without help. nscd would be handy though - maybe I should
> add that as well?

EEP!

If you promote libnss-ldap, promote libpam-ldap too; it's not sane to run
libnss-ldap for authentication, security-wise. If you do authentication
with libnss-ldap you will have to store a DN and a password that is able
to read all passwords in the LDAP database. Unless the LDAP database is
very carefully set up (as in, the configuration is altered from the
default of slapd, for example), the same account is able to change the
passwords (and other data) too. This brings up the situation where that
user can inject a fake root account into the LDAP database and from
there compromise the whole network.

libpam-ldap doesn't require such a password in the configuration files
and so is able to get around this problem.

Of course an insecure setup is always insecure; with the right methods
all setups are semi-safe. When using libpam-ldap you don't have to do
the wrong thing in the first place.

- - S
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEO9W/qbb3MLg9dhwRAtrzAKDEcM6KPXyFVHHqSdGy+4pgMwsQ3wCdHqgh
JWTEevbRY8VJNtXaW2Tfmbo=
=Lt8t
-----END PGP SIGNATURE-----
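The "carefully set up" slapd configuration the message refers to, shown as an added example that is not part of the original mail or of either package: the weak default ACL slapd applies when slapd.conf contains no "access to" directive, beside a replacement that lets pam_ldap authenticate users without any account being able to read password hashes. The DNs cn=admin,dc=example,dc=com and cn=nss,dc=example,dc=com are assumed names for the directory administrator and for the bind account nss_ldap uses for lookups; adjust the suffix to your own tree.

```conf
# --- Weak: what slapd uses when slapd.conf has no "access to" directive ---
# Every bound user and even anonymous clients can read userPassword, so any
# bind account nss_ldap stores in /etc/ldap.conf (binddn/bindpw or
# rootbinddn + /etc/ldap.secret) can harvest every hash in the directory.
access to *
        by * read

# --- Corrected: password hashes are never readable, only usable for bind ---
# ACLs are evaluated in order and the first matching "access to" clause wins,
# so the userPassword rule must come before the catch-all.
#
# "auth" lets slapd compare a bind password against userPassword without
# letting any client read the hash; this is all pam_ldap needs, because it
# binds as the user being authenticated rather than as a shared account.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" write   # assumed admin DN
        by self write                                    # users change their own
        by anonymous auth                                # bind-only, no read
        by * none

# Everything else (uid, uidNumber, gidNumber, homeDirectory, loginShell ...)
# is what nss_ldap actually needs. The lookup account gets read, nothing
# more, so a leaked /etc/ldap.secret cannot be used to add a fake root
# entry or rewrite another user's attributes.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write   # assumed admin DN
        by dn.exact="cn=nss,dc=example,dc=com" read      # assumed nss lookup DN
        by users read
        by * none
```

With this ACL in place, a quick check is to bind as the lookup account and ask for the hash explicitly (for example `ldapsearch -x -D "cn=nss,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=someuser)" userPassword`): the entry should come back without a userPassword attribute. If the remaining attributes are not considered sensitive, nss_ldap can also bind anonymously and the lookup password disappears from the client configuration entirely.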